add patch from upstream to fix possible buffer overflow in URL parser (CVE-2013-2174), bump PKGREV
diff -r1.128 -r1.129 pkgsrc/www/curl/Makefile
(drochner)
@@ -1,17 +1,17 @@ | @@ -1,17 +1,17 @@ | |||
1 | # $NetBSD: Makefile,v 1.128 2013/05/31 12:42:31 wiz Exp $ | 1 | # $NetBSD: Makefile,v 1.129 2013/06/29 12:08:50 drochner Exp $ | |
2 | 2 | |||
3 | DISTNAME= curl-7.30.0 | 3 | DISTNAME= curl-7.30.0 | |
4 | PKGREVISION= 1 | 4 | PKGREVISION= 2 | |
5 | CATEGORIES= www | 5 | CATEGORIES= www | |
6 | MASTER_SITES= http://curl.haxx.se/download/ \ | 6 | MASTER_SITES= http://curl.haxx.se/download/ \ | |
7 | ftp://ftp.sunet.se/pub/www/utilities/curl/ | 7 | ftp://ftp.sunet.se/pub/www/utilities/curl/ | |
8 | EXTRACT_SUFX= .tar.bz2 | 8 | EXTRACT_SUFX= .tar.bz2 | |
9 | 9 | |||
10 | MAINTAINER= pkgsrc-users@NetBSD.org | 10 | MAINTAINER= pkgsrc-users@NetBSD.org | |
11 | HOMEPAGE= http://curl.haxx.se/ | 11 | HOMEPAGE= http://curl.haxx.se/ | |
12 | COMMENT= Client that groks URLs | 12 | COMMENT= Client that groks URLs | |
13 | # not completely, but near enough | 13 | # not completely, but near enough | |
14 | LICENSE= mit | 14 | LICENSE= mit | |
15 | 15 | |||
16 | PKG_INSTALLATION_TYPES= overwrite pkgviews | 16 | PKG_INSTALLATION_TYPES= overwrite pkgviews | |
17 | 17 |
@@ -1,7 +1,8 @@ | @@ -1,7 +1,8 @@ | |||
1 | $NetBSD: distinfo,v 1.85 2013/04/14 16:39:48 wiz Exp $ | 1 | $NetBSD: distinfo,v 1.86 2013/06/29 12:08:50 drochner Exp $ | |
2 | 2 | |||
3 | SHA1 (curl-7.30.0.tar.bz2) = 23fdc215558023b943cea9dfab04b86020037b0d | 3 | SHA1 (curl-7.30.0.tar.bz2) = 23fdc215558023b943cea9dfab04b86020037b0d | |
4 | RMD160 (curl-7.30.0.tar.bz2) = 858e772c17fc05d7114856f09fc34e696f1ef595 | 4 | RMD160 (curl-7.30.0.tar.bz2) = 858e772c17fc05d7114856f09fc34e696f1ef595 | |
5 | Size (curl-7.30.0.tar.bz2) = 2625976 bytes | 5 | Size (curl-7.30.0.tar.bz2) = 2625976 bytes | |
6 | SHA1 (patch-CVE-2013-2174) = 30b9f66fbc1112ba1dc361002768a0597ac1456b | |||
6 | SHA1 (patch-aa) = 07e12cd0576b87cfed74a6a2bf8dd42cb2f5a570 | 7 | SHA1 (patch-aa) = 07e12cd0576b87cfed74a6a2bf8dd42cb2f5a570 | |
7 | SHA1 (patch-curl-config.in) = c685dd4fd85fc9d97c6e6ff8dbf871c35dd57046 | 8 | SHA1 (patch-curl-config.in) = c685dd4fd85fc9d97c6e6ff8dbf871c35dd57046 |
$NetBSD: patch-CVE-2013-2174,v 1.1 2013/06/29 12:08:50 drochner Exp $
see http://curl.haxx.se/docs/adv_20130622.html
--- lib/escape.c.orig 2013-01-16 22:05:56.000000000 +0000
+++ lib/escape.c
@@ -159,7 +159,8 @@ CURLcode Curl_urldecode(struct SessionHa
while(--alloc > 0) {
in = *string;
- if(('%' == in) && ISXDIGIT(string[1]) && ISXDIGIT(string[2])) {
+ if(('%' == in) && (alloc > 2) &&
+ ISXDIGIT(string[1]) && ISXDIGIT(string[2])) {
/* this is two hexadecimal digits following a '%' */
char hexstr[3];
char *ptr;
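Review bot: The added `(alloc > 2)` test in the `'%'` branch carries the whole fix but has no comment saying what it guards. It only helps because it sits ahead of `ISXDIGIT(string[1])` and `ISXDIGIT(string[2])` in the `&&` chain, so those two reads are skipped when, presumably, fewer than three counted bytes of input remain; a later reordering of the condition would silently bring the over-read back. I would put a comment directly above the condition, for example `/* a %XX escape needs three bytes; test alloc first so string[1] and string[2] are never read past the counted input */`. How `alloc` is initialised and adjusted after a decoded escape lies outside this hunk, as does the rest of Curl_urldecode, so the wording should be confirmed against the full function.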