diff options
author | Max Rees <maxcrees@me.com> | 2019-09-12 02:15:41 -0500 |
---|---|---|
committer | Max Rees <maxcrees@me.com> | 2019-09-17 14:34:12 -0500 |
commit | f446d9b9ff1db370d47e068d2a074f2b0830f02d (patch) | |
tree | 950776a9cc02452a8f371dd79d6b15f9e3c7e234 | |
parent | c1f0e5323ce8e2c68c22e2370311d6043861c4af (diff) | |
download | packages-f446d9b9ff1db370d47e068d2a074f2b0830f02d.tar.gz packages-f446d9b9ff1db370d47e068d2a074f2b0830f02d.tar.bz2 packages-f446d9b9ff1db370d47e068d2a074f2b0830f02d.tar.xz packages-f446d9b9ff1db370d47e068d2a074f2b0830f02d.zip |
system/curl: [CVE] bump to 7.66.0, fix network access violation
-rw-r--r-- | system/curl/APKBUILD | 11 | ||||
-rw-r--r-- | system/curl/curl-do-bounds-check-using-a-double-comparison.patch | 32 |
2 files changed, 8 insertions, 35 deletions
diff --git a/system/curl/APKBUILD b/system/curl/APKBUILD index aa6e4c9e7..2cba28dfc 100644 --- a/system/curl/APKBUILD +++ b/system/curl/APKBUILD @@ -3,7 +3,7 @@ # Contributor: Łukasz Jendrysik <scadu@yandex.com> # Maintainer: pkgname=curl -pkgver=7.65.3 +pkgver=7.66.0 pkgrel=0 pkgdesc="An URL retrival utility and library" url="https://curl.haxx.se" @@ -17,6 +17,9 @@ source="https://curl.haxx.se/download/$pkgname-$pkgver.tar.xz" subpackages="$pkgname-dbg $pkgname-doc $pkgname-dev libcurl" # secfixes: +# 7.66.0-r0: +# - CVE-2019-5481 +# - CVE-2019-5482 # 7.65.1-r0: # - CVE-2019-5435 # - CVE-2019-5436 @@ -91,7 +94,9 @@ build() { } check() { - make check + # -p: print log contents on test failure + # !1592: requires DNS access + make check TFLAGS='-p !1592' } package() { @@ -104,4 +109,4 @@ libcurl() { mv "$pkgdir"/usr/lib "$subpkgdir"/usr } -sha512sums="fc4f041d3d6682378ce9eef2c6081e6ad83bb2502ea4c992c760266584c09e9ebca7c6d35958bd32a888702d9308cbce7aef69c431f97994107d7ff6b953941b curl-7.65.3.tar.xz" +sha512sums="81170e7e4fa9d99ee2038d96d7f2ab10dcf52435331c818c7565c1a733891720f845a08029915e52ba532c6a344c346e1678474624aac1cc333aea6d1eacde35 curl-7.66.0.tar.xz" diff --git a/system/curl/curl-do-bounds-check-using-a-double-comparison.patch b/system/curl/curl-do-bounds-check-using-a-double-comparison.patch deleted file mode 100644 index 34e2b6c71..000000000 --- a/system/curl/curl-do-bounds-check-using-a-double-comparison.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 45a560390c4356bcb81d933bbbb229c8ea2acb63 Mon Sep 17 00:00:00 2001 -From: Adam Sampson <ats@offog.org> -Date: Wed, 9 Aug 2017 14:11:17 +0100 -Subject: [PATCH] curl: do bounds check using a double comparison - -The fix for this in 8661a0aacc01492e0436275ff36a21734f2541bb wasn't -complete: if the parsed number in num is larger than will fit in a long, -the conversion is undefined behaviour (causing test1427 to fail for me -on IA32 with GCC 7.1, although it passes on AMD64 and ARMv7). Getting -rid of the cast means the comparison will be done using doubles. - -It might make more sense for the max argument to also be a double... - -Fixes #1750 -Closes #1749 ---- - src/tool_paramhlp.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/tool_paramhlp.c b/src/tool_paramhlp.c -index b9dedc989e..85c5e79a7e 100644 ---- a/src/tool_paramhlp.c -+++ b/src/tool_paramhlp.c -@@ -218,7 +218,7 @@ static ParameterError str2double(double *val, const char *str, long max) - num = strtod(str, &endptr); - if(errno == ERANGE) - return PARAM_NUMBER_TOO_LARGE; -- if((long)num > max) { -+ if(num > max) { - /* too large */ - return PARAM_NUMBER_TOO_LARGE; - } |