From patchwork Wed Apr 19 09:07:42 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Vicente Olivert Riera
X-Patchwork-Id: 752137
From: Vicente Olivert Riera
Date: Wed, 19 Apr 2017 10:07:42 +0100
Message-ID: <20170419090742.33430-1-Vincent.Riera@imgtec.com>
X-Mailer: git-send-email 2.10.2
Subject: [Buildroot] [PATCH] libcurl: bump version to 7.54.0 (security)
List-Id: Discussion and development of buildroot

Security fixes:
 - CVE-2017-7468: switch off SSL session id when client cert is used

Full changelog: https://curl.haxx.se/changes.html

Removing 0001-CVE-2017-7407.patch. It's included in this release:
https://github.com/curl/curl/commit/1890d59905414ab84a35892b2e45833654aa5c13

Signed-off-by: Vicente Olivert Riera
---
 package/libcurl/0001-CVE-2017-7407.patch | 61 -------------------------------- package/libcurl/libcurl.hash | 2 +- package/libcurl/libcurl.mk | 2 +- 3 files changed, 2 insertions(+), 63 deletions(-) delete mode 100644 package/libcurl/0001-CVE-2017-7407.patch diff --git a/package/libcurl/0001-CVE-2017-7407.patch b/package/libcurl/0001-CVE-2017-7407.patch deleted file mode 100644 index 3a9fa48..0000000 --- a/package/libcurl/0001-CVE-2017-7407.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -From 6019f1795b4e3b72507b84b0e02dc8c32024f562 Mon Sep 17 00:00:00 2001 -From: Dan Fandrich -Date: Sat, 11 Mar 2017 10:59:34 +0100 -Subject: [PATCH] CVE-2017-7407: fixed - -Bug: https://curl.haxx.se/docs/adv_20170403.html - -Reported-by: Brian Carpenter -[baruch: remove tests] -Signed-off-by: Baruch Siach ---- -Patch status: based on upstream suggested patch[1] that combines commits -1890d59905414ab and 8e65877870c1. - -[1] https://curl.haxx.se/CVE-2017-7407.patch - -diff --git a/src/tool_writeout.c b/src/tool_writeout.c -index 2fb77742a..5d92bd278 100644 ---- a/src/tool_writeout.c -+++ b/src/tool_writeout.c -@@ -3,11 +3,11 @@ - * Project ___| | | | _ \| | - * / __| | | | |_) | | - * | (__| |_| | _ <| |___ - * \___|\___/|_| \_\_____| - * -- * Copyright (C) 1998 - 2016, Daniel Stenberg, , et al. -+ * Copyright (C) 1998 - 2017, Daniel Stenberg, , et al. - * - * This software is licensed as described in the file COPYING, which - * you should have received as part of this distribution. The terms - * are also available at https://curl.haxx.se/docs/copyright.html. - * -@@ -111,11 +111,11 @@ void ourWriteOut(CURL *curl, struct OutStruct *outs, const char *writeinfo) - char *stringp = NULL; - long longinfo; - double doubleinfo; - - while(ptr && *ptr) { -- if('%' == *ptr) { -+ if('%' == *ptr && ptr[1]) { - if('%' == ptr[1]) { - /* an escaped %-letter */ - fputc('%', stream); - ptr += 2; - } -@@ -339,11 +339,11 @@ void ourWriteOut(CURL *curl, struct OutStruct *outs, const char *writeinfo) - fputc(ptr[1], stream); - ptr += 2; - } - } - } -- else if('\\' == *ptr) { -+ else if('\\' == *ptr && ptr[1]) { - switch(ptr[1]) { - case 'r': - fputc('\r', stream); - break; - case 'n': --- 2.11.0 - diff --git a/package/libcurl/libcurl.hash b/package/libcurl/libcurl.hash index 9c521e9..f8885e0 100644 --- a/package/libcurl/libcurl.hash +++ b/package/libcurl/libcurl.hash 
@@ -1,2 +1,2 @@ # Locally calculated after checking pgp signature -sha256 1c7207c06d75e9136a944a2e0528337ce76f15b9ec9ae4bb30d703b59bf530e8 curl-7.53.1.tar.bz2 +sha256 f50ebaf43c507fa7cc32be4b8108fa8bbd0f5022e90794388f3c7694a302ff06 curl-7.54.0.tar.bz2 diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk index 0249f5c..6f4803e 100644 --- a/package/libcurl/libcurl.mk +++ b/package/libcurl/libcurl.mk @@ -4,7 +4,7 @@ # ################################################################################ -LIBCURL_VERSION = 7.53.1 +LIBCURL_VERSION = 7.54.0 LIBCURL_SOURCE = curl-$(LIBCURL_VERSION).tar.bz2 LIBCURL_SITE = https://curl.haxx.se/download LIBCURL_DEPENDENCIES = host-pkgconf \
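Review bot: the deleted package/libcurl/0001-CVE-2017-7407.patch says in its "Patch status" note that it combines upstream commits 1890d59905414ab and 8e65877870c1, but the commit message justifies the removal by linking only 1890d59905414ab84a35892b2e45833654aa5c13. Please confirm that 8e65877870c1 is also part of 7.54.0 and name it in the commit message, so it is clear that both end-of-string checks the local patch added in ourWriteOut() (the "&& ptr[1]" on the '%' branch and on the '\\' branch) are covered by the release.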
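Review bot: in package/libcurl/libcurl.hash the new sha256 for curl-7.54.0.tar.bz2 sits under the unchanged comment "Locally calculated after checking pgp signature", yet nothing in the commit message says the signature of the 7.54.0 tarball was actually checked. Please confirm that it was, and consider extending the comment with where the signature file was taken from, so the next version bump can repeat the same check instead of inheriting the claim.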