compat-libcurl3: sync with curl 7.15.5-17.el5_9HEADmaster

1 files changed, 268 insertions, 0 deletions

diff --git a/curl-7.15.5-CVE-2013-2174.patch b/curl-7.15.5-CVE-2013-2174.patch
new file mode 100644
index 0000000..553b7d0
--- /dev/null
+++ b/curl-7.15.5-CVE-2013-2174.patch
@@ -0,0 +1,268 @@
+From ab181f4e1116322b13db55969fc5162e6a7c0114 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 4 Aug 2007 20:47:59 +0000
+Subject: [PATCH 1/4] Patrick Monnerat fixed curl_easy_escape() and curlx_strtoll() to work on non-ASCII systems.
+
+[upstream commit 1926f4573d43f35f33b524d120e847ea819cc7c7]
+
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/escape.c |   29 ++++++++++++++++++++++-------
+ 1 files changed, 22 insertions(+), 7 deletions(-)
+
+diff --git a/lib/escape.c b/lib/escape.c
+index 18ae2e1..e0e696a 100644
+--- a/lib/escape.c
++++ b/lib/escape.c
+@@ -75,9 +75,27 @@ char *curl_easy_escape(CURL *handle, const char *string, int inlength)
+   length = alloc-1;
+   while(length--) {
+     in = *string;
+-    if(!(in >= 'a' && in <= 'z') &&
+-       !(in >= 'A' && in <= 'Z') &&
+-       !(in >= '0' && in <= '9')) {
++
++    /* Portable character check (remember EBCDIC). Do not use isalnum() because
++       its behavior is altered by the current locale. */
++
++    switch (in) {
++    case '0': case '1': case '2': case '3': case '4':
++    case '5': case '6': case '7': case '8': case '9':
++    case 'a': case 'b': case 'c': case 'd': case 'e':
++    case 'f': case 'g': case 'h': case 'i': case 'j':
++    case 'k': case 'l': case 'm': case 'n': case 'o':
++    case 'p': case 'q': case 'r': case 's': case 't':
++    case 'u': case 'v': case 'w': case 'x': case 'y': case 'z':
++    case 'A': case 'B': case 'C': case 'D': case 'E':
++    case 'F': case 'G': case 'H': case 'I': case 'J':
++    case 'K': case 'L': case 'M': case 'N': case 'O':
++    case 'P': case 'Q': case 'R': case 'S': case 'T':
++    case 'U': case 'V': case 'W': case 'X': case 'Y': case 'Z':
++      /* just copy this */
++      ns[strindex++]=in;
++      break;
++    default:
+       /* encode it */
+       newlen += 2; /* the size grows with two, since this'll become a %XX */
+       if(newlen > alloc) {
+@@ -105,10 +123,7 @@ char *curl_easy_escape(CURL *handle, const char *string, int inlength)
+       snprintf(&ns[strindex], 4, "%%%02X", in);
+ 
+       strindex+=3;
+-    }
+-    else {
+-      /* just copy this */
+-      ns[strindex++]=in;
++      break;
+     }
+     string++;
+   }
+-- 
+1.7.1
+
+
+From e2a98feff68c5ccc7c5de901f460860fc1b7ca95 Mon Sep 17 00:00:00 2001
+From: Dan Fandrich <dan@coneharvesters.com>
+Date: Tue, 9 Sep 2008 21:15:50 +0000
+Subject: [PATCH 2/4] Factored out Curl_isalnum
+
+[upstream commit c98ab69cc7aae688db604bbaad5bcc8d3fe25cba]
+
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/escape.c |   47 +++++++++++++++++++++++++++--------------------
+ 1 files changed, 27 insertions(+), 20 deletions(-)
+
+diff --git a/lib/escape.c b/lib/escape.c
+index e0e696a..868d56a 100644
+--- a/lib/escape.c
++++ b/lib/escape.c
+@@ -42,6 +42,30 @@
+ /* The last #include file should be: */
+ #include "memdebug.h"
+ 
++/* Portable character check (remember EBCDIC). Do not use isalnum() because
++its behavior is altered by the current locale. */
++static bool Curl_isalnum(unsigned char in)
++{
++  switch (in) {
++    case '0': case '1': case '2': case '3': case '4':
++    case '5': case '6': case '7': case '8': case '9':
++    case 'a': case 'b': case 'c': case 'd': case 'e':
++    case 'f': case 'g': case 'h': case 'i': case 'j':
++    case 'k': case 'l': case 'm': case 'n': case 'o':
++    case 'p': case 'q': case 'r': case 's': case 't':
++    case 'u': case 'v': case 'w': case 'x': case 'y': case 'z':
++    case 'A': case 'B': case 'C': case 'D': case 'E':
++    case 'F': case 'G': case 'H': case 'I': case 'J':
++    case 'K': case 'L': case 'M': case 'N': case 'O':
++    case 'P': case 'Q': case 'R': case 'S': case 'T':
++    case 'U': case 'V': case 'W': case 'X': case 'Y': case 'Z':
++      return TRUE;
++    default:
++      break;
++  }
++  return FALSE;
++}
++
+ /* for ABI-compatibility with previous versions */
+ char *curl_escape(const char *string, int inlength)
+ {
+@@ -76,26 +100,10 @@ char *curl_easy_escape(CURL *handle, const char *string, int inlength)
+   while(length--) {
+     in = *string;
+ 
+-    /* Portable character check (remember EBCDIC). Do not use isalnum() because
+-       its behavior is altered by the current locale. */
+-
+-    switch (in) {
+-    case '0': case '1': case '2': case '3': case '4':
+-    case '5': case '6': case '7': case '8': case '9':
+-    case 'a': case 'b': case 'c': case 'd': case 'e':
+-    case 'f': case 'g': case 'h': case 'i': case 'j':
+-    case 'k': case 'l': case 'm': case 'n': case 'o':
+-    case 'p': case 'q': case 'r': case 's': case 't':
+-    case 'u': case 'v': case 'w': case 'x': case 'y': case 'z':
+-    case 'A': case 'B': case 'C': case 'D': case 'E':
+-    case 'F': case 'G': case 'H': case 'I': case 'J':
+-    case 'K': case 'L': case 'M': case 'N': case 'O':
+-    case 'P': case 'Q': case 'R': case 'S': case 'T':
+-    case 'U': case 'V': case 'W': case 'X': case 'Y': case 'Z':
++    if (Curl_isalnum(in)) {
+       /* just copy this */
+       ns[strindex++]=in;
+-      break;
+-    default:
++    } else {
+       /* encode it */
+       newlen += 2; /* the size grows with two, since this'll become a %XX */
+       if(newlen > alloc) {
+@@ -123,7 +131,6 @@ char *curl_easy_escape(CURL *handle, const char *string, int inlength)
+       snprintf(&ns[strindex], 4, "%%%02X", in);
+ 
+       strindex+=3;
+-      break;
+     }
+     string++;
+   }
+@@ -191,7 +198,7 @@ char *curl_easy_unescape(CURL *handle, const char *string, int length,
+ }
+ 
+ /* For operating systems/environments that use different malloc/free
+-   ssystems for the app and for this library, we provide a free that uses
++   systems for the app and for this library, we provide a free that uses
+    the library's memory system */
+ void curl_free(void *p)
+ {
+-- 
+1.7.1
+
+
+From 97aff30c56bde0d8a07ed3eadad5fa6b6bfd07eb Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 28 Sep 2010 23:46:14 +0200
+Subject: [PATCH 3/4] curl_easy_escape: don't escape "unreserved" characters
+
+According to RFC3986 section 2.3 the letters -, ., _ and ~ should not be
+percent-encoded.
+
+Reported by: Miguel Diaz
+Bug: http://curl.haxx.se/mail/lib-2010-09/0227.html
+
+[upstream commit 5df13c31735fa089d5344fde13b66ace1ea473d1]
+
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/escape.c      |    9 ++++++---
+ tests/data/test58 |    2 +-
+ 2 files changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/lib/escape.c b/lib/escape.c
+index 868d56a..e759607 100644
+--- a/lib/escape.c
++++ b/lib/escape.c
+@@ -43,8 +43,10 @@
+ #include "memdebug.h"
+ 
+ /* Portable character check (remember EBCDIC). Do not use isalnum() because
+-its behavior is altered by the current locale. */
+-static bool Curl_isalnum(unsigned char in)
++   its behavior is altered by the current locale.
++   See http://tools.ietf.org/html/rfc3986#section-2.3
++*/
++static bool Curl_isunreserved(unsigned char in)
+ {
+   switch (in) {
+     case '0': case '1': case '2': case '3': case '4':
+@@ -59,6 +61,7 @@ static bool Curl_isalnum(unsigned char in)
+     case 'K': case 'L': case 'M': case 'N': case 'O':
+     case 'P': case 'Q': case 'R': case 'S': case 'T':
+     case 'U': case 'V': case 'W': case 'X': case 'Y': case 'Z':
++    case '-': case '.': case '_': case '~':
+       return TRUE;
+     default:
+       break;
+@@ -100,7 +103,7 @@ char *curl_easy_escape(CURL *handle, const char *string, int inlength)
+   while(length--) {
+     in = *string;
+ 
+-    if (Curl_isalnum(in)) {
++    if (Curl_isunreserved(in)) {
+       /* just copy this */
+       ns[strindex++]=in;
+     } else {
+diff --git a/tests/data/test58 b/tests/data/test58
+index 32d7731..7b85b0b 100644
+--- a/tests/data/test58
++++ b/tests/data/test58
+@@ -38,7 +38,7 @@ a few bytes
+ ^User-Agent:.*
+ </strip>
+ <protocol>
+-PUT /we/want/58te%5B%5Dst%2Etxt HTTP/1.1

