new upstream release - 7.50.2
This commit is contained in:
Kamil Dudka
parent
165cb33f0a
commit
1db8ad8d42
|
|
@ -1,45 +0,0 @@
|
|||
From ec122e23098aad8b6e3d97070cca5858b72558e2 Mon Sep 17 00:00:00 2001
|
||||
From: Kamil Dudka <kdudka@redhat.com>
|
||||
Date: Mon, 22 Aug 2016 10:24:35 +0200
|
||||
Subject: [PATCH] nss: refuse previously loaded certificate from file
|
||||
|
||||
... when we are not asked to use a certificate from file
|
||||
|
||||
Upstream-commit: 7700fcba64bf5806de28f6c1c7da3b4f0b38567d
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
lib/vtls/nss.c | 8 +++++++-
|
||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
|
||||
index ad33f25..e467360 100644
|
||||
--- a/lib/vtls/nss.c
|
||||
+++ b/lib/vtls/nss.c
|
||||
@@ -1004,10 +1004,10 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
|
||||
struct ssl_connect_data *connssl = (struct ssl_connect_data *)arg;
|
||||
struct Curl_easy *data = connssl->data;
|
||||
const char *nickname = connssl->client_nickname;
|
||||
+ static const char pem_slotname[] = "PEM Token #1";
|
||||
|
||||
if(connssl->obj_clicert) {
|
||||
/* use the cert/key provided by PEM reader */
|
||||
- static const char pem_slotname[] = "PEM Token #1";
|
||||
SECItem cert_der = { 0, NULL, 0 };
|
||||
void *proto_win = SSL_RevealPinArg(sock);
|
||||
struct CERTCertificateStr *cert;
|
||||
@@ -1069,6 +1069,12 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
|
||||
if(NULL == nickname)
|
||||
nickname = "[unknown]";
|
||||
|
||||
+ if(!strncmp(nickname, pem_slotname, sizeof(pem_slotname) - 1U)) {
|
||||
+ failf(data, "NSS: refusing previously loaded certificate from file: %s",
|
||||
+ nickname);
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+
|
||||
if(NULL == *pRetKey) {
|
||||
failf(data, "NSS: private key not found for certificate: %s", nickname);
|
||||
return SECFailure;
|
||||
--
|
||||
2.7.4
|
||||
|
||||
|
|
@ -1,97 +0,0 @@
|
|||
From 5812a71c283936b85a77bd2745d4c6bb673cb55f Mon Sep 17 00:00:00 2001
|
||||
From: Peter Wang <novalazy@gmail.com>
|
||||
Date: Fri, 26 Aug 2016 16:28:39 +1000
|
||||
Subject: [PATCH] nss: work around race condition in PK11_FindSlotByName()
|
||||
|
||||
Serialise the call to PK11_FindSlotByName() to avoid spurious errors in
|
||||
a multi-threaded environment. The underlying cause is a race condition
|
||||
in nssSlot_IsTokenPresent().
|
||||
|
||||
Bug: https://bugzilla.mozilla.org/1297397
|
||||
|
||||
Closes #985
|
||||
|
||||
Upstream-commit: 3a5d5de9ef52ebe8ca2bda2165edc1b34c242e54
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
lib/vtls/nss.c | 22 +++++++++++++++++++---
|
||||
1 file changed, 19 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
|
||||
index e467360..1465c03 100644
|
||||
--- a/lib/vtls/nss.c
|
||||
+++ b/lib/vtls/nss.c
|
||||
@@ -81,6 +81,7 @@ PRFileDesc *PR_ImportTCPSocket(PRInt32 osfd);
|
||||
|
||||
PRLock * nss_initlock = NULL;
|
||||
PRLock * nss_crllock = NULL;
|
||||
+PRLock *nss_findslot_lock = NULL;
|
||||
struct curl_llist *nss_crl_list = NULL;
|
||||
NSSInitContext * nss_context = NULL;
|
||||
|
||||
@@ -340,6 +341,19 @@ static char* dup_nickname(struct Curl_easy *data, enum dupstring cert_kind)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
+/* Lock/unlock wrapper for PK11_FindSlotByName() to work around race condition
|
||||
+ * in nssSlot_IsTokenPresent() causing spurious SEC_ERROR_NO_TOKEN. For more
|
||||
+ * details, go to <https://bugzilla.mozilla.org/1297397>.
|
||||
+ */
|
||||
+static PK11SlotInfo* nss_find_slot_by_name(const char *slot_name)
|
||||
+{
|
||||
+ PK11SlotInfo *slot;
|
||||
+ PR_Lock(nss_initlock);
|
||||
+ slot = PK11_FindSlotByName(slot_name);
|
||||
+ PR_Unlock(nss_initlock);
|
||||
+ return slot;
|
||||
+}
|
||||
+
|
||||
/* Call PK11_CreateGenericObject() with the given obj_class and filename. If
|
||||
* the call succeeds, append the object handle to the list of objects so that
|
||||
* the object can be destroyed in Curl_nss_close(). */
|
||||
@@ -362,7 +376,7 @@ static CURLcode nss_create_object(struct ssl_connect_data *ssl,
|
||||
if(!slot_name)
|
||||
return CURLE_OUT_OF_MEMORY;
|
||||
|
||||
- slot = PK11_FindSlotByName(slot_name);
|
||||
+ slot = nss_find_slot_by_name(slot_name);
|
||||
free(slot_name);
|
||||
if(!slot)
|
||||
return result;
|
||||
@@ -563,7 +577,7 @@ static CURLcode nss_load_key(struct connectdata *conn, int sockindex,
|
||||
return result;
|
||||
}
|
||||
|
||||
- slot = PK11_FindSlotByName("PEM Token #1");
|
||||
+ slot = nss_find_slot_by_name("PEM Token #1");
|
||||
if(!slot)
|
||||
return CURLE_SSL_CERTPROBLEM;
|
||||
|
||||
@@ -1013,7 +1027,7 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
|
||||
struct CERTCertificateStr *cert;
|
||||
struct SECKEYPrivateKeyStr *key;
|
||||
|
||||
- PK11SlotInfo *slot = PK11_FindSlotByName(pem_slotname);
|
||||
+ PK11SlotInfo *slot = nss_find_slot_by_name(pem_slotname);
|
||||
if(NULL == slot) {
|
||||
failf(data, "NSS: PK11 slot not found: %s", pem_slotname);
|
||||
return SECFailure;
|
||||
@@ -1249,6 +1263,7 @@ int Curl_nss_init(void)
|
||||
PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 256);
|
||||
nss_initlock = PR_NewLock();
|
||||
nss_crllock = PR_NewLock();
|
||||
+ nss_findslot_lock = PR_NewLock();
|
||||
}
|
||||
|
||||
/* We will actually initialize NSS later */
|
||||
@@ -1303,6 +1318,7 @@ void Curl_nss_cleanup(void)
|
||||
|
||||
PR_DestroyLock(nss_initlock);
|
||||
PR_DestroyLock(nss_crllock);
|
||||
+ PR_DestroyLock(nss_findslot_lock);
|
||||
nss_initlock = NULL;
|
||||
|
||||
initialized = 0;
|
||||
--
|
||||
2.7.4
|
||||
|
||||
|
|
@ -12,7 +12,7 @@ diff --git a/configure b/configure
|
|||
index 8f079a3..53b4774 100755
|
||||
--- a/configure
|
||||
+++ b/configure
|
||||
@@ -16617,18 +16617,11 @@ $as_echo "yes" >&6; }
|
||||
@@ -16620,18 +16620,11 @@ $as_echo "yes" >&6; }
|
||||
gccvhi=`echo $gccver | cut -d . -f1`
|
||||
gccvlo=`echo $gccver | cut -d . -f2`
|
||||
compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
|
||||
|
|
|
|||
|
|
@ -12,8 +12,8 @@ diff --git a/tests/data/test165 b/tests/data/test165
|
|||
index ddfe1e9..b2cbc4f 100644
|
||||
--- a/tests/data/test165
|
||||
+++ b/tests/data/test165
|
||||
@@ -53,5 +53,8 @@ Host: www.xn--4cab6c.se
|
||||
Accept: */*
|
||||
@@ -54,5 +54,8 @@ Accept: */*
|
||||
Proxy-Connection: Keep-Alive
|
||||
|
||||
</protocol>
|
||||
+<valgrind>
|
||||
|
|
|
|||
|
|
@ -1,11 +0,0 @@
|
