Resolves: CVE-2018-20483 - xattr: strip credentials from any URL that is stored

2019-01-21 10:13:55 +01:00 · 2019-01-21 10:13:55 +01:00 · b3c6d97e26
commit b3c6d97e26
parent 51f07044e3
2 changed files with 4784 additions and 1 deletions
--- a/0008-curl-7.61.1-CVE-2018-20483.patch
+++ b/0008-curl-7.61.1-CVE-2018-20483.patch
--- a/curl.spec
+++ b/curl.spec
@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.61.1
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: MIT
 Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz

@ -28,6 +28,9 @@ Patch6:   0006-curl-7.61.1-CVE-2018-16839.patch
 # curl -J: do not append to the destination file (#1658574)
 Patch7:   0007-curl-7.63.0-JO-preserve-local-file.patch

+# xattr: strip credentials from any URL that is stored (CVE-2018-20483)
+Patch8:   0008-curl-7.61.1-CVE-2018-20483.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch

@ -194,6 +197,7 @@ git apply %{PATCH4}
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1

 # Fedora patches
 %patch101 -p1
@ -360,6 +364,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal

 %changelog
+* Mon Jan 21 2019 Kamil Dudka <kdudka@redhat.com> - 7.61.1-7
+- xattr: strip credentials from any URL that is stored (CVE-2018-20483)
+
 * Wed Dec 19 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.1-6
 - curl -J: do not append to the destination file (#1658574)