From patchwork Mon May 13 16:40:57 2013
X-Patchwork-Submitter: Gustavo Zacarias
X-Patchwork-Id: 243445
From: Gustavo Zacarias
To: buildroot@busybox.net
Date: Mon, 13 May 2013 13:40:57 -0300
Message-Id: <1368463259-18958-4-git-send-email-gustavo@zacarias.com.ar>
In-Reply-To: <1368463259-18958-1-git-send-email-gustavo@zacarias.com.ar>
References: <1368463259-18958-1-git-send-email-gustavo@zacarias.com.ar>
Subject: [Buildroot] [PATCH 4/6] libcurl: bump to version 7.30.0

And add support for other SSL backends such as gnutls, nss and polarssl.
Also add support for libidn and zlib.

Signed-off-by: Gustavo Zacarias
---
 package/libcurl/libcurl-01-CVE-2013-0249.patch | 65 --------------------------
 package/libcurl/libcurl-02-CVE-2013-1944.patch | 57 ----------------------
 package/libcurl/libcurl.mk                     | 26 ++++++++---
 3 files changed, 20 insertions(+), 128 deletions(-)
 delete mode 100644 package/libcurl/libcurl-01-CVE-2013-0249.patch
 delete mode 100644 package/libcurl/libcurl-02-CVE-2013-1944.patch
diff --git a/package/libcurl/libcurl-01-CVE-2013-0249.patch b/package/libcurl/libcurl-01-CVE-2013-0249.patch deleted file mode 100644 index 7d2af2a..0000000 --- a/package/libcurl/libcurl-01-CVE-2013-0249.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From ee45a34907ffeb5fd95b0513040d8491d565b663 Mon Sep 17 00:00:00 2001 -From: Eldar Zaitov -Date: Wed, 30 Jan 2013 23:22:27 +0100 -Subject: [PATCH] Curl_sasl_create_digest_md5_message: fix buffer overflow - -When negotiating SASL DIGEST-MD5 authentication, the function -Curl_sasl_create_digest_md5_message() uses the data provided from the -server without doing the proper length checks and that data is then -appended to a local fixed-size buffer on the stack. - -This vulnerability can be exploited by someone who is in control of a -server that a libcurl based program is accessing with POP3, SMTP or -IMAP. For applications that accept user provided URLs, it is also -thinkable that a malicious user would feed an application with a URL to -a server hosting code targetting this flaw. - -Bug: http://curl.haxx.se/docs/adv_20130206.html ---- - lib/curl_sasl.c | 23 ++++++----------------- - 1 file changed, 6 insertions(+), 17 deletions(-) - -diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c -index 57116b6..d07387d 100644 ---- a/lib/curl_sasl.c -+++ b/lib/curl_sasl.c -@@ -346,9 +346,7 @@ CURLcode Curl_sasl_create_digest_md5_message(struct SessionHandle *data, - snprintf(&HA1_hex[2 * i], 3, "%02x", digest[i]); - - /* Prepare the URL string */ -- strcpy(uri, service); -- strcat(uri, "/"); -- strcat(uri, realm); -+ snprintf(uri, sizeof(uri), "%s/%s", service, realm); - - /* Calculate H(A2) */ - ctxt = Curl_MD5_init(Curl_DIGEST_MD5); -@@ -392,20 +390,11 @@ CURLcode Curl_sasl_create_digest_md5_message(struct SessionHandle *data, - for(i = 0; i < MD5_DIGEST_LEN; i++) - snprintf(&resp_hash_hex[2 * i], 3, "%02x", digest[i]); - -- strcpy(response, "username=\""); -- strcat(response, userp); -- strcat(response, "\",realm=\""); -- strcat(response, realm); -- strcat(response, "\",nonce=\""); -- strcat(response, nonce); -- strcat(response, "\",cnonce=\""); -- strcat(response, cnonce); -- strcat(response, "\",nc="); -- strcat(response, nonceCount); -- strcat(response, 
",digest-uri=\""); -- strcat(response, uri); -- strcat(response, "\",response="); -- strcat(response, resp_hash_hex); -+ snprintf(response, sizeof(response), -+ "username=\"%s\",realm=\"%s\",nonce=\"%s\"," -+ "cnonce=\"%s\",nc=\"%s\",digest-uri=\"%s\",response=%s", -+ userp, realm, nonce, -+ cnonce, nonceCount, uri, resp_hash_hex); - - /* Base64 encode the reply */ - return Curl_base64_encode(data, response, 0, outptr, outlen); --- -1.7.10.4 - diff --git a/package/libcurl/libcurl-02-CVE-2013-1944.patch b/package/libcurl/libcurl-02-CVE-2013-1944.patch deleted file mode 100644 index 18d9c2d..0000000 --- a/package/libcurl/libcurl-02-CVE-2013-1944.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -From 3604fde3d3c9b0d0e389e079aecf470d123ba180 Mon Sep 17 00:00:00 2001 -From: YAMADA Yasuharu -Date: Thu, 11 Apr 2013 00:17:15 +0200 -Subject: [PATCH] cookie: fix tailmatching to prevent cross-domain leakage - -Cookies set for 'example.com' could accidentaly also be sent by libcurl -to the 'bexample.com' (ie with a prefix to the first domain name). - -This is a security vulnerabilty, CVE-2013-1944. - -Bug: http://curl.haxx.se/docs/adv_20130412.html ---- - lib/cookie.c | 24 +++++++++++++++++++----- - 1 file changed, 19 insertions(+), 5 deletions(-) - -diff --git a/lib/cookie.c b/lib/cookie.c -index 4b9ec0b..a67204e 100644 ---- a/lib/cookie.c -+++ b/lib/cookie.c -@@ -118,15 +118,29 @@ static void freecookie(struct Cookie *co) - free(co); - } - --static bool tailmatch(const char *little, const char *bigone) -+static bool tailmatch(const char *cooke_domain, const char *hostname) - { -- size_t littlelen = strlen(little); -- size_t biglen = strlen(bigone); -+ size_t cookie_domain_len = strlen(cooke_domain); -+ size_t hostname_len = strlen(hostname); - -- if(littlelen > biglen) -+ if(hostname_len < cookie_domain_len) - return FALSE; - -- return Curl_raw_equal(little, bigone+biglen-littlelen) ? TRUE : FALSE; -+ if(!Curl_raw_equal(cooke_domain, hostname+hostname_len-cookie_domain_len)) -+ return FALSE; -+ -+ /* A lead char of cookie_domain is not '.'. -+ RFC6265 4.1.2.3. The Domain Attribute says: -+ For example, if the value of the Domain attribute is -+ "example.com", the user agent will include the cookie in the Cookie -+ header when making HTTP requests to example.com, www.example.com, and -+ www.corp.example.com. -+ */ -+ if(hostname_len == cookie_domain_len) -+ return TRUE; -+ if('.' == *(hostname + hostname_len - cookie_domain_len - 1)) -+ return TRUE; -+ return FALSE; - } - - /* --- -1.7.10.4 - diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk index f0236d9..39eef10 100644 --- a/package/libcurl/libcurl.mk 
+++ b/package/libcurl/libcurl.mk @@ -4,9 +4,12 @@ # ############################################################# -LIBCURL_VERSION = 7.28.1 +LIBCURL_VERSION = 7.30.0 LIBCURL_SOURCE = curl-$(LIBCURL_VERSION).tar.bz2 LIBCURL_SITE = http://curl.haxx.se/download +LIBCURL_DEPENDENCIES = host-pkgconf \ + $(if $(BR2_PACKAGE_ZLIB),zlib) \ + $(if $(BR2_PACKAGE_LIBIDN),libidn) LIBCURL_LICENSE = ICS LIBCURL_LICENSE_FILES = COPYING LIBCURL_INSTALL_STAGING = YES 
@@ -15,23 +18,34 @@ LIBCURL_INSTALL_STAGING = YES # on non-MMU platforms. Moreover, this authentication method is # probably almost never used. See # http://curl.haxx.se/docs/manpage.html#--ntlm. -LIBCURL_CONF_OPT = --disable-verbose --disable-manual \ - --enable-hidden-symbols --disable-ntlm-wb +LIBCURL_CONF_OPT = --disable-verbose --disable-manual --disable-ntlm-wb \ + --enable-hidden-symbols --with-random=/dev/urandom LIBCURL_CONFIG_SCRIPTS = curl-config ifeq ($(BR2_PACKAGE_OPENSSL),y) -LIBCURL_DEPENDENCIES += openssl LIBCURL_CONF_ENV += ac_cv_lib_crypto_CRYPTO_lock=yes # configure adds the cross openssl dir to LD_LIBRARY_PATH which screws up # native stuff during the rest of configure when target == host. # Fix it by setting LD_LIBRARY_PATH to something sensible so those libs # are found first. +LIBCURL_DEPENDENCIES += openssl LIBCURL_CONF_ENV += LD_LIBRARY_PATH=$$LD_LIBRARY_PATH:/lib:/usr/lib LIBCURL_CONF_OPT += --with-ssl=$(STAGING_DIR)/usr \ - --with-random=/dev/urandom \ --with-ca-path=/etc/ssl/certs +LIBCURL_DEPENDENCIES += openssl +else ifeq ($(BR2_PACKAGE_GNUTLS),y) +LIBCURL_CONF_OPT += --with-gnutls=$(STAGING_DIR)/usr +LIBCURL_DEPENDENCIES += gnutls +else ifeq ($(BR2_PACKAGE_POLARSSL),y) +LIBCURL_CONF_OPT += --with-polarssl=$(STAGING_DIR)/usr +LIBCURL_DEPENDENCIES += polarssl +else ifeq ($(BR2_PACKAGE_LIBNSS),y) +LIBCURL_CONF_OPT += --with-nss=$(STAGING_DIR)/usr +LIBCURL_CONF_ENV += CPPFLAGS="$(TARGET_CPPFLAGS) `$(PKG_CONFIG_HOST_BINARY) nspr nss --cflags`" +LIBCURL_DEPENDENCIES += libnss else -LIBCURL_CONF_OPT += --without-ssl +LIBCURL_CONF_OPT += --without-ssl --without-gnutls \ + --without-polarssl --without-nss endif define LIBCURL_FIX_DOT_PC
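Review bot: The commit message gives no reason for deleting package/libcurl/libcurl-01-CVE-2013-0249.patch and package/libcurl/libcurl-02-CVE-2013-1944.patch. Both files carry security fixes (the stack buffer overflow in Curl_sasl_create_digest_md5_message() and the cookie tailmatch cross-domain leak), so the message should state explicitly that both fixes are part of the 7.30.0 release. That lets anyone auditing the history see that the patches were superseded by the version bump rather than dropped by accident.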
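Review bot: In the first libcurl.mk hunk, the new LIBCURL_DEPENDENCIES lines only make zlib and libidn build dependencies; the visible hunks pass no matching configure switch in either direction. Consider keying an explicit option on the same symbols, for example --with-zlib / --without-zlib on BR2_PACKAGE_ZLIB and --with-libidn / --without-libidn on BR2_PACKAGE_LIBIDN, so that the feature set of the built library follows the Buildroot configuration instead of configure's autodetection of whatever happens to be in staging.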
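Review bot: In the second libcurl.mk hunk, the BR2_PACKAGE_OPENSSL branch now appends openssl to LIBCURL_DEPENDENCIES twice: the line is moved below the LD_LIBRARY_PATH comment and then added again after --with-ca-path=/etc/ssl/certs. Drop one of the two "LIBCURL_DEPENDENCIES += openssl" lines. Two further points on the same hunk: --with-ca-path is set only for OpenSSL, so the gnutls, polarssl and nss branches configure no trust store location and certificate verification on those backends is left to configure's defaults; if that is intended, say so in a comment, otherwise pass a CA bundle or path there as well. The explicit --without-gnutls --without-polarssl --without-nss switches appear only in the final else, so when more than one TLS package is selected the backend actually used is decided by the order of this ifeq chain, which deserves a one-line comment.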