From patchwork Thu May 19 11:27:41 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dirk Neukirchen X-Patchwork-Id: 623960 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2001:1868:205::9]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 3r9TTg1Gkcz9t3w for ; Thu, 19 May 2016 21:33:27 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.80.1 #2 (Red Hat Linux)) id 1b3MAt-00082I-EP; Thu, 19 May 2016 11:31:31 +0000 Received: from mout.web.de ([212.227.15.4]) by bombadil.infradead.org with esmtps (Exim 4.80.1 #2 (Red Hat Linux)) id 1b3MAq-0007wa-GI for lede-dev@lists.infradead.org; Thu, 19 May 2016 11:31:30 +0000 Received: from tenchi-htpc.lan ([91.66.244.150]) by smtp.web.de (mrweb003) with ESMTPSA (Nemesis) id 0LzsHL-1bh8fb34b5-0154K0 for ; Thu, 19 May 2016 13:31:04 +0200 From: Dirk Neukirchen To: lede-dev@lists.infradead.org Date: Thu, 19 May 2016 13:27:41 +0200 Message-Id: <1463657261-25698-1-git-send-email-dirkneukirchen@web.de> X-Mailer: git-send-email 2.8.2 X-Provags-ID: V03:K0:VvJr4uL6mSM6MnaAVJ7pzRF0I7JWhSN1eQ8zmy5BzlkC5aD/Uby romYAbWGixGai6eMlP/28ViDJzoSryWRw3MONkS6vrt8weZ4TRa0mQw0riZDojakM1zXjZ+ hHHAjrrthRkcgWkHMYTB6WhLab5V8jgrufsBMqOgHESD2FoedBOZHI76kwmFqx3zBNdzaiP 1KIfUVzuF0dy1CVgzXRNA== X-UI-Out-Filterresults: notjunk:1; V01:K0:1WkGgCrS4H0=:M0kSLoGod4EmqPESE/4hc3 z52ZNLySj32a+DB4FFAnqEshZg0Hp1WRsZapf++MOApV50Yycm9+4O1ZSe357fc/ErY7zcpkd t4uYOJBxPFa+vJxdSEu/urkPCGJscLR12S5ZJYT2ToOB3wG8neFkBLoDeuZMiqEOkCOwBKs1Z /ODtlfZMy6pQNSsoGBDyes3r68u1mL7XpE5uHxk1zxz58sI+aqDHVX+zKjnWh9Ya0iRwyykrz KMFcqdyGhdVAAuq4L59iTWBgg4e+z7SfOOsEF2AWHPvKqji1sWmNHK+zxO4LEHKv49bBwSct5 NYpyEehAXefeQUs4LOw/AwjC1C9Uy94SainUObXP/TzkPanTYUbujbpzvAhadNVbSK+KkxhuO Z+uZyqUiVqIrgBfOU/NNXkx6/YlgMInlvQPq+63RL0Uw9f1XFFhnoLJykMHNZyFd2Vlw3xRTL eM8M+DOvkRhGoXRAe8G/4WouzPzHU98gMlZE6xnGYqItdOsggVu59zSOdRsx8mOkLaHoPkGg1 A2jHoYxV+s2rZELIJ5+jesCNpAk2sAO1GfxyYb9h9e3w4gAxDSQtt8+4kZEkbPZy8QGKhhLr5 Vigk+SMH/+te56qG4lnaGZgeDNbuc0qyjYA1d/X2crIJS9MUcO90p6DBl6IOysWK7sfMQhewo vIivt4d4fJJQgmzbM4H/J9mOYpZOlgTSWA+COTNU7CC7c8v9MvCFWI4c2FrUqW0IPI258eSvx AKDY3Xx443WDeNReNUt1I85NgtzJS+X3HHRuUdn8nZDyEGHi9VDyRpy4uIc= X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20160519_043128_929273_DBEDFC87 X-CRM114-Status: GOOD ( 10.36 ) X-Spam-Score: -4.0 (----) X-Spam-Report: SpamAssassin version 3.4.0 on bombadil.infradead.org summary: Content analysis details: (-4.0 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low trust [212.227.15.4 listed in list.dnswl.org] -0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3) [212.227.15.4 listed in wl.mailspike.net] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (dirkneukirchen[at]web.de) -1.4 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] -0.0 RCVD_IN_MSPIKE_WL Mailspike good senders Subject: [LEDE-DEV] [PATCH] curl: update to 7.49 X-BeenThere: lede-dev@lists.infradead.