net/curl: security update to 7.87.0

Includes fixes for
CVE-2022-43551: Another HSTS bypass via IDN
CVE-2022-43552: HTTP Proxy deny use-after-free

Note that this port does not enable IDN support.
naddy 2022-12-24 21:27:29 +00:00
parent a2bdee4131
commit d09f756f77
4 changed files with 5 additions and 101 deletions


@ -1,8 +1,7 @@
COMMENT= transfer files with FTP, HTTP, HTTPS, etc.
DISTNAME= curl-7.86.0
REVISION= 1
SHARED_LIBS= curl 26.17 # 12.0
DISTNAME= curl-7.87.0
SHARED_LIBS= curl 26.18 # 12.0
CATEGORIES= net
HOMEPAGE= https://curl.se/


@ -1,2 +1,2 @@
SHA256 (curl-7.86.0.tar.xz) = LWERbl9IVYH21ZhlN330Rj8ueIZ3rEMiK0ltTkn7Yns=
SIZE (curl-7.86.0.tar.xz) = 2518356
SHA256 (curl-7.87.0.tar.xz) = 7l8aGVWw7UE0Ne952yi4NOpfD7fIz7HORxdcw77gj/8=
SIZE (curl-7.87.0.tar.xz) = 2547932


@ -1,96 +0,0 @@
noproxy: also match with adjacent comma
https://github.com/curl/curl/commit/efc286b7a62af0568fdcbf3c68791c9955182128
noproxy: fix tail-matching
https://github.com/curl/curl/commit/b830f9ba9e94acf672cd191993ff679fa888838b
noproxy: tailmatch like in 7.85.0 and earlier
https://github.com/curl/curl/commit/b1953c1933b369b1217ef0f16053e26da63488c3
Index: lib/noproxy.c
--- lib/noproxy.c.orig
+++ lib/noproxy.c
@@ -149,9 +149,14 @@ bool Curl_check_noproxy(const char *name, const char *
}
else {
unsigned int address;
+ namelen = strlen(name);
if(1 == Curl_inet_pton(AF_INET, name, &address))
type = TYPE_IPV4;
- namelen = strlen(name);
+ else {
+ /* ignore trailing dots in the host name */
+ if(name[namelen - 1] == '.')
+ namelen--;
+ }
}
while(*p) {
@@ -173,33 +178,50 @@ bool Curl_check_noproxy(const char *name, const char *
if(tokenlen) {
switch(type) {
case TYPE_HOST:
- if(*token == '.') {
- ++token;
- --tokenlen;
- /* tailmatch */
- match = (tokenlen <= namelen) &&
- strncasecompare(token, name + (namelen - tokenlen), namelen);
+ /* ignore trailing dots in the token to check */
+ if(token[tokenlen - 1] == '.')
+ tokenlen--;
+
+ if(tokenlen && (*token == '.')) {
+ /* ignore leading token dot as well */
+ token++;
+ tokenlen--;
}
- else
- match = (tokenlen == namelen) &&
- strncasecompare(token, name, namelen);
+ /* A: example.com matches 'example.com'
+ B: www.example.com matches 'example.com'
+ C: nonexample.com DOES NOT match 'example.com'
+ */
+ if(tokenlen == namelen)
+ /* case A, exact match */
+ match = strncasecompare(token, name, namelen);
+ else if(tokenlen < namelen) {
+ /* case B, tailmatch domain */
+ match = (name[namelen - tokenlen - 1] == '.') &&
+ strncasecompare(token, name + (namelen - tokenlen),
+ tokenlen);
+ }
+ /* case C passes through, not a match */
break;
case TYPE_IPV4:
/* FALLTHROUGH */
case TYPE_IPV6: {
const char *check = token;
- char *slash = strchr(check, '/');
+ char *slash;
unsigned int bits = 0;
char checkip[128];
+ if(tokenlen >= sizeof(checkip))
+ /* this cannot match */
+ break;
+ /* copy the check name to a temp buffer */
+ memcpy(checkip, check, tokenlen);
+ checkip[tokenlen] = 0;
+ check = checkip;
+
+ slash = strchr(check, '/');
/* if the slash is part of this token, use it */
- if(slash && (slash < &check[tokenlen])) {
+ if(slash) {
bits = atoi(slash + 1);
- /* copy the check name to a temp buffer */
- if(tokenlen >= sizeof(checkip))
- break;
- memcpy(checkip, check, tokenlen);
- checkip[ slash - check ] = 0;
- check = checkip;
+ *slash = 0; /* null terminate there */
}
if(type == TYPE_IPV6)
match = Curl_cidr6_match(name, check, bits);


@ -119,6 +119,7 @@ lib/pkgconfig/libcurl.pc
@man man/man3/CURLOPT_CAINFO.3
@man man/man3/CURLOPT_CAINFO_BLOB.3
@man man/man3/CURLOPT_CAPATH.3
@man man/man3/CURLOPT_CA_CACHE_TIMEOUT.3
@man man/man3/CURLOPT_CERTINFO.3
@man man/man3/CURLOPT_CHUNK_BGN_FUNCTION.3
@man man/man3/CURLOPT_CHUNK_DATA.3