libcurl doesn't find any trust path for CA certs when it cross-compiles.
When using OpenSSL, it is explicitly configured to use the SSL cert
directory with OpenSSL style hash files in it. But with GnuTLS, it gets
nothing.
Rather than configure libcurl to use the OpenSSL directory or a bundle
file, configure it to use the GnuTLS default. This way the CA certs
path can be configured in one place (gnutls) and then libcurl and anyone
else who uses gnutls can default to that.
Also, when libcurl with gnutls is configured to use a directory, it ends
up loading each cert three times.
Signed-off-by: Trent Piepho <tpiepho@impinj.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 43b4d3ae45)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2018-0500: curl might overflow a heap based memory buffer when
sending data over SMTP and using a reduced read buffer.
Drop upstream patch.
Add reference to tarball signature key.
Drop CRYPTO_lock seed. Removed from configure script since 7.45.
Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit bf79731153)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The ssh2 pkg-config file could contain the following lines when build
with a static version of mbedtls:
Libs: -L${libdir} -lssh2 /xxx/libmbedcrypto.a
Libs.private: /xxx/libmbedcrypto.a
This static mbedtls library must be used to correctly detect ssh2
support and this library must be copied in libcurl.pc otherwise
compilation of any application (such as upmpdcli) with libcurl will fail
when trying to find mbedtls functions included in libssh2.
So, replace pkg-config --libs-only-l by pkg-config --libs.
Fixes:
- http://autobuild.buildroot.net/results/43e24b22a77f616d6198c10435dcc23cc3b9088a
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 624603328a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2017-8816: NTLM buffer overflow via integer overflow
- CVE-2017-8817: FTP wildcard out of bounds read
- CVE-2017-8818: SSL out of buffer access
For more details, see the changelog:
https://curl.haxx.se/changes.html#7_57_0
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since the bump to 7.55.0, libcurl fails to build on a number of
uncommon architectures (ARC, OpenRISC, etc.). This is due to upstream
commit 73a2fcea0b4adea6ba342cd7ed1149782c214ae3 ("includes: remove
curl/curlbuild.h and curl/curlrules.h"), which makes libcurl rely on
more architecture-specific related defines in include/curl/system.h.
This commit therefore adds a patch that fixes the 32-bit vs. 64-bit
detection for all architecture, using gcc's __SIZEOF_LONG__
definition. It has been tested successfully with test-pkg on all 47
toolchain configurations.
Fixes:
http://autobuild.buildroot.net/results/bf26c08cf3267214278674472f931603f69951ae/
(and many similar issues)
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
glob: do not parse after a strtoul() overflow range (CVE-2017-1000101)
tftp: reject file name lengths that don't fit (CVE-2017-1000100)
file: output the correct buffer to the user (CVE-2017-1000099)
Switch to .tar.xz to save bandwidth.
Add reference to tarball signature.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
The check-package script when ran gives warnings on text wrapping
on all of these Config files. This patch cleans up all warnings
related to the text wrapping for the Config files starting with
lib in the package directory.
The appropriate indentation is: <tab><2 spaces><62 chars>
See http://nightly.buildroot.org/#writing-rules-config-in for more
information.
Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes CVE-2017-2629 - curl SSL_VERIFYSTATUS ignored
>From the advisory (http://www.openwall.com/lists/oss-security/2017/02/21/6):
Curl and libcurl support "OCSP stapling", also known as the TLS Certificate
Status Request extension (using the `CURLOPT_SSL_VERIFYSTATUS` option). When
telling curl to use this feature, it uses that TLS extension to ask for a
fresh proof of the server's certificate's validity. If the server doesn't
support the extension, or fails to provide said proof, curl is expected to
return an error.
Due to a coding mistake, the code that checks for a test success or failure,
ends up always thinking there's valid proof, even when there is none or if the
server doesn't support the TLS extension in question. Contrary to how it used
to function and contrary to how this feature is documented to work.
This could lead to users not detecting when a server's certificate goes
invalid or otherwise be mislead that the server is in a better shape than it
is in reality.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2016-9594 - Unitilized random
Libcurl's (new) internal function that returns a good 32bit random value was
implemented poorly and overwrote the pointer instead of writing the value
into the buffer the pointer pointed to.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
List of fixed CVEs:
CVE-2016-8615: cookie injection for other servers
CVE-2016-8616: case insensitive password comparison
CVE-2016-8617: OOB write via unchecked multiplication
CVE-2016-8618: double-free in curl_maprintf
CVE-2016-8619: double-free in krb5 code
CVE-2016-8620: glob parser write/read out of bounds
CVE-2016-8621: curl_getdate read out of bounds
CVE-2016-8622: URL unescape heap overflow via integer truncation
CVE-2016-8623: Use-after-free via shared cookies
CVE-2016-8624: invalid URL parsing with '#'
CVE-2016-8625: IDNA 2003 makes curl use wrong host
Full ChangeLog:
https://curl.haxx.se/changes.html#7_51_0
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Now that we've got an mbedtls package in the tree we can enable the
optional support for it in libcurl.
We also remove the comment about polarssl support needing version
1.3.x. Indeed, polarssl was renamed to mbedtls when bought by ARM,
which was circa the 1.3.x polarssl release. Due to this referring to
polarssl 1.3.x doesn't make a lot of sense, and we'll probably never
package polarssl 1.3.x in Buildroot now that mbedtls replaces it.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Tested-by: Luca Ceresoli <luca@lucaceresoli.net>
[Thomas: slightly improve commit log as suggested by Luca, using
explanations from Gustavo.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes
CVE-2016-0754: remote file name path traversal in curl tool for Windows
CVE-2016-0755: NTLM credentials not-checked for proxy connection re-use
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
To build libcurl, we need to override LD_LIBRARY and force it to a sane
value, otherwise libcurl is confused when target == host (see a51ce319,
libcurl: fix configure with openssl when target == host).
That is currently OK, since we always set LD_LIBRARY_PATH to a non-empty
value.
However, we're soon to stop setting it at all.
So, if the user has an empty (or no) LD_LIBRARY_PATH in his envirnment,
we'd end up adding the current working directory to LD_LIBRARY_PATH (as
an empty entry in a colon-separated list is most probably interpreted as
meaning the current working directory, which we do know can cause issue,
and which we expressely check against in support/dependencies/dependencies.sh
Fix that by only using an existing LD_LIBRARY_PATH if it is not empty.
Also use a Makefile construct as it is easier to read than a shell one
(we can do that, as all variables from the environment are available as
make variables).
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Peter Korsgaard <jacmet@uclibc.org>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
By default libcurl uses the C library's DNS resolver which is
synchronous, even if an application is using libcurl's non-blocking mode
of operation.
Configure libcurl to use c-ares if it is selected so that it can resolve
addresses asynchronously if required.
[Peter: explicitly disable c-ares support if not enabled]
Signed-off-by: John Keeping <john@keeping.me.uk>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
CVE-2013-3153 - sensitive HTTP server headers also sent to proxies.
And drop upstream patches.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
curldebug is a more advanced form of debugging for curl which audits
source code with the checksource.pl tool, and treats warnings as errors.
Normally users won't want/need this so disable it since it leads to
failed builds when debug info is enabled (which is what people normally
want).
When buildroot does --enable-debug curl inherently enables curldebug too.
Solves bug #8041.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
CVE-2015-3144 - host name out of boundary memory access
CVE-2015-3145 - cookie parser out of boundary memory access
CVE-2015-3148 - Negotiate not treated as connection-oriented
CVE-2015-3143 - Re-using authenticated connection when unauthenticated
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