++PUT /we/want/58te%5B%5Dst.txt HTTP/1.1

+ Host: 127.0.0.1:%HTTPPORT

+ Accept: */*

+ Content-Length: 12

+-- 
+1.7.1
+
+
+From a2ea27383a6028604540ce6f2e2f6bbc34bd7d5e Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sun, 19 May 2013 23:24:29 +0200
+Subject: [PATCH 4/4] Curl_urldecode: no peaking beyond end of input buffer
+
+Security problem: CVE-2013-2174
+
+If a program would give a string like "%" to curl_easy_unescape(), it
+would still consider the % as start of an encoded character. The
+function then not only read beyond the buffer but it would also deduct
+the *unsigned* counter variable for how many more bytes there's left to
+read in the buffer by two, making the counter wrap. Continuing this, the
+function would go on reading beyond the buffer and soon writing beyond
+the allocated target buffer...
+
+Reported-by: Timo Sirainen
+
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/escape.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/lib/escape.c b/lib/escape.c
+index e759607..c891a22 100644
+--- a/lib/escape.c
++++ b/lib/escape.c
+@@ -163,7 +163,7 @@ char *curl_easy_unescape(CURL *handle, const char *string, int length,
+ 
+   while(--alloc > 0) {
+     in = *string;
+-    if(('%' == in) && ishex(string[1]) && ishex(string[2])) {
++    if(('%' == in) && (alloc > 2) && ishex(string[1]) && ishex(string[2])) {
+       /* this is two hexadecimal digits following a '%' */
+       char hexstr[3];
+       char *ptr;
+-- 
+1.7.1
+