|||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v2
|
||||
|
||||
iQEcBAABCgAGBQJXoZGzAAoJEFzJCP23HhLCmj4IAIThxlJHbnqX+vPMHdAj4o/6
|
||||
Rr946YLOyQl41eJCwjsCYLbFGj0c2uy0ipKuSTB1aodyOwwuybHGJbsJxE9TKJTd
|
||||
eWgZ1sG9clE5S5YBHYqJK32PmYLEo7pSoNgamzoXOFKdxdK4OSNnPJBrJy2wDQRY
|
||||
+FfRR+xOvUDvj3K84eEEeKKbGgXqKSgQ7594s7BFSGxDQEzUIkmpEiMQv9S4ZCOL
|
||||
03FR8f0PXs4N8/tKSRBmhPc7BwCfTgK1XVpd+puYOTMi7niW3rentnqCONOSQbqo
|
||||
xvN/XDvvEVN+P17DWAkYPwHkjFCC9L+3uR1OCzFgFgGcoN1Yv9nK/bqRGGGRGr8=
|
||||
=uBU6
|
||||
-----END PGP SIGNATURE-----
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQEcBAABCgAGBQJXz6qdAAoJEFzJCP23HhLC6twH/3QeGbEA0pOOaA77CBI83SgY
|
||||
76BieyDb2WPz1krUv09zMijIhKyy9+F+aCygBotzcUMDsrT0cLf/6xZKI3chAcGo
|
||||
H6S/ewRJvcx0IxAuaVlj+r3K5ZB7PY4GoDqGIngRgHSDyMkHEioOnUeG57FuTNJ3
|
||||
1gmeFnfkwtDGUcctGNndG7XbfUcFCyN60q6BAFUn5eXaHEm19xNiveeo9+mt2jse
|
||||
phsvmKrzTqCMFNZgeU0OoFQnVPL41J9nBcHlGDzpv5yAW8gM46dS9pV8t2lSUW02
|
||||
jGtGpLQLLDOgmJrpkQEDUp/xWKFifPmNog8NsUQ4lxe8fGf1DkHrmIRVPKsge/k=
|
||||
=L2bZ
|
||||
-----END PGP SIGNATURE-----
|
||||
20
curl.spec
20
curl.spec
|
|
@ -1,18 +1,11 @@
|
|||
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
||||
Name: curl
|
||||
Version: 7.50.1
|
||||
Release: 2%{?dist}
|
||||
Version: 7.50.2
|
||||
Release: 1%{?dist}
|
||||
License: MIT
|
||||
Group: Applications/Internet
|
||||
Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
|
||||
|
||||
# fix incorrect use of a previously loaded certificate from file
|
||||
# (related to CVE-2016-5420)
|
||||
Patch1: 0001-curl-7.51.0-cert-reuse.patch
|
||||
|
||||
# work around race condition in PK11_FindSlotByName()
|
||||
Patch2: 0002-curl-7.51.0-find-slot-race.patch
|
||||
|
||||
# patch making libcurl multilib ready
|
||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||
|
||||
|
|
@ -135,8 +128,6 @@ documentation of the library, too.
|
|||
%setup -q
|
||||
|
||||
# upstream patches
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
|
||||
# Fedora patches
|
||||
%patch101 -p1
|
||||
|
|
@ -230,8 +221,8 @@ rm -rf $RPM_BUILD_ROOT
|
|||
%{_libdir}/libcurl.so.*
|
||||
|
||||
%files -n libcurl-devel
|
||||
%doc docs/examples/*.c docs/examples/Makefile.example docs/INTERNALS
|
||||
%doc docs/CONTRIBUTE docs/libcurl/ABI
|
||||
%doc docs/examples/*.c docs/examples/Makefile.example docs/INTERNALS.md
|
||||
%doc docs/CONTRIBUTE.md docs/libcurl/ABI
|
||||
%{_bindir}/curl-config*
|
||||
%{_includedir}/curl
|
||||
%{_libdir}/*.so
|
||||
|
|
@ -241,6 +232,9 @@ rm -rf $RPM_BUILD_ROOT
|
|||
%{_datadir}/aclocal/libcurl.m4
|
||||
|
||||
%changelog
|
||||
* Wed Sep 07 2016 Kamil Dudka <kdudka@redhat.com> 7.50.2-1
|
||||
- new upstream release
|
||||
|
||||
* Fri Aug 26 2016 Kamil Dudka <kdudka@redhat.com> 7.50.1-2
|
||||
- work around race condition in PK11_FindSlotByName()
|
||||
- fix incorrect use of a previously loaded certificate from file
|
||||
|
|
|
|||
Loading…
Reference in New Issue