- update to 7.19.4 (fixes CVE-2009-0037)

- fix leak in curl_easy* functions, thanks to Kamil Dudka
- drop nss-fix patch, applied upstream

.cvsignore

@@ -1,2 +1 @@
-curl-7.18.2.tar.bz2
+curl-7.19.4.tar.bz2
-curl-7.19.3.tar.bz2

curl-7.19.3-nss-fix.patch

@@ -1,22 +0,0 @@
-diff -ruNp curl-7.19.3.orig/lib/nss.c curl-7.19.3/lib/nss.c
---- curl-7.19.3.orig/lib/nss.c	2009-01-07 15:12:01.000000000 +0100
-+++ curl-7.19.3/lib/nss.c	2009-02-16 11:39:41.912075708 +0100
-@@ -1140,7 +1140,7 @@ CURLcode Curl_nss_connect(struct connect
-       n = strrchr(data->set.str[STRING_CERT], '/');
-       if(n) {
-         n++; /* skip last slash */
--        nickname = aprintf(nickname, "PEM Token #%d:%s", 1, n);
-+        nickname = aprintf("PEM Token #%d:%s", 1, n);
-         if(!nickname)
-           return CURLE_OUT_OF_MEMORY;
- 
-@@ -1171,7 +1171,8 @@ CURLcode Curl_nss_connect(struct connect
- 
-     if(SSL_GetClientAuthDataHook(model,
-                                  (SSLGetClientAuthData) SelectClientCert,
--                                 (void *)connssl) != SECSuccess) {
-+                                 (void *)connssl->client_nickname) !=
-+       SECSuccess) {
-       curlerr = CURLE_SSL_CERTPROBLEM;
-       goto error;
-     }

curl-7.19.4-easy-leak.patch

@@ -0,0 +1,36 @@
+diff -up curl-7.19.4/lib/easy.c.easy-leak curl-7.19.4/lib/easy.c
+--- curl-7.19.4/lib/easy.c.easy-leak	2009-01-29 21:41:51.000000000 +0100
++++ curl-7.19.4/lib/easy.c	2009-03-03 07:54:58.000000000 +0100
+@@ -352,13 +352,11 @@ CURL *curl_easy_init(void)
+   struct SessionHandle *data;
+ 
+   /* Make sure we inited the global SSL stuff */
+-  if(!initialized) {
+-    res = curl_global_init(CURL_GLOBAL_DEFAULT);
+-    if(res) {
+-      /* something in the global init failed, return nothing */
+-      DEBUGF(fprintf(stderr, "Error: curl_global_init failed\n"));
+-      return NULL;
+-    }
++  res = curl_global_init(CURL_GLOBAL_DEFAULT);
++  if(res) {
++    /* something in the global init failed, return nothing */
++    DEBUGF(fprintf(stderr, "Error: curl_global_init failed\n"));
++    return NULL;
+   }
+ 
+   /* We use curl_open() with undefined URL so far */
+@@ -549,10 +547,10 @@ void curl_easy_cleanup(CURL *curl)
+ {
+   struct SessionHandle *data = (struct SessionHandle *)curl;
+ 
+-  if(!data)
+-    return;
++  if(data)
++    Curl_close(data);
+ 
+-  Curl_close(data);
++  curl_global_cleanup();
+ }
+ 
+ /*

curl.spec

@@ -1,14 +1,14 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 7.19.3
+Version: 7.19.4
-Release: 2%{?dist}
+Release: 1%{?dist}
 License: MIT
 Group: Applications/Internet
 Source: http://curl.haxx.se/download/%{name}-%{version}.tar.bz2
 Patch1: curl-7.15.3-multilib.patch
 Patch2: curl-7.16.0-privlibs.patch
 Patch3: curl-7.17.1-badsocket.patch
-Patch4: curl-7.19.3-nss-fix.patch
+Patch4: curl-7.19.4-easy-leak.patch
 Provides: webclient
 URL: http://curl.haxx.se/
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -49,7 +49,7 @@ use cURL's capabilities internally.
 %patch1 -p1 -b .multilib
 %patch2 -p1 -b .privlibs
 %patch3 -p1 -b .badsocket
-%patch4 -p1 -b .nssfix
+%patch4 -p1 -b .easy-leak
 
 # Convert docs to UTF-8
 for f in CHANGES README; do
@@ -118,6 +118,11 @@ rm -rf $RPM_BUILD_ROOT
 %{_datadir}/aclocal/libcurl.m4
 
 %changelog
+* Tue Mar 03 2009 Jindrich Novy <jnovy@redhat.com> 7.19.4-1
+- update to 7.19.4 (fixes CVE-2009-0037)
+- fix leak in curl_easy* functions, thanks to Kamil Dudka
+- drop nss-fix patch, applied upstream
+
 * Tue Feb 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 7.19.3-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
 

sources

@@ -1 +1 @@
-10eb8c13350c735eff20d7b4530be8cd  curl-7.19.3.tar.bz2
+2734167c1e5f7ce6be99b75d2d371d85  curl-7.19.4.tar.bz2