Bug 132358 - ftp/curl: update to 7.19.4 thus fixing CVE-2009-0037
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Peter Pentchev
Reported: 2009-03-06 11:20 UTC by Eygene Ryabinkin
Modified: 2009-03-07 04:00 UTC

Attachments
update-to-7.19.4.diff (9.88 KB, patch)
2009-03-06 11:20 UTC, Eygene Ryabinkin
7.19.4-nitpicking-PORTEXAMPLES.diff (5.54 KB, patch)
2009-03-06 11:20 UTC, Eygene Ryabinkin

Description Eygene Ryabinkin 2009-03-06 11:20:05 UTC
cURL 7.19.4 is out [1] and this release fixes a security bug with redirection
to other protocols supported by cURL [2] [3].

Fix: The following patch updates the port to 7.19.4.  I have tested both the CLI
version of the native client, by downloading some files and testing their
integrity, and git as the cURL client, by cloning some repositories over
HTTP.  Everything works without problems.

One will need to issue 'patch -p3 -E' to get rid of empty files:
patches for 'docs' directory contents were integrated upstream.

Ideally, this patch should supersede the patch in ports/131324.

The following two patches compensate for portlint's whining about
not very correct usage of some variables.

From bfaacf662b77e649ae40b7dd0d45f49a18ebc63c Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Fri, 6 Mar 2009 13:31:00 +0300
Subject: [PATCH 3/3] ftp/curl: nitpicking, don't add CFLAGS to the CONFIGURE_ENV

This is redundant: target 'do-configure' from bsd.port.mk sets CFLAGS
to ${CFLAGS} by itself, so manual addition of CFLAGS should not produce
any effect.

Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
 ftp/curl/Makefile |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/ftp/curl/Makefile b/ftp/curl/Makefile
index 3343c31..fc695ce 100644
--- a/ftp/curl/Makefile
+++ b/ftp/curl/Makefile
@@ -179,7 +179,7 @@ CONFIGURE_ARGS+=	--disable-proxy
 .endif
 
 .if defined(ADDFLAGS)
-CONFIGURE_ENV+=	CFLAGS="${CFLAGS}" LDFLAGS="${LDFLAGS}"
+CONFIGURE_ENV+=	LDFLAGS="${LDFLAGS}"
 .endif
 
 DOCS=		BINDINGS BUGS CONTRIBUTE DISTRO-DILEMMA FAQ FEATURES \
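Review bot: The retained `CONFIGURE_ENV+= LDFLAGS="${LDFLAGS}"` line inside `.if defined(ADDFLAGS)` is left without any explanation of why it stays while CFLAGS goes; the commit message only covers how 'do-configure' handles CFLAGS. If LDFLAGS is not passed to configure in the same way, a one-line comment above this assignment saying so would keep the asymmetry from being taken for an oversight and "cleaned up" later. Since ADDFLAGS is set outside this hunk, it is also worth confirming with a build that defines it that the extra compiler flags still reach configure after the removal, rather than relying only on the default-options build.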
-- 
1.6.1
--- 7.19.4-nitpicking-CFLAGS ends here ---
How-To-Repeat: 
See the following links.

[1] http://curl.haxx.se/changes.html
[2] http://curl.haxx.se/docs/adv_20090303.html
[3] http://www.vuxml.org/freebsd/5d433534-f41c-402e-ade5-e0a2259a7cb6.html
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2009-03-06 11:20:23 UTC
Responsible Changed
From-To: freebsd-ports-bugs->roam

Over to maintainer (via the GNATS Auto Assign Tool)
Comment 2 dfilter service freebsd_committer freebsd_triage 2009-03-07 03:57:50 UTC
roam        2009-03-07 03:57:38 UTC

  FreeBSD ports repository

  Modified files:
    ftp/curl             Makefile distinfo pkg-plist 
    ftp/curl/files       patch-Makefile.in patch-configure 
                         patch-lib::ftp.c patch-lib::url.c 
                         patch-src::main.c 
                         patch-tests::libtest::lib505.c 
                         patch-tests::libtest::lib541.c 
                         patch-tests::runtests.pl 
                         patch-tests::server::getpart.c 
  Removed files:
    ftp/curl/files       patch-docs::curl.1 patch-docs::curl.html 
  Log:
  Update to curl-7.19.4, which fixes a redirection vulnerability.
  The changes in the patch files are almost the same as in Eugene's PR,
  although I arrived at them mostly independently :)
  Reformat all patch files now that I use quilt to manage them.
  Fix two complaints from portlint: needless use of CFLAGS and differentiation
  between NOPORTDOCS and NOPORTEXAMPLES.  Thanks, Eugene!
  
  PR:             132358
  Submitted by:   Eygene Ryabinkin <rea-fbsd@codelabs.ru>
  
  Revision  Changes    Path
  1.97      +6 -2      ports/ftp/curl/Makefile
  1.52      +3 -3      ports/ftp/curl/distinfo
  1.3       +4 -3      ports/ftp/curl/files/patch-Makefile.in
  1.11      +11 -11    ports/ftp/curl/files/patch-configure
  1.3       +0 -12     ports/ftp/curl/files/patch-docs::curl.1 (dead)
  1.3       +0 -12     ports/ftp/curl/files/patch-docs::curl.html (dead)
  1.7       +5 -39     ports/ftp/curl/files/patch-lib::ftp.c
  1.5       +4 -3      ports/ftp/curl/files/patch-lib::url.c
  1.6       +5 -39     ports/ftp/curl/files/patch-src::main.c
  1.3       +4 -3      ports/ftp/curl/files/patch-tests::libtest::lib505.c
  1.3       +4 -3      ports/ftp/curl/files/patch-tests::libtest::lib541.c
  1.5       +4 -3      ports/ftp/curl/files/patch-tests::runtests.pl
  1.5       +4 -3      ports/ftp/curl/files/patch-tests::server::getpart.c
  1.26      +47 -46    ports/ftp/curl/pkg-plist
Comment 3 Peter Pentchev freebsd_committer freebsd_triage 2009-03-07 03:59:17 UTC
State Changed
From-To: open->closed

I've just committed something very, very similar to your changes, 
and included your two nitpicking fixes.  Thanks!