CVE-2020-8177: curl overwrite local file with -J.
CVE-2020-8169: Partial password leak over DNS on HTTP redirect.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Package optional or choice config symbols are usually prefixed with the
package config symbol name. Rename BR2_PACKAGE_CURL to
BR2_PACKAGE_LIBCURL_CURL to conform.
Update references to the old name.
Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Notice that 7.68.0 includes a Windows-only security fix:
- CVE-2019-15601: SMB access smuggling via FILE URL on Windows
https://curl.haxx.se/docs/CVE-2019-15601.html
So not applicable to Buildroot.
Update the license hash for a copyright year update:
-Copyright (c) 1996 - 2019, Daniel Stenberg, <daniel@haxx.se>, and many
+Copyright (c) 1996 - 2020, Daniel Stenberg, <daniel@haxx.se>, and many
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Libcurl recipe allows selecting between various TLS backends. Users can
already select between several options but WolfSSL was missing. WolfSSL
is an efficient TLS library, it supports TLS 1.3 and is used in many
embedded systems.
Add WolfSSL to libcurl "SSL/TLS library to use" choice list when WolfSSL
package is enabled. When selected in the list, use libcurl
--with-wolfssl configure option. Explicitly set --without-wolfssl
when it is not selected.
Signed-off-by: Julien Grossholtz <julien.grossholtz@openest.io>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Libcurl is more than 250 KiB (libcurl) / 100 KiB (curl binary) in size.
About 50 KiB / 15 KiB of this can be saved by disabling features/protocols
that are not commonly needed:
- proxy support: 15 KiB
- cookies support: 10 KiB
- various less common protocols: 25 KiB (libcurl) + 15 KiB (curl binary)
Note that the exact amount of space saved depends on the architecture,
toolchain, and other factors.
Other packages that are selecting libcurl might require protocols from the
'extra' set. But, there is no clear way to find out which packages are in
this situation, in particular because issues may only be visible at runtime.
Note: remove the text 'enable' on the option for 'verbose strings' as that
is more common in Buildroot.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
[Peter: unconditionally remove the libcurl-option to generate C code]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When not using OpenSSL, the correct option to configure is --without-ssl
with two dashes.
Fixes: b8b78e7e6a ("libcurl: Allow selection of TLS package libcurl will use")
Signed-off-by: Trent Piepho <tpiepho@impinj.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
libcurl doesn't find any trust path for CA certs when it cross-compiles.
When using OpenSSL, it is explicitly configured to use the SSL cert
directory with OpenSSL style hash files in it. But with GnuTLS, it gets
nothing.
Rather than configure libcurl to use the OpenSSL directory or a bundle
file, configure it to use the GnuTLS default. This way the CA certs
path can be configured in one place (gnutls) and then libcurl and anyone
else who uses gnutls can default to that.
Also, when libcurl with gnutls is configured to use a directory, it ends
up loading each cert three times.
Signed-off-by: Trent Piepho <tpiepho@impinj.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Remove the --without-* options from the yes side of the TLS libraries
selection checks.
Since the --without-* option is now specified when the corresponding TLS
library is not being used, it's no longer necessary when enabling a TLS
library to explicity list all the other TLS libs that curl should not
use.
Signed-off-by: Trent Piepho <tpiepho@impinj.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Instead of defaulting to OpenSSL, allow selection of package to use
through a choice in libcurl's config. The default will be to select the
first enabled TLS provider in the same preference order as is used now,
i.e. no change from current behavior.
Some of the alternative libraries have advantages over OpenSSL in
certain areas.
For example, gnutls has vastly superior PKCS11 support. One can use
client TLS private keys by supplying a PKCS11 URI instead of a private
key file name. The TLS server cert trust store can be a PKCS11 URI,
e.g. configure libcurl with a ca-bundle of "pkcs11:model=p11-kit-trust".
Now server certs can be stored in a software and/or hardware HSM(s).
This doesn't work with OpenSSL.
However, some software only supports OpenSSL for TLS or other crypto
functions. So it might be necessary to enable OpenSSL for that reason.
