[oe-commits] [openembedded-core] 03/03: curl: security fix for CVE-2016-5421
git at git.openembedded.org
git at git.openembedded.org
Fri Sep 2 07:48:58 UTC 2016
rpurdie pushed a commit to branch jethro
in repository openembedded-core.
commit f6999fa952c7db980cfc97f6e5a971e4f34cc0a3
Author: Maxin B. John <maxin.john at intel.com>
AuthorDate: Mon Aug 22 11:39:33 2016 +0300
curl: security fix for CVE-2016-5421
Affected versions: libcurl 7.32.0 to and including 7.50.0
Signed-off-by: Maxin B. John <maxin.john at intel.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
---
meta/recipes-support/curl/curl/CVE-2016-5421.patch | 36 ++++++++++++++++++++++
meta/recipes-support/curl/curl_7.44.0.bb | 1 +
2 files changed, 37 insertions(+)
diff --git a/meta/recipes-support/curl/curl/CVE-2016-5421.patch b/meta/recipes-support/curl/curl/CVE-2016-5421.patch
new file mode 100644
index 0000000..862da75
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-5421.patch
@@ -0,0 +1,36 @@
+From 75dc096e01ef1e21b6c57690d99371dedb2c0b80 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel at haxx.se>
+Date: Sun, 31 Jul 2016 01:09:04 +0200
+Subject: [PATCH] curl_multi_cleanup: clear connection pointer for easy handles
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Bug: https://curl.haxx.se/docs/adv_20160803C.html
+Reported-by: Marcelo Echeverria and Fernando Muñoz
+
+Upstream-Status: Backport
+https://curl.haxx.se/CVE-2016-5421.patch
+
+CVE: CVE-2016-5421
+Signed-off-by: Maxin B. John <maxin.john at intel.com>
+---
+ lib/multi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/multi.c b/lib/multi.c
+index 9ee3523..8bb9366 100644
+--- a/lib/multi.c
++++ b/lib/multi.c
+@@ -2157,6 +2157,8 @@ static void close_all_connections(struct Curl_multi *multi)
+ conn->data = multi->closure_handle;
+
+ sigpipe_ignore(conn->data, &pipe_st);
++ conn->data->easy_conn = NULL; /* clear the easy handle's connection
++ pointer */
+ /* This will remove the connection from the cache */
+ (void)Curl_disconnect(conn, FALSE);
+ sigpipe_restore(&pipe_st);
+--
+2.4.0
+
diff --git a/meta/recipes-support/curl/curl_7.44.0.bb b/meta/recipes-support/curl/curl_7.44.0.bb
index 917bd27..dfb7142 100644
--- a/meta/recipes-support/curl/curl_7.44.0.bb
+++ b/meta/recipes-support/curl/curl_7.44.0.bb
@@ -13,6 +13,7 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
# from mucking around with debug options
#
SRC_URI += " file://configure_ac.patch \
+ file://CVE-2016-5421.patch \
file://CVE-2016-5420.patch \
file://CVE-2016-5419.patch \
file://CVE-2016-0754.patch \
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
More information about the Openembedded-commits
mailing list