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: "Lede-dev" Errors-To: lede-dev-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org fixes: CVE-2016-3739: TLS certificate check bypass with mbedTLS/PolarSSL - remove crypto auth compile fix curl changelog of 7.46 states its fixed - fix mbedtls and cyassl usability #19621 : add path to certificate file (from Mozilla via curl) and provide this in a new package tested on ar71xx w. curl/mbedtls/wolfssl Signed-off-by: Dirk Neukirchen --- package/network/utils/curl/Makefile | 15 ++++++------- .../utils/curl/patches/200-no_docs_tests.patch | 10 ++++----- .../curl/patches/300-fix-disable-crypto-auth.patch | 25 ---------------------- ...10-polarssl-disable-runtime-version-check.patch | 4 ++-- 4 files changed, 14 insertions(+), 40 deletions(-) delete mode 100644 package/network/utils/curl/patches/300-fix-disable-crypto-auth.patch diff --git a/package/network/utils/curl/Makefile b/package/network/utils/curl/Makefile index af38ed4..4b41ac3 100644 --- a/package/network/utils/curl/Makefile +++ b/package/network/utils/curl/Makefile @@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=curl -PKG_VERSION:=7.48.0 +PKG_VERSION:=7.49.0 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 @@ -18,7 +18,7 @@ PKG_SOURCE_URL:=http://curl.haxx.se/download/ \ ftp://ftp.planetmirror.com/pub/curl/ \ http://www.mirrormonster.com/curl/download/ \ http://curl.mirrors.cyberservers.net/download/ -PKG_MD5SUM:=d42e0fc34a5cace5739631cc040974fe +PKG_MD5SUM:=7416aaff4a9210b43edda7615ffa4169 PKG_LICENSE:=MIT PKG_LICENSE_FILES:=COPYING @@ -109,7 +109,6 @@ CONFIGURE_ARGS += \ --enable-shared \ --enable-static \ --disable-manual \ - --without-ca-bundle \ --without-nss \ --without-libmetalink \ --without-librtmp \ @@ -117,11 +116,11 @@ CONFIGURE_ARGS += \ $(call autoconf_bool,CONFIG_IPV6,ipv6) \ \ $(if $(CONFIG_LIBCURL_AXTLS),--with-axtls="$(STAGING_DIR)/usr" --without-ca-path,--without-axtls) \ - $(if $(CONFIG_LIBCURL_CYASSL),--with-cyassl="$(STAGING_DIR)/usr" --without-ca-path,--without-cyassl) \ - $(if $(CONFIG_LIBCURL_GNUTLS),--with-gnutls="$(STAGING_DIR)/usr" --with-ca-path=/etc/ssl/certs,--without-gnutls) \ - $(if $(CONFIG_LIBCURL_OPENSSL),--with-ssl="$(STAGING_DIR)/usr" --with-ca-path=/etc/ssl/certs,--without-ssl) \ - $(if $(CONFIG_LIBCURL_POLARSSL),--with-polarssl="$(STAGING_DIR)/usr" --with-ca-path=/etc/ssl/certs,--without-polarssl) \ - $(if $(CONFIG_LIBCURL_MBEDTLS),--with-mbedtls="$(STAGING_DIR)/usr" --without-ca-path,--without-mbedtls) \ + $(if $(CONFIG_LIBCURL_CYASSL),--with-cyassl="$(STAGING_DIR)/usr" --without-ca-path --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt,--without-cyassl) \ + $(if $(CONFIG_LIBCURL_GNUTLS),--with-gnutls="$(STAGING_DIR)/usr" --without-ca-bundle --with-ca-path=/etc/ssl/certs,--without-gnutls) \ + $(if $(CONFIG_LIBCURL_OPENSSL),--with-ssl="$(STAGING_DIR)/usr" --without-ca-bundle --with-ca-path=/etc/ssl/certs,--without-ssl) \ + $(if $(CONFIG_LIBCURL_POLARSSL),--with-polarssl="$(STAGING_DIR)/usr" --without-ca-bundle --with-ca-path=/etc/ssl/certs,--without-polarssl) \ + $(if $(CONFIG_LIBCURL_MBEDTLS),--with-mbedtls="$(STAGING_DIR)/usr" --without-ca-path --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt,--without-mbedtls) \ \ $(if $(CONFIG_LIBCURL_LIBIDN),--with-libidn="$(STAGING_DIR)/usr",--without-libidn) \ $(if $(CONFIG_LIBCURL_SSH2),--with-libssh2="$(STAGING_DIR)/usr",--without-libssh2) \ diff --git