Signed-off-by: Trent Piepho <tpiepho@impinj.com>
[Peter: add BR2_PACKAGE_LIBCURL_TLS_SUPPORT and use it to hide choice &
comment, explitly pass --without-foo if option is not enabled,
only do .pc fixup if BR2_PACKAGE_LIBCURL_OPENSSL is enabled]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The nghttp2 package has recently been added to buildroot. When
enabled, this adds support for HTTP2 to libcurl.
By default, libcurl configure script will enable HTTP2 if the library
is found using pkg-config. Adding this option makes the build
consistent.
Signed-off-by: Michaël Burtin <michael.burtin@netgem.com>
Signed-off-by: Anisse Astier <anisse.astier.ext@netgem.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes CVE-2018-0500: curl might overflow a heap based memory buffer when
sending data over SMTP and using a reduced read buffer.
Drop upstream patch.
Add reference to tarball signature key.
Drop CRYPTO_lock seed. Removed from configure script since 7.45.
Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The ssh2 pkg-config file could contain the following lines when build
with a static version of mbedtls:
Libs: -L${libdir} -lssh2 /xxx/libmbedcrypto.a
Libs.private: /xxx/libmbedcrypto.a
This static mbedtls library must be used to correctly detect ssh2
support and this library must be copied in libcurl.pc otherwise
compilation of any application (such as upmpdcli) with libcurl will fail
when trying to find mbedtls functions included in libssh2.
So, replace pkg-config --libs-only-l by pkg-config --libs.
Fixes:
- http://autobuild.buildroot.net/results/43e24b22a77f616d6198c10435dcc23cc3b9088a
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Drop upstream patch.
This release fixes the security issues listed below.
CVE-2018-1000300: curl might overflow a heap based memory buffer when
closing down an FTP connection with very long server command replies.
https://curl.haxx.se/docs/adv_2018-82c2.html
CVE-2018-1000301: curl can be tricked into reading data beyond the end
of a heap based buffer used to store downloaded content.
https://curl.haxx.se/docs/adv_2018-b138.html
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
CVE-2018-1000120: curl could be fooled into writing a zero byte out of
bounds when curl is told to work on an FTP URL with the setting to only
issue a single CWD command, if the directory part of the URL contains a
"%00" sequence.
https://curl.haxx.se/docs/adv_2018-9cd6.html
CVE-2018-1000121: curl might dereference a near-NULL address when
getting an LDAP URL.
https://curl.haxx.se/docs/adv_2018-97a2.html
CVE-2018-1000122: When asked to transfer an RTSP URL, curl could
calculate a wrong data length to copy from the read buffer.
https://curl.haxx.se/docs/adv_2018-b047.html
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2017-8816: NTLM buffer overflow via integer overflow
- CVE-2017-8817: FTP wildcard out of bounds read
- CVE-2017-8818: SSL out of buffer access
For more details, see the changelog:
https://curl.haxx.se/changes.html#7_57_0
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
glob: do not parse after a strtoul() overflow range (CVE-2017-1000101)
tftp: reject file name lengths that don't fit (CVE-2017-1000100)
file: output the correct buffer to the user (CVE-2017-1000099)
Switch to .tar.xz to save bandwidth.
Add reference to tarball signature.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Fixes CVE-2017-2629 - curl SSL_VERIFYSTATUS ignored
>From the advisory (http://www.openwall.com/lists/oss-security/2017/02/21/6):
Curl and libcurl support "OCSP stapling", also known as the TLS Certificate
Status Request extension (using the `CURLOPT_SSL_VERIFYSTATUS` option). When
telling curl to use this feature, it uses that TLS extension to ask for a
fresh proof of the server's certificate's validity. If the server doesn't
support the extension, or fails to provide said proof, curl is expected to
return an error.
Due to a coding mistake, the code that checks for a test success or failure,
ends up always thinking there's valid proof, even when there is none or if the
server doesn't support the TLS extension in question. Contrary to how it used
to function and contrary to how this feature is documented to work.
This could lead to users not detecting when a server's certificate goes
invalid or otherwise be mislead that the server is in a better shape than it
is in reality.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2016-9594 - Unitilized random
Libcurl's (new) internal function that returns a good 32bit random value was
implemented poorly and overwrote the pointer instead of writing the value
into the buffer the pointer pointed to.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
