← Back to branch summary

~ubuntu-branches/ubuntu/dapper/curl/dapper-updates

« back to all changes in this revision

Viewing changes to debian/gnutls-send.patch

  • Committer: Bazaar Package Importer
  • Author(s): Marc Deslauriers
  • Date: 2009-02-26 15:52:51 UTC
  • mfrom: (8.1.1 dapper-proposed)
  • Revision ID: james.westby@ubuntu.com-20090226155251-qau3ln69xpdjcpq3
Tags: 7.15.1-1ubuntu3.1
* SECURITY UPDATE: Local file exposure via redirect
  - docs/libcurl/curl_easy_setopt.3, include/curl/curl.h, lib/{easy,url}.c
    and lib/urldata.h: add logic to limit what protocols curl will
    automatically follow via a redirect. By default, it now follows all
    protocols except FILE.
  - http://curl.haxx.se/CVE-2009-0037/curl-7.15.1-CVE-2009-0037.patch
  - CVE-2009-0037

Show diffs side-by-side

added added

removed removed

Lines of Context:
debian/gnutls-send.patch
 
1
Mark Eichin submitted bug report #1480821
 
2
(http://curl.haxx.se/bug/view.cgi?id=1480821) He found and identified a
 
3
problem with how libcurl dealt with GnuTLS and a case where gnutls returned
 
4
GNUTLS_E_AGAIN indicating it would block. It would then return an unexpected
 
5
return code, making Curl_ssl_send() confuse the upper layer - causing
 
6
random 28 bytes trash data to get inserted in the transfered stream.
 
7
 
 
8
The proper fix was to make the Curl_gtls_send() function return the proper
 
9
return codes that the callers would expect. The Curl_ossl_send() function
 
10
already did this.
 
11
 
 
12
--- curl/lib/gtls.c.orig        2007-09-11 12:04:58.000000000 -0300
 
13
+++ curl/lib/gtls.c     2007-09-11 12:05:51.000000000 -0300
 
14
@@ -495,6 +495,12 @@
 
15
   int rc;
 
16
   rc = gnutls_record_send(conn->ssl[sockindex].session, mem, len);
 
17
 
 
18
+  if(rc < 0) {
 
19
+    if(rc == GNUTLS_E_AGAIN)
 
20
+      return 0; /* EWOULDBLOCK equivalent */
 
21
+    rc = -1; /* generic error code for send failure */
 
22
+  }
 
23
+
 
24
   return rc;
 
25
 }
 
26