libcurl: security bump to version 7.55.0

Message ID 4f33b3435349660c4e3f2b444104442e6a9498b1.1502386545.git.baruch@tkos.co.il
State Accepted

Commit Message

Baruch Siach Aug. 10, 2017, 5:35 p.m. UTC
Fixes:

 glob: do not parse after a strtoul() overflow range (CVE-2017-1000101)
 tftp: reject file name lengths that don't fit (CVE-2017-1000100)
 file: output the correct buffer to the user (CVE-2017-1000099)

Switch to .tar.xz to save bandwidth.

Add reference to tarball signature.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
---
 package/libcurl/libcurl.hash | 3 ++-
 package/libcurl/libcurl.mk   | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

Comments

Arnout Vandecappelle Aug. 11, 2017, 12:09 p.m. UTC | #1
On 10-08-17 19:35, Baruch Siach wrote:
> Fixes:
> 
>  glob: do not parse after a strtoul() overflow range (CVE-2017-1000101)
>  tftp: reject file name lengths that don't fit (CVE-2017-1000100)
>  file: output the correct buffer to the user (CVE-2017-1000099)
> 
> Switch to .tar.xz to save bandwidth.
> 
> Add reference to tarball signature.

 Nice!

> Signed-off-by: Baruch Siach <baruch@tkos.co.il>

 Applied to master, thanks.

 Regards,
 Arnout

Peter Korsgaard Sept. 5, 2017, 9:58 p.m. UTC | #2
>>>>> "Baruch" == Baruch Siach <baruch@tkos.co.il> writes:

 > Fixes:
 >  glob: do not parse after a strtoul() overflow range (CVE-2017-1000101)
 >  tftp: reject file name lengths that don't fit (CVE-2017-1000100)
 >  file: output the correct buffer to the user (CVE-2017-1000099)

 > Switch to .tar.xz to save bandwidth.

 > Add reference to tarball signature.

 > Signed-off-by: Baruch Siach <baruch@tkos.co.il>

Committed to 2017.02.x, thanks.

Patch

diff --git a/package/libcurl/libcurl.hash b/package/libcurl/libcurl.hash
index 1b8d80fc9662..6d49b6742830 100644
--- a/package/libcurl/libcurl.hash
+++ b/package/libcurl/libcurl.hash
@@ -1,2 +1,3 @@ 
 # Locally calculated after checking pgp signature
-sha256 fdfc4df2d001ee0c44ec071186e770046249263c491fcae48df0e1a3ca8f25a0  curl-7.54.1.tar.bz2
+# https://curl.haxx.se/download/curl-7.55.0.tar.xz.asc
+sha256 cdd58522f8607fd4e871df79d73acb3155075e2134641e5adab12a0962df059d  curl-7.55.0.tar.xz
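Review bot: the new `# https://curl.haxx.se/download/curl-7.55.0.tar.xz.asc` line tells a later reviewer where the signature lives, but the retained `# Locally calculated after checking pgp signature` line still does not say which key the signature was checked against, so consider adding the fingerprint of the curl release key used; with it, the verification can be reproduced instead of trusting the recorded sha256 line, which is the only value the build actually checks. Dropping the `curl-7.54.1.tar.bz2` entry rather than keeping it alongside the new one is correct, since the .mk in this same patch no longer references that archive.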
diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk
index 684844919e3a..dd0ccbfa4621 100644
--- a/package/libcurl/libcurl.mk
+++ b/package/libcurl/libcurl.mk
@@ -4,8 +4,8 @@ 
 #
 ################################################################################
 
-LIBCURL_VERSION = 7.54.1
-LIBCURL_SOURCE = curl-$(LIBCURL_VERSION).tar.bz2
+LIBCURL_VERSION = 7.55.0
+LIBCURL_SOURCE = curl-$(LIBCURL_VERSION).tar.xz
 LIBCURL_SITE = https://curl.haxx.se/download
 LIBCURL_DEPENDENCIES = host-pkgconf \
 	$(if $(BR2_PACKAGE_ZLIB),zlib) \
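Review bot: changing `LIBCURL_SOURCE` from `.tar.bz2` to `.tar.xz` introduces a need for xz decompression on the build host at extract time that nothing in this hunk expresses; this is only acceptable if the package infrastructure pulls in host-xzcat for `.xz` sources on its own, so confirm that before merging rather than adding a manual dependency here. Otherwise the hunk is the minimal bump: `LIBCURL_SITE` is unchanged and still matches the download directory named in the new libcurl.hash comment, so the two files stay consistent.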