CC: curl: fix some security vulnerabilities

This fixes the following security vulnerabilities in curl:
* CVE-2015-3143
* CVE-2015-3144
* CVE-2015-3145
* CVE-2015-3148
* CVE-2015-3153
* CVE-2015-3236
* CVE-2015-3237

This was fixed in trunk with update to version 7.43.0 in r46169.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>


git-svn-id: svn://svn.openwrt.org/openwrt/branches/chaos_calmer@46312 3c298f89-4303-0410-b956-a3cf2f4a3e73

1 files changed, 28 insertions, 0 deletions

diff --git a/package/network/utils/curl/patches/010-CVE-2015-3143.patch b/package/network/utils/curl/patches/010-CVE-2015-3143.patch
new file mode 100644
index 0000000000..697c9c9b6d
--- /dev/null
+++ b/package/network/utils/curl/patches/010-CVE-2015-3143.patch
@@ -0,0 +1,28 @@
+From d7d1bc8f08eea1a85ab0d794bc1561659462d937 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 16 Apr 2015 13:26:46 +0200
+Subject: [PATCH] ConnectionExists: for NTLM re-use, require credentials to
+ match
+
+CVE-2015-3143
+
+Bug: http://curl.haxx.se/docs/adv_20150422A.html
+Reported-by: Paras Sethia
+---
+ lib/url.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -3184,7 +3184,11 @@ ConnectionExists(struct SessionHandle *d
+       }
+ 
+       if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) ||
++#if defined(USE_NTLM)
++         (wantNTLMhttp || check->ntlm.state != NTLMSTATE_NONE)) {
++#else
+          wantNTLMhttp) {
++#endif
+         /* This protocol requires credentials per connection or is HTTP+NTLM,
+            so verify that we're using the same name and password as well */
+         if(!strequal(needle->user, check->user) ||