a/package/network/utils/curl/patches/200-no_docs_tests.patch b/package/network/utils/curl/patches/200-no_docs_tests.patch index 4ac5bad..6f86d4c 100644 --- a/package/network/utils/curl/patches/200-no_docs_tests.patch +++ b/package/network/utils/curl/patches/200-no_docs_tests.patch @@ -3,8 +3,8 @@ @@ -150,7 +150,7 @@ CLEANFILES = $(VC6_LIBDSP) $(VC6_SRCDSP) bin_SCRIPTS = curl-config - SUBDIRS = lib src include scripts --DIST_SUBDIRS = $(SUBDIRS) tests packages docs + SUBDIRS = lib src include +-DIST_SUBDIRS = $(SUBDIRS) tests packages docs scripts +DIST_SUBDIRS = $(SUBDIRS) packages pkgconfigdir = $(libdir)/pkgconfig @@ -14,9 +14,9 @@ @@ -611,7 +611,7 @@ CLEANFILES = $(VC6_LIBDSP) $(VC6_SRCDSP) bin_SCRIPTS = curl-config - SUBDIRS = lib src include scripts --DIST_SUBDIRS = $(SUBDIRS) tests packages docs + SUBDIRS = lib src include +-DIST_SUBDIRS = $(SUBDIRS) tests packages docs scripts +DIST_SUBDIRS = $(SUBDIRS) packages pkgconfigdir = $(libdir)/pkgconfig pkgconfig_DATA = libcurl.pc - LIB_VTLS_CFILES = vtls/openssl.c vtls/gtls.c vtls/vtls.c vtls/nss.c \ + LIB_VAUTH_CFILES = vauth/vauth.c vauth/cleartext.c vauth/cram.c \ diff --git a/package/network/utils/curl/patches/300-fix-disable-crypto-auth.patch b/package/network/utils/curl/patches/300-fix-disable-crypto-auth.patch deleted file mode 100644 index 5c0a37e..0000000 --- a/package/network/utils/curl/patches/300-fix-disable-crypto-auth.patch +++ /dev/null @@ -1,25 +0,0 @@ ---- a/lib/curl_ntlm_msgs.c -+++ b/lib/curl_ntlm_msgs.c -@@ -573,7 +573,7 @@ CURLcode Curl_sasl_create_ntlm_type3_mes - else - #endif - --#if USE_NTRESPONSES && USE_NTLM2SESSION -+#if USE_NTRESPONSES && USE_NTLM2SESSION && !defined(CURL_DISABLE_CRYPTO_AUTH) - /* We don't support NTLM2 if we don't have USE_NTRESPONSES */ - if(ntlm->flags & NTLMFLAG_NEGOTIATE_NTLM2_KEY) { - unsigned char ntbuffer[0x18]; ---- a/lib/vtls/vtls.c -+++ b/lib/vtls/vtls.c -@@ -921,9 +921,9 @@ CURLcode Curl_ssl_md5sum(unsigned char * - unsigned char *md5sum, /* output */ - size_t md5len) - { --#ifdef curlssl_md5sum -+#if defined(curlssl_md5sum) - curlssl_md5sum(tmp, tmplen, md5sum, md5len); --#else -+#elif !defined(CURL_DISABLE_CRYPTO_AUTH) - MD5_context *MD5pw; - - (void) md5len; diff --git a/package/network/utils/curl/patches/310-polarssl-disable-runtime-version-check.patch b/package/network/utils/curl/patches/310-polarssl-disable-runtime-version-check.patch index 7f7937b..bb622ee 100644 --- a/package/network/utils/curl/patches/310-polarssl-disable-runtime-version-check.patch +++ b/package/network/utils/curl/patches/310-polarssl-disable-runtime-version-check.patch @@ -1,6 +1,6 @@ --- a/lib/vtls/polarssl.c +++ b/lib/vtls/polarssl.c -@@ -592,7 +592,7 @@ void Curl_polarssl_session_free(void *pt +@@ -653,7 +653,7 @@ void Curl_polarssl_session_free(void *pt size_t Curl_polarssl_version(char *buffer, size_t size) { @@ -11,7 +11,7 @@ version>>24, (version>>16)&0xff, (version>>8)&0xff); --- a/lib/vtls/mbedtls.c +++ b/lib/vtls/mbedtls.c -@@ -712,7 +712,7 @@ void Curl_mbedtls_session_free(void *ptr +@@ -701,7 +701,7 @@ void Curl_mbedtls_session_free(void *ptr size_t Curl_mbedtls_version(char *buffer, size_t size) {