diff options
Diffstat (limited to 'harmony/curl')
-rw-r--r-- | harmony/curl/APKBUILD | 93 | ||||
-rw-r--r-- | harmony/curl/curl-do-bounds-check-using-a-double-comparison.patch | 32 |
2 files changed, 125 insertions, 0 deletions
diff --git a/harmony/curl/APKBUILD b/harmony/curl/APKBUILD new file mode 100644 index 000000000..fd20e55dd --- /dev/null +++ b/harmony/curl/APKBUILD @@ -0,0 +1,93 @@ +# Contributor: Sergei Lukin <sergej.lukin@gmail.com> +# Contributor: Valery Kartel <valery.kartel@gmail.com> +# Contributor: Łukasz Jendrysik <scadu@yandex.com> +# Maintainer: Natanael Copa <ncopa@alpinelinux.org> +pkgname=curl +pkgver=7.56.1 +pkgrel=0 +pkgdesc="An URL retrival utility and library" +url="http://curl.haxx.se" +arch="all" +license="MIT" +depends="ca-certificates" +makedepends_build="groff perl" +makedepends_host="zlib-dev openssl-dev libssh2-dev" +makedepends="$makedepends_build $makedepends_host" +source="http://curl.haxx.se/download/$pkgname-$pkgver.tar.bz2 + " +subpackages="$pkgname-dbg $pkgname-doc $pkgname-dev libcurl" + +# secfixes: +# 7.56.1-r0: +# - CVE-2017-1000257 +# 7.55.0-r0: +# - CVE-2017-1000099 +# - CVE-2017-1000100 +# - CVE-2017-1000101 +# 7.54.0-r0: +# - CVE-2017-7468 +# 7.53.1-r2: +# - CVE-2017-7407 +# 7.53.0: +# - CVE-2017-2629 +# 7.52.1: +# - CVE-2016-9594 +# 7.51.0: +# - CVE-2016-8615 +# - CVE-2016-8616 +# - CVE-2016-8617 +# - CVE-2016-8618 +# - CVE-2016-8619 +# - CVE-2016-8620 +# - CVE-2016-8621 +# - CVE-2016-8622 +# - CVE-2016-8623 +# - CVE-2016-8624 +# - CVE-2016-8625 +# 7.50.3: +# - CVE-2016-7167 +# 7.50.2: +# - CVE-2016-7141 +# 7.50.1: +# - CVE-2016-5419 +# - CVE-2016-5420 +# - CVE-2016-5421 +# 7.36.0: +# - CVE-2014-0138 +# - CVE-2014-0139 + +builddir="$srcdir/$pkgname-$pkgver" + +build() { + cd "$builddir" + ./configure \ + --build=$CBUILD \ + --host=$CHOST \ + --prefix=/usr \ + --enable-ipv6 \ + --enable-unix-sockets \ + --without-libidn \ + --without-libidn2 \ + --disable-ldap \ + --with-pic \ + || return 1 + make || return 1 +} + +check() { + cd "$builddir" + make check +} + +package() { + make DESTDIR="$pkgdir" \ + -C "$builddir" install || return 1 +} + +libcurl() { + pkgdesc="The multiprotocol file transfer library" + mkdir -p "$subpkgdir"/usr + mv "$pkgdir"/usr/lib "$subpkgdir"/usr +} + +sha512sums="f8a602e6890b2791ea9199c80801ffd027980de3733d4ab001ee80b5167f840cc821c6fe7852087c88a471edc9d3f328cf660af3e2c6f7139d6c8de62b0ade68 curl-7.56.1.tar.bz2" diff --git a/harmony/curl/curl-do-bounds-check-using-a-double-comparison.patch b/harmony/curl/curl-do-bounds-check-using-a-double-comparison.patch new file mode 100644 index 000000000..34e2b6c71 --- /dev/null +++ b/harmony/curl/curl-do-bounds-check-using-a-double-comparison.patch @@ -0,0 +1,32 @@ +From 45a560390c4356bcb81d933bbbb229c8ea2acb63 Mon Sep 17 00:00:00 2001 +From: Adam Sampson <ats@offog.org> +Date: Wed, 9 Aug 2017 14:11:17 +0100 +Subject: [PATCH] curl: do bounds check using a double comparison + +The fix for this in 8661a0aacc01492e0436275ff36a21734f2541bb wasn't +complete: if the parsed number in num is larger than will fit in a long, +the conversion is undefined behaviour (causing test1427 to fail for me +on IA32 with GCC 7.1, although it passes on AMD64 and ARMv7). Getting +rid of the cast means the comparison will be done using doubles. + +It might make more sense for the max argument to also be a double... + +Fixes #1750 +Closes #1749 +--- + src/tool_paramhlp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/tool_paramhlp.c b/src/tool_paramhlp.c +index b9dedc989e..85c5e79a7e 100644 +--- a/src/tool_paramhlp.c ++++ b/src/tool_paramhlp.c +@@ -218,7 +218,7 @@ static ParameterError str2double(double *val, const char *str, long max) + num = strtod(str, &endptr); + if(errno == ERANGE) + return PARAM_NUMBER_TOO_LARGE; +- if((long)num > max) { ++ if(num > max) { + /* too large */ + return PARAM_NUMBER_TOO_LARGE; + } |