From fd2bb2f751c13b3c0c002b8e012810902b9da364 Mon Sep 17 00:00:00 2001
From: "A. Wilcox"
Date: Fri, 8 Jun 2018 02:02:24 -0500
Subject: harmony -> system
---
system/curl/APKBUILD | 93 ++++++++++++++++++++++
...do-bounds-check-using-a-double-comparison.patch | 32 ++++++++
2 files changed, 125 insertions(+)
create mode 100644 system/curl/APKBUILD
create mode 100644 system/curl/curl-do-bounds-check-using-a-double-comparison.patch
(limited to 'system/curl')
diff --git a/system/curl/APKBUILD b/system/curl/APKBUILD
new file mode 100644
index 000000000..fd20e55dd
--- /dev/null
+++ b/system/curl/APKBUILD
@@ -0,0 +1,93 @@
+# Contributor: Sergei Lukin
+# Contributor: Valery Kartel
+# Contributor: Ɓukasz Jendrysik
+# Maintainer: Natanael Copa
+pkgname=curl
+pkgver=7.56.1
+pkgrel=0
+pkgdesc="An URL retrival utility and library"
+url="http://curl.haxx.se"
+arch="all"
+license="MIT"
+depends="ca-certificates"
+makedepends_build="groff perl"
+makedepends_host="zlib-dev openssl-dev libssh2-dev"
+makedepends="$makedepends_build $makedepends_host"
+source="http://curl.haxx.se/download/$pkgname-$pkgver.tar.bz2
+ "
+subpackages="$pkgname-dbg $pkgname-doc $pkgname-dev libcurl"
+
+# secfixes:
+# 7.56.1-r0:
+# - CVE-2017-1000257
+# 7.55.0-r0:
+# - CVE-2017-1000099
+# - CVE-2017-1000100
+# - CVE-2017-1000101
+# 7.54.0-r0:
+# - CVE-2017-7468
+# 7.53.1-r2:
+# - CVE-2017-7407
+# 7.53.0:
+# - CVE-2017-2629
+# 7.52.1:
+# - CVE-2016-9594
+# 7.51.0:
+# - CVE-2016-8615
+# - CVE-2016-8616
+# - CVE-2016-8617
+# - CVE-2016-8618
+# - CVE-2016-8619
+# - CVE-2016-8620
+# - CVE-2016-8621
+# - CVE-2016-8622
+# - CVE-2016-8623
+# - CVE-2016-8624
+# - CVE-2016-8625
+# 7.50.3:
+# - CVE-2016-7167
+# 7.50.2:
+# - CVE-2016-7141
+# 7.50.1:
+# - CVE-2016-5419
+# - CVE-2016-5420
+# - CVE-2016-5421
+# 7.36.0:
+# - CVE-2014-0138
+# - CVE-2014-0139
+
+builddir="$srcdir/$pkgname-$pkgver"
+
+build() {
+ cd "$builddir"
+ ./configure \
+ --build=$CBUILD \
+ --host=$CHOST \
+ --prefix=/usr \
+ --enable-ipv6 \
+ --enable-unix-sockets \
+ --without-libidn \
+ --without-libidn2 \
+ --disable-ldap \
+ --with-pic \
+ || return 1
+ make || return 1
+}
+
+check() {
+ cd "$builddir"
+ make check
+}
+
+package() {
+ make DESTDIR="$pkgdir" \
+ -C "$builddir" install || return 1
+}
+
+libcurl() {
+ pkgdesc="The multiprotocol file transfer library"
+ mkdir -p "$subpkgdir"/usr
+ mv "$pkgdir"/usr/lib "$subpkgdir"/usr
+}
+
+sha512sums="f8a602e6890b2791ea9199c80801ffd027980de3733d4ab001ee80b5167f840cc821c6fe7852087c88a471edc9d3f328cf660af3e2c6f7139d6c8de62b0ade68 curl-7.56.1.tar.bz2"
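Review bot: The patch file added in this same commit, curl-do-bounds-check-using-a-double-comparison.patch, is never applied by this APKBUILD: `source=` lists only the tarball, there is no `prepare()`, and `sha512sums` carries a single entry, so the build is silently unaffected by it. If the fix is wanted, list the patch in `source=` and add its checksum to `sha512sums` (abuild's default prepare step applies the `*.patch` files named in `source`, as far as I recall); if it is already in 7.56.1 — its Aug 2017 date predates this release, so that seems likely — drop the file rather than carry dead content. The tarball is fetched over plain `http://`; the sha512 pin catches tampering, but `source="https://curl.haxx.se/download/$pkgname-$pkgver.tar.bz2"` (and the same for `url=`) removes the plaintext fetch, and `pkgdesc` has a typo (`retrival`). Finally, pkgver 7.56.1 is from Oct 2017 while the commit is dated June 2018 and the secfixes block stops at CVE-2017-1000257, so it is worth checking upstream's advisory list for anything published in between before this lands under `system/`.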
diff --git a/system/curl/curl-do-bounds-check-using-a-double-comparison.patch b/system/curl/curl-do-bounds-check-using-a-double-comparison.patch
new file mode 100644
index 000000000..34e2b6c71
--- /dev/null
+++ b/system/curl/curl-do-bounds-check-using-a-double-comparison.patch
@@ -0,0 +1,32 @@
+From 45a560390c4356bcb81d933bbbb229c8ea2acb63 Mon Sep 17 00:00:00 2001
+From: Adam Sampson
+Date: Wed, 9 Aug 2017 14:11:17 +0100
+Subject: [PATCH] curl: do bounds check using a double comparison
+
+The fix for this in 8661a0aacc01492e0436275ff36a21734f2541bb wasn't
+complete: if the parsed number in num is larger than will fit in a long,
+the conversion is undefined behaviour (causing test1427 to fail for me
+on IA32 with GCC 7.1, although it passes on AMD64 and ARMv7). Getting
+rid of the cast means the comparison will be done using doubles.
+
+It might make more sense for the max argument to also be a double...
+
+Fixes #1750
+Closes #1749
+---
+ src/tool_paramhlp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tool_paramhlp.c b/src/tool_paramhlp.c
+index b9dedc989e..85c5e79a7e 100644
+--- a/src/tool_paramhlp.c
++++ b/src/tool_paramhlp.c
+@@ -218,7 +218,7 @@ static ParameterError str2double(double *val, const char *str, long max)
+ num = strtod(str, &endptr);
+ if(errno == ERANGE)
+ return PARAM_NUMBER_TOO_LARGE;
+- if((long)num > max) {
++ if(num > max) {
+ /* too large */
+ return PARAM_NUMBER_TOO_LARGE;
+ }
-- cgit v1.2.3-60-g2f50
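Review bot: The new comparison `if(num > max)` still lets a NaN through, because every comparison with NaN is false and strtod() accepts "nan" (and "-inf", which is also below any max) as input; the old `(long)num` cast was undefined for those too, so this is not a regression, but a caller relying on this check to bound the value should know it. A one-line guard such as `if(num > max || num != num) {` (or `isnan(num)` from <math.h>) would close the NaN case. Note also that `max` is a long promoted to double here, so for a `max` beyond 2^53 the bound is rounded — harmless for the small limits this helper presumably sees, and the reason the upstream message suggests making `max` a double. The remainder of str2double, including how negative values and trailing characters after the number are handled, lies outside this hunk.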