[debian-lts]curl package
Hi all,
I would like to send debdiff file of package curl for reviewing.
Could any one please review it and give me some comments.
Thanks and best regards
Cong
--
=====================================================================
Nguyen The Cong (Mr)
Software Engineer
Toshiba Software Development (Vietnam) Co.,Ltd
519 Kim Ma street, Ba Dinh District, Hanoi, Vietnam
tel: +84-4-2220 8801 (Ext. 208)
e-mail:cong.nguyenthe@toshiba-tsdv.com
=====================================================================
Note: This e-mail message may contain personal information or confidential information. If you are not the addressee of this message, please delete this message and kindly notify the sender as soon as possible - do not copy, use, or disclose this message.
diff -Nru curl-7.21.0/debian/changelog curl-7.21.0/debian/changelog
--- curl-7.21.0/debian/changelog 2014-11-09 21:32:50.000000000 +0700
+++ curl-7.21.0/debian/changelog 2015-01-12 10:10:53.000000000 +0700
@@ -1,3 +1,11 @@
+curl (7.21.0-2.1+squeeze11) squeeze-lts; urgency=high
+
+ * Non-maintainer upload.
+ * Fix URL request injection as in CVE-2014-8150
+ http://curl.haxx.se/docs/adv_20150108B.html
+
+ -- Nguyen Cong <cong.nguyenthe@toshiba-tsdv.com> Mon, 12 Jan 2015 10:09:24 +0700
+
curl (7.21.0-2.1+squeeze10) squeeze-lts; urgency=high
* Non-maintainer upload by the Squeeze LTS Team.
diff -Nru curl-7.21.0/debian/patches/CVE-2014-8150.patch curl-7.21.0/debian/patches/CVE-2014-8150.patch
--- curl-7.21.0/debian/patches/CVE-2014-8150.patch 1970-01-01 08:00:00.000000000 +0800
+++ curl-7.21.0/debian/patches/CVE-2014-8150.patch 2015-01-12 10:08:44.000000000 +0700
@@ -0,0 +1,30 @@
+Description: url-parsing: reject CRLFs within URLs
+ When libcurl sends a request to a server via a HTTP proxy,
+ it copies the entire URL into the request and sends if off.
+ If the given URL contains line feeds and carriage returns
+ those will be sent along to the proxy too, which allows the
+ program to for example send a separate HTTP request injected
+ embedded in the URL.
+Author: Daniel Stenberg <daniel@haxx.se>
+Origin: upstreams, http://curl.haxx.se/CVE-2014-8150.patch
+Bug: http://curl.haxx.se/docs/adv_20150108B.html
+Last-Update: 2015-01-10
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -3541,6 +3541,14 @@ static CURLcode parseurlandfillconn(stru
+
+ *prot_missing = FALSE;
+
++ /* We might pass the entire URL into the request so we need to make sure
++ * there are no bad characters in there.*/
++ if(strpbrk(data->change.url, "\r\n")) {
++ failf(data, "Illegal characters found in URL");
++ return CURLE_URL_MALFORMAT;
++ }
++
++
+ /*************************************************************
+ * Parse the URL.
+ *
diff -Nru curl-7.21.0/debian/patches/series curl-7.21.0/debian/patches/series
--- curl-7.21.0/debian/patches/series 2014-11-09 01:02:20.000000000 +0700
+++ curl-7.21.0/debian/patches/series 2015-01-12 10:08:44.000000000 +0700
@@ -23,5 +23,6 @@
18_CVE-2014-3707.patch
# this must be the last
+CVE-2014-8150.patch
curl_links_with_rt
gnutls
Reply to: