[pkgsrc/pkgsrc-2004Q4]: pkgsrc/www/curl Pullup ticket 311 - requested by Lubo...

[snj <snj%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/bc75c81b7d14
branches:  pkgsrc-2004Q4
changeset: 485937:bc75c81b7d14
user:      snj <snj%pkgsrc.org@localhost>
date:      Sat Feb 26 07:25:30 2005 +0000

description:
Pullup ticket 311 - requested by Lubomir Sedlacik
security fix for curl

Apply a manual patch that fixes a buffer overflow in the NTLM
authentication code.  See http://www.securityfocus.com/archive/1/391042
for more information.

diffstat:

 www/curl/Makefile         |   3 ++-
 www/curl/buildlink3.mk    |   4 ++--
 www/curl/distinfo         |   3 ++-
 www/curl/patches/patch-aa |  33 +++++++++++++++++++++++++++++++++
 4 files changed, 39 insertions(+), 4 deletions(-)

diffs (77 lines):

diff -r ebd9f7854070 -r bc75c81b7d14 www/curl/Makefile
--- a/www/curl/Makefile Fri Feb 25 22:20:36 2005 +0000
+++ b/www/curl/Makefile Sat Feb 26 07:25:30 2005 +0000
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.45 2004/11/09 09:18:37 adam Exp $
+# $NetBSD: Makefile,v 1.45.2.1 2005/02/26 07:25:30 snj Exp $
 
 DISTNAME=      curl-7.12.2
+PKGREVISION=   1
 CATEGORIES=    www
 MASTER_SITES=  http://curl.haxx.se/download/ \
                ftp://ftp.sunet.se/pub/www/utilities/curl/ \
diff -r ebd9f7854070 -r bc75c81b7d14 www/curl/buildlink3.mk
--- a/www/curl/buildlink3.mk    Fri Feb 25 22:20:36 2005 +0000
+++ b/www/curl/buildlink3.mk    Sat Feb 26 07:25:30 2005 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: buildlink3.mk,v 1.5 2004/10/03 00:18:25 tv Exp $
+# $NetBSD: buildlink3.mk,v 1.5.2.1 2005/02/26 07:25:30 snj Exp $
 
 BUILDLINK_DEPTH:=      ${BUILDLINK_DEPTH}+
 CURL_BUILDLINK3_MK:=   ${CURL_BUILDLINK3_MK}+
@@ -12,7 +12,7 @@
 
 .if !empty(CURL_BUILDLINK3_MK:M+)
 BUILDLINK_DEPENDS.curl+=       curl>=7.9.1
-BUILDLINK_RECOMMENDED.curl?=   curl>=7.12.1nb1
+BUILDLINK_RECOMMENDED.curl?=   curl>=7.12.2nb1
 BUILDLINK_PKGSRCDIR.curl?=     ../../www/curl
 .endif # CURL_BUILDLINK3_MK
 
diff -r ebd9f7854070 -r bc75c81b7d14 www/curl/distinfo
--- a/www/curl/distinfo Fri Feb 25 22:20:36 2005 +0000
+++ b/www/curl/distinfo Sat Feb 26 07:25:30 2005 +0000
@@ -1,4 +1,5 @@
-$NetBSD: distinfo,v 1.28 2004/11/09 09:18:37 adam Exp $
+$NetBSD: distinfo,v 1.28.2.1 2005/02/26 07:25:30 snj Exp $
 
 SHA1 (curl-7.12.2.tar.bz2) = 0823103ada811175dfbfbea07ec57ff6d5a9745a
 Size (curl-7.12.2.tar.bz2) = 1246427 bytes
+SHA1 (patch-aa) = 0152fac7590f448aae5b9a335a19b988e5732c55
diff -r ebd9f7854070 -r bc75c81b7d14 www/curl/patches/patch-aa
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/curl/patches/patch-aa Sat Feb 26 07:25:30 2005 +0000
@@ -0,0 +1,33 @@
+$NetBSD: patch-aa,v 1.7.10.1 2005/02/26 07:25:30 snj Exp $
+--- lib/http_ntlm.c.orig       2004-07-29 15:09:58.000000000 +0200
++++ lib/http_ntlm.c    2005-02-25 02:02:10.000000000 +0100
+@@ -103,7 +103,6 @@
+     header++;
+ 
+   if(checkprefix("NTLM", header)) {
+-    unsigned char buffer[256];
+     header += strlen("NTLM");
+ 
+     while(*header && isspace((int)*header))
+@@ -123,8 +122,12 @@
+          (40)    Target Information  (optional) security buffer(*)
+          32 (48) start of data block
+       */
++      size_t size;
++      unsigned char *buffer = (unsigned char *)malloc(strlen(header));
++      if (buffer == NULL)
++        return CURLNTLM_BAD;
+ 
+-      size_t size = Curl_base64_decode(header, (char *)buffer);
++      size = Curl_base64_decode(header, (char *)buffer);
+ 
+       ntlm->state = NTLMSTATE_TYPE2; /* we got a type-2 */
+ 
+@@ -134,6 +137,7 @@
+ 
+       /* at index decimal 20, there's a 32bit NTLM flag field */
+ 
++      free(buffer);
+     }
+     else {
+       if(ntlm->state >= NTLMSTATE_TYPE1)