Bug 212677 - ftp/curl: Update to 7.50.3 / fix vuln
Summary: ftp/curl: Update to 7.50.3 / fix vuln
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Mark Felder
URL: https://curl.haxx.se/docs/adv_2016091...
Keywords: needs-qa, patch, security
Depends on:
Blocks: 212455
Reported: 2016-09-14 07:50 UTC by Bernard Spil
Modified: 2016-09-21 19:55 UTC (History)
8 users

See Also:
bugzilla: maintainer-feedback? (sunpoet)
feld: merge-quarterly+


Attachments
svn diff for ftp/curl (2.15 KB, patch)
2016-09-14 07:50 UTC, Bernard Spil
no flags
svn diff for ftp/curl (1.66 KB, patch)
2016-09-17 08:54 UTC, Bernard Spil
brnrd: maintainer-approval?
previous patch with fixed tabs/cr/lf (1.49 KB, patch)
2016-09-17 17:37 UTC, Marcin Gryszkalis
no flags
previous patch with fixed tabs/cr/lf (re-fix) (1.48 KB, patch)
2016-09-17 17:44 UTC, Marcin Gryszkalis
no flags
Updated patch for Makefile (1.05 KB, patch)
2016-09-21 18:46 UTC, lab
no flags

Description Bernard Spil freebsd_committer freebsd_triage 2016-09-14 07:50:19 UTC
Created attachment 174769
svn diff for ftp/curl

The current version of ftp/curl in ports has an integer overflow vulnerability. The patch updates to 7.50.3, which fixes the vuln.

> ftp/curl: Update 7.50.3 (Fixes 1 Security Vulnerability)
> 
>   - Update to 7.50.3
>   - Update installed docs
> 
> PR: 
> Security: b018121b-7a4b-11e6-bf52-b499baebfeaf
> Security: CVE-2016-7167
> MFH: 2016Q3
Comment 2 Kurt Jaeger freebsd_committer freebsd_triage 2016-09-17 05:17:31 UTC
Patch does not apply cleanly due to r422012, r422020, r422028
Comment 3 Bernard Spil freebsd_committer freebsd_triage 2016-09-17 08:54:11 UTC
Created attachment 174870
svn diff for ftp/curl

Update patch after r422012, r422020, r422028
Comment 4 Kurt Jaeger freebsd_committer freebsd_triage 2016-09-17 09:14:49 UTC
After removing the CR characters, this happened:

Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: Makefile
|===================================================================
|--- Makefile    (revision 422300)
|+++ Makefile    (working copy)
--------------------------
Patching file Makefile using Plan A...
Hunk #1 failed at 2.
Hunk #2 failed at 61.
2 out of 2 hunks failed--saving rejects to Makefile.rej
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: distinfo
|===================================================================
|--- distinfo    (revision 422300)
|+++ distinfo    (working copy)
--------------------------
Patching file distinfo using Plan A...
Hunk #1 succeeded at 1 with fuzz 1.
done
Comment 5 Marcin Gryszkalis 2016-09-17 17:37:57 UTC
Created attachment 174887
previous patch with fixed tabs/cr/lf

Just fixed formatting
Comment 6 Marcin Gryszkalis 2016-09-17 17:44:44 UTC
Created attachment 174888
previous patch with fixed tabs/cr/lf (re-fix)

fixed distinfo too
Comment 7 Kurt Jaeger freebsd_committer freebsd_triage 2016-09-17 19:18:03 UTC
testbuilds are fine.
Comment 8 Erik Cederstrand 2016-09-20 10:29:11 UTC
Is anything holding back this patch?
Comment 9 Marcin Gryszkalis 2016-09-20 10:44:04 UTC
The maintainer seems to be a bit inactive lately.
Adding Mark who committed patch for previous curl vulnerability. Mark, would you push it?
Comment 10 lab 2016-09-21 18:46:18 UTC
Created attachment 175038
Updated patch for Makefile

The previous patch doesn't appear correct to me. It removes documentation files instead of adding an "md" extension that some files now have. Add md file extension to the following DOCS entries:
        a) HISTORY
        b) CONTRIBUTE
        c) INTERNALS
        d) LICENSE-MIXING
        e) SECURITY
        f) SSL-PROBLEMS
        g) SSLCERTS
Comment 11 commit-hook freebsd_committer freebsd_triage 2016-09-21 19:54:07 UTC
A commit references this bug:

Author: feld
Date: Wed Sep 21 19:53:33 UTC 2016
New revision: 422575
URL: https://svnweb.freebsd.org/changeset/ports/422575

Log:
  ftp/curl: Update to 7.50.3

  - Update installed docs

  PR:		212677
  MFH:		2016Q3
  Security:	CVE-2016-7167

Changes:
  head/ftp/curl/Makefile
  head/ftp/curl/distinfo
Comment 12 Mark Felder freebsd_committer freebsd_triage 2016-09-21 19:55:01 UTC
Committed, thanks all!
Comment 13 commit-hook freebsd_committer freebsd_triage 2016-09-21 19:55:11 UTC
A commit references this bug:

Author: feld
Date: Wed Sep 21 19:54:06 UTC 2016
New revision: 422576
URL: https://svnweb.freebsd.org/changeset/ports/422576

Log:
  MFH: r422575

  ftp/curl: Update to 7.50.3

  - Update installed docs

  PR:		212677
  Security:	CVE-2016-7167

  Approved by:	ports-secteam (with hat)

Changes:
_U  branches/2016Q3/
  branches/2016Q3/ftp/curl/Makefile
  branches/2016Q3/ftp/curl/distinfo