authorMax Rees <maxcrees@me.com>2019-09-12 02:15:41 -0500
committerMax Rees <maxcrees@me.com>2019-09-17 14:34:12 -0500
commitf446d9b9ff1db370d47e068d2a074f2b0830f02d (patch)
tree950776a9cc02452a8f371dd79d6b15f9e3c7e234
parentc1f0e5323ce8e2c68c22e2370311d6043861c4af (diff)
system/curl: [CVE] bump to 7.66.0, fix network access violation
-rw-r--r--system/curl/APKBUILD11
-rw-r--r--system/curl/curl-do-bounds-check-using-a-double-comparison.patch32
2 files changed, 8 insertions, 35 deletions
diff --git a/system/curl/APKBUILD b/system/curl/APKBUILD
index aa6e4c9e7..2cba28dfc 100644
--- a/system/curl/APKBUILD
+++ b/system/curl/APKBUILD
@@ -3,7 +3,7 @@
# Contributor: Łukasz Jendrysik <scadu@yandex.com>
# Maintainer:
pkgname=curl
-pkgver=7.65.3
+pkgver=7.66.0
pkgrel=0
pkgdesc="An URL retrival utility and library"
url="https://curl.haxx.se"
@@ -17,6 +17,9 @@ source="https://curl.haxx.se/download/$pkgname-$pkgver.tar.xz"
subpackages="$pkgname-dbg $pkgname-doc $pkgname-dev libcurl"
# secfixes:
+# 7.66.0-r0:
+# - CVE-2019-5481
+# - CVE-2019-5482
# 7.65.1-r0:
# - CVE-2019-5435
# - CVE-2019-5436
@@ -91,7 +94,9 @@ build() {
}
check() {
- make check
+ # -p: print log contents on test failure
+ # !1592: requires DNS access
+ make check TFLAGS='-p !1592'
}
package() {
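Review bot: The `!1592` exclusion in `check()` is unconditional, and its comment says only "requires DNS access", so a later maintainer cannot tell where the restriction comes from or when the test can be re-enabled. Judging by the commit title, the cause is presumably a build environment that denies network access rather than a defect in the test itself; the comment should say so. Because this bump carries security fixes, any permanently skipped test is worth making easy to revisit, for example `# !1592: needs DNS resolution, denied by the network-isolated build; re-check on each version bump`. The `-p` comment is fine as written.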
@@ -104,4 +109,4 @@ libcurl() {
mv "$pkgdir"/usr/lib "$subpkgdir"/usr
}
-sha512sums="fc4f041d3d6682378ce9eef2c6081e6ad83bb2502ea4c992c760266584c09e9ebca7c6d35958bd32a888702d9308cbce7aef69c431f97994107d7ff6b953941b curl-7.65.3.tar.xz"
+sha512sums="81170e7e4fa9d99ee2038d96d7f2ab10dcf52435331c818c7565c1a733891720f845a08029915e52ba532c6a344c346e1678474624aac1cc333aea6d1eacde35 curl-7.66.0.tar.xz"
diff --git a/system/curl/curl-do-bounds-check-using-a-double-comparison.patch b/system/curl/curl-do-bounds-check-using-a-double-comparison.patch
deleted file mode 100644
index 34e2b6c71..000000000
--- a/system/curl/curl-do-bounds-check-using-a-double-comparison.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 45a560390c4356bcb81d933bbbb229c8ea2acb63 Mon Sep 17 00:00:00 2001
-From: Adam Sampson <ats@offog.org>
-Date: Wed, 9 Aug 2017 14:11:17 +0100
-Subject: [PATCH] curl: do bounds check using a double comparison
-
-The fix for this in 8661a0aacc01492e0436275ff36a21734f2541bb wasn't
-complete: if the parsed number in num is larger than will fit in a long,
-the conversion is undefined behaviour (causing test1427 to fail for me
-on IA32 with GCC 7.1, although it passes on AMD64 and ARMv7). Getting
-rid of the cast means the comparison will be done using doubles.
-
-It might make more sense for the max argument to also be a double...
-
-Fixes #1750
-Closes #1749
----
- src/tool_paramhlp.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/tool_paramhlp.c b/src/tool_paramhlp.c
-index b9dedc989e..85c5e79a7e 100644
---- a/src/tool_paramhlp.c
-+++ b/src/tool_paramhlp.c
-@@ -218,7 +218,7 @@ static ParameterError str2double(double *val, const char *str, long max)
- num = strtod(str, &endptr);
- if(errno == ERANGE)
- return PARAM_NUMBER_TOO_LARGE;
-- if((long)num > max) {
-+ if(num > max) {
- /* too large */
- return PARAM_NUMBER_TOO_LARGE;
- }