Change-Id: I3a1eb0041822d84361ddcd09a23e5a78ac8e2b5c
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/6443
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Anish Swaminathan <anishs@vmware.com>
| 1 | 1 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,17 @@ |
| 0 |
+diff -ru a/lib/url.c b/lib/url.c |
|
| 1 |
+--- a/lib/url.c 2019-01-03 20:29:22.808975999 +0000 |
|
| 2 |
+@@ -320,10 +320,12 @@ |
|
| 3 |
+ and detach this handle from there. */ |
|
| 4 |
+ curl_multi_remove_handle(data->multi, data); |
|
| 5 |
+ |
|
| 6 |
+- if(data->multi_easy) |
|
| 7 |
++ if(data->multi_easy) {
|
|
| 8 |
+ /* when curl_easy_perform() is used, it creates its own multi handle to |
|
| 9 |
+ use and this is the one */ |
|
| 10 |
+ curl_multi_cleanup(data->multi_easy); |
|
| 11 |
++ data->multi_easy = NULL; |
|
| 12 |
++ } |
|
| 13 |
+ |
|
| 14 |
+ /* Destroy the timeout list that is held in the easy handle. It is |
|
| 15 |
+ /normally/ done by curl_multi_remove_handle() but this is "just in |
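Review bot: The new patch file starts directly at `diff -ru a/lib/url.c b/lib/url.c` with no header saying where the change comes from, so a later reader cannot check this backport against the upstream fix. The tool_msgs.c patch file added in the same commit has the same gap. I would put a short header above the `diff` line in each file, for example `# Backport of the upstream fix for CVE-2018-16840; upstream commit: <UPSTREAM_COMMIT_ID>`, with the real commit id filled in. On the code itself, the added `data->multi_easy = NULL;` after `curl_multi_cleanup(data->multi_easy);` keeps the stale pointer from being reused on a later pass through this close path. The enclosing function starts and ends outside the hunk, so whether anything else reads `multi_easy` after this point cannot be confirmed from here.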
| 0 | 16 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,12 @@ |
| 0 |
+diff -ru a/src/tool_msgs.c b/src/tool_msgs.c |
|
| 1 |
+--- a/src/tool_msgs.c 2019-01-03 20:29:22.836975839 +0000 |
|
| 2 |
+@@ -67,7 +67,7 @@ |
|
| 3 |
+ (void)fwrite(ptr, cut + 1, 1, config->errors); |
|
| 4 |
+ fputs("\n", config->errors);
|
|
| 5 |
+ ptr += cut + 1; /* skip the space too */ |
|
| 6 |
+- len -= cut; |
|
| 7 |
++ len -= cut + 1; |
|
| 8 |
+ } |
|
| 9 |
+ else {
|
|
| 10 |
+ fputs(ptr, config->errors); |
| ... | ... |
@@ -1,7 +1,7 @@ |
| 1 | 1 |
Summary: An URL retrieval utility and library |
| 2 | 2 |
Name: curl |
| 3 | 3 |
Version: 7.59.0 |
| 4 |
-Release: 3%{?dist}
|
|
| 4 |
+Release: 4%{?dist}
|
|
| 5 | 5 |
License: MIT |
| 6 | 6 |
URL: http://curl.haxx.se |
| 7 | 7 |
Group: System Environment/NetworkingLibraries |
| ... | ... |
@@ -12,6 +12,8 @@ Source0: http://curl.haxx.se/download/%{name}-%{version}.tar.gz
|
| 12 | 12 |
Patch0: curl-CVE-2018-1000300.patch |
| 13 | 13 |
Patch1: curl-CVE-2018-1000301.patch |
| 14 | 14 |
Patch2: curl-CVE-2018-0500.patch |
| 15 |
+Patch3: curl-CVE-2018-16840.patch |
|
| 16 |
+Patch4: curl-CVE-2018-16842.patch |
|
| 15 | 17 |
Requires: ca-certificates |
| 16 | 18 |
BuildRequires: ca-certificates |
| 17 | 19 |
Requires: openssl |
| ... | ... |
@@ -31,6 +33,8 @@ sed -i '/--static-libs)/{N;s#echo .*#echo #;}' curl-config.in
|
| 31 | 31 |
%patch0 -p1 |
| 32 | 32 |
%patch1 -p1 |
| 33 | 33 |
%patch2 -p1 |
| 34 |
+%patch3 -p1 |
|
| 35 |
+%patch4 -p1 |
|
| 34 | 36 |
%build |
| 35 | 37 |
./configure \ |
| 36 | 38 |
CFLAGS="%{optflags}" \
|
| ... | ... |
@@ -69,6 +73,8 @@ rm -rf %{buildroot}/*
|
| 69 | 69 |
%{_datarootdir}/aclocal/libcurl.m4
|
| 70 | 70 |
%{_docdir}/%{name}-%{version}
|
| 71 | 71 |
%changelog |
| 72 |
+* Thu Jan 03 2019 Siju Maliakkal <smaliakkal@vmware.com> 7.59.0-4 |
|
| 73 |
+- Apply patches for CVE-2018-16840, CVE-2018-16842 |
|
| 72 | 74 |
* Tue Sep 18 2018 Keerthana K <keerthanak@vmware.com> 7.59.0-3 |
| 73 | 75 |
- Fix for CVE-2018-0500 |
| 74 | 76 |
* Thu Jul 05 2018 Keerthana K <keerthanak@vmware.com> 7.59.0-2 |