mirror of https://github.com/hak5/openwrt.git
curl: fix CVE-2017-2629 SSL_VERIFYSTATUS ignored
This fixes the following security problem: https://curl.haxx.se/docs/adv_20170222.html Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>lede-17.01
parent
c4ed92ae7d
commit
111cf1b9f3
|
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
|
|||
|
||||
PKG_NAME:=curl
|
||||
PKG_VERSION:=7.52.1
|
||||
PKG_RELEASE:=2
|
||||
PKG_RELEASE:=3
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
|
||||
PKG_SOURCE_URL:=http://curl.haxx.se/download/ \
|
||||
|
|
|
@ -12,11 +12,9 @@ Bug: #1174
|
|||
lib/vtls/vtls.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
|
||||
index b808e1c..707f24b 100644
|
||||
--- a/lib/vtls/vtls.c
|
||||
+++ b/lib/vtls/vtls.c
|
||||
@@ -484,7 +484,7 @@ void Curl_ssl_close_all(struct Curl_easy *data)
|
||||
@@ -484,7 +484,7 @@ void Curl_ssl_close_all(struct Curl_easy
|
||||
curlssl_close_all(data);
|
||||
}
|
||||
|
||||
|
@ -25,7 +23,7 @@ index b808e1c..707f24b 100644
|
|||
defined(USE_DARWINSSL) || defined(USE_NSS)
|
||||
/* This function is for OpenSSL, GnuTLS, darwinssl, and schannel only. */
|
||||
int Curl_ssl_getsock(struct connectdata *conn, curl_socket_t *socks,
|
||||
@@ -518,7 +518,7 @@ int Curl_ssl_getsock(struct connectdata *conn,
|
||||
@@ -518,7 +518,7 @@ int Curl_ssl_getsock(struct connectdata
|
||||
(void)numsocks;
|
||||
return GETSOCK_BLANK;
|
||||
}
|
||||
|
|
|
@ -0,0 +1,33 @@
|
|||
From a00a42b4abe8363a46071bb3b43b1b7138f5259b Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Sun, 22 Jan 2017 18:11:55 +0100
|
||||
Subject: [PATCH] TLS: make SSL_VERIFYSTATUS work again
|
||||
|
||||
The CURLOPT_SSL_VERIFYSTATUS option was not properly handled by libcurl
|
||||
and thus even if the status couldn't be verified, the connection would
|
||||
be allowed and the user would not be told about the failed verification.
|
||||
|
||||
Regression since cb4e2be7c6d42ca
|
||||
|
||||
CVE-2017-2629
|
||||
Bug: https://curl.haxx.se/docs/adv_20170222.html
|
||||
|
||||
Reported-by: Marcus Hoffmann
|
||||
---
|
||||
lib/url.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
--- a/lib/url.c
|
||||
+++ b/lib/url.c
|
||||
@@ -4141,8 +4141,11 @@ static struct connectdata *allocate_conn
|
||||
conn->bits.ftp_use_epsv = data->set.ftp_use_epsv;
|
||||
conn->bits.ftp_use_eprt = data->set.ftp_use_eprt;
|
||||
|
||||
+ conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus;
|
||||
conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer;
|
||||
conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost;
|
||||
+ conn->proxy_ssl_config.verifystatus =
|
||||
+ data->set.proxy_ssl.primary.verifystatus;
|
||||
conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer;
|
||||
conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost;
|
||||
|
Loading…
Reference in New Issue