summaryrefslogtreecommitdiff
path: root/system/curl
diff options
context:
space:
mode:
Diffstat (limited to 'system/curl')
-rw-r--r--system/curl/APKBUILD93
-rw-r--r--system/curl/curl-do-bounds-check-using-a-double-comparison.patch32
2 files changed, 125 insertions, 0 deletions
diff --git a/system/curl/APKBUILD b/system/curl/APKBUILD
new file mode 100644
index 000000000..fd20e55dd
--- /dev/null
+++ b/system/curl/APKBUILD
@@ -0,0 +1,93 @@
+# Contributor: Sergei Lukin <sergej.lukin@gmail.com>
+# Contributor: Valery Kartel <valery.kartel@gmail.com>
+# Contributor: Łukasz Jendrysik <scadu@yandex.com>
+# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
+pkgname=curl
+pkgver=7.56.1
+pkgrel=0
+pkgdesc="An URL retrival utility and library"
+url="http://curl.haxx.se"
+arch="all"
+license="MIT"
+depends="ca-certificates"
+makedepends_build="groff perl"
+makedepends_host="zlib-dev openssl-dev libssh2-dev"
+makedepends="$makedepends_build $makedepends_host"
+source="http://curl.haxx.se/download/$pkgname-$pkgver.tar.bz2
+ "
+subpackages="$pkgname-dbg $pkgname-doc $pkgname-dev libcurl"
+
+# secfixes:
+# 7.56.1-r0:
+# - CVE-2017-1000257
+# 7.55.0-r0:
+# - CVE-2017-1000099
+# - CVE-2017-1000100
+# - CVE-2017-1000101
+# 7.54.0-r0:
+# - CVE-2017-7468
+# 7.53.1-r2:
+# - CVE-2017-7407
+# 7.53.0:
+# - CVE-2017-2629
+# 7.52.1:
+# - CVE-2016-9594
+# 7.51.0:
+# - CVE-2016-8615
+# - CVE-2016-8616
+# - CVE-2016-8617
+# - CVE-2016-8618
+# - CVE-2016-8619
+# - CVE-2016-8620
+# - CVE-2016-8621
+# - CVE-2016-8622
+# - CVE-2016-8623
+# - CVE-2016-8624
+# - CVE-2016-8625
+# 7.50.3:
+# - CVE-2016-7167
+# 7.50.2:
+# - CVE-2016-7141
+# 7.50.1:
+# - CVE-2016-5419
+# - CVE-2016-5420
+# - CVE-2016-5421
+# 7.36.0:
+# - CVE-2014-0138
+# - CVE-2014-0139
+
+builddir="$srcdir/$pkgname-$pkgver"
+
+build() {
+ cd "$builddir"
+ ./configure \
+ --build=$CBUILD \
+ --host=$CHOST \
+ --prefix=/usr \
+ --enable-ipv6 \
+ --enable-unix-sockets \
+ --without-libidn \
+ --without-libidn2 \
+ --disable-ldap \
+ --with-pic \
+ || return 1
+ make || return 1
+}
+
+check() {
+ cd "$builddir"
+ make check
+}
+
+package() {
+ make DESTDIR="$pkgdir" \
+ -C "$builddir" install || return 1
+}
+
+libcurl() {
+ pkgdesc="The multiprotocol file transfer library"
+ mkdir -p "$subpkgdir"/usr
+ mv "$pkgdir"/usr/lib "$subpkgdir"/usr
+}
+
+sha512sums="f8a602e6890b2791ea9199c80801ffd027980de3733d4ab001ee80b5167f840cc821c6fe7852087c88a471edc9d3f328cf660af3e2c6f7139d6c8de62b0ade68 curl-7.56.1.tar.bz2"
diff --git a/system/curl/curl-do-bounds-check-using-a-double-comparison.patch b/system/curl/curl-do-bounds-check-using-a-double-comparison.patch
new file mode 100644
index 000000000..34e2b6c71
--- /dev/null
+++ b/system/curl/curl-do-bounds-check-using-a-double-comparison.patch
@@ -0,0 +1,32 @@
+From 45a560390c4356bcb81d933bbbb229c8ea2acb63 Mon Sep 17 00:00:00 2001
+From: Adam Sampson <ats@offog.org>
+Date: Wed, 9 Aug 2017 14:11:17 +0100
+Subject: [PATCH] curl: do bounds check using a double comparison
+
+The fix for this in 8661a0aacc01492e0436275ff36a21734f2541bb wasn't
+complete: if the parsed number in num is larger than will fit in a long,
+the conversion is undefined behaviour (causing test1427 to fail for me
+on IA32 with GCC 7.1, although it passes on AMD64 and ARMv7). Getting
+rid of the cast means the comparison will be done using doubles.
+
+It might make more sense for the max argument to also be a double...
+
+Fixes #1750
+Closes #1749
+---
+ src/tool_paramhlp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tool_paramhlp.c b/src/tool_paramhlp.c
+index b9dedc989e..85c5e79a7e 100644
+--- a/src/tool_paramhlp.c
++++ b/src/tool_paramhlp.c
+@@ -218,7 +218,7 @@ static ParameterError str2double(double *val, const char *str, long max)
+ num = strtod(str, &endptr);
+ if(errno == ERANGE)
+ return PARAM_NUMBER_TOO_LARGE;
+- if((long)num > max) {
++ if(num > max) {
+ /* too large */
+ return PARAM_NUMBER_TOO_LARGE;
+ }