[gnome-continuous-yocto/gnomeostree-3.22-krogoth: 15/246] curl: security fix for CVE-2016-5421

From: Emmanuele Bassi <ebassi src gnome org>
To: commits-list gnome org
Cc:
Subject: [gnome-continuous-yocto/gnomeostree-3.22-krogoth: 15/246] curl: security fix for CVE-2016-5421
Date: Thu, 14 Dec 2017 11:49:27 +0000 (UTC)

commit aad7166704021d82ad3a5ec468552f8f10360d41
Author: Maxin B. John <maxin john intel com>
Date:   Mon Aug 22 14:15:41 2016 +0300

    curl: security fix for CVE-2016-5421
    
    Affected versions: libcurl 7.32.0 to and including 7.50.0
    
    (From OE-Core rev: 2a9f4823483b6f5decc6d504858f06f66ab9e06c)
    
    Signed-off-by: Maxin B. John <maxin john intel com>
    Signed-off-by: Richard Purdie <richard purdie linuxfoundation org>

 meta/recipes-support/curl/curl/CVE-2016-5421.patch |   36 ++++++++++++++++++++
 meta/recipes-support/curl/curl_7.47.1.bb           |    1 +
 2 files changed, 37 insertions(+), 0 deletions(-)
---
diff --git a/meta/recipes-support/curl/curl/CVE-2016-5421.patch 
b/meta/recipes-support/curl/curl/CVE-2016-5421.patch
new file mode 100644
index 0000000..862da75
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-5421.patch
@@ -0,0 +1,36 @@
+From 75dc096e01ef1e21b6c57690d99371dedb2c0b80 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel haxx se>
+Date: Sun, 31 Jul 2016 01:09:04 +0200
+Subject: [PATCH] curl_multi_cleanup: clear connection pointer for easy handles
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Bug: https://curl.haxx.se/docs/adv_20160803C.html
+Reported-by: Marcelo Echeverria and Fernando Muñoz
+
+Upstream-Status: Backport
+https://curl.haxx.se/CVE-2016-5421.patch
+
+CVE: CVE-2016-5421
+Signed-off-by: Maxin B. John <maxin john intel com>
+---
+ lib/multi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/multi.c b/lib/multi.c
+index 9ee3523..8bb9366 100644
+--- a/lib/multi.c
++++ b/lib/multi.c
+@@ -2157,6 +2157,8 @@ static void close_all_connections(struct Curl_multi *multi)
+     conn->data = multi->closure_handle;
+ 
+     sigpipe_ignore(conn->data, &pipe_st);
++    conn->data->easy_conn = NULL; /* clear the easy handle's connection
++                                     pointer */
+     /* This will remove the connection from the cache */
+     (void)Curl_disconnect(conn, FALSE);
+     sigpipe_restore(&pipe_st);
+-- 
+2.4.0
+
diff --git a/meta/recipes-support/curl/curl_7.47.1.bb b/meta/recipes-support/curl/curl_7.47.1.bb
index 8d459c7..6c71760 100644
--- a/meta/recipes-support/curl/curl_7.47.1.bb
+++ b/meta/recipes-support/curl/curl_7.47.1.bb
@@ -13,6 +13,7 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2";
 SRC_URI += " file://configure_ac.patch \
              file://CVE-2016-5419.patch \
              file://CVE-2016-5420.patch \
+             file://CVE-2016-5421.patch \
            "
 
 SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb"

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]