openwrt/package/network/utils/curl/patches/100-CVE-2017-2629.patch
Hauke Mehrtens 111cf1b9f3 curl: fix CVE-2017-2629 SSL_VERIFYSTATUS ignored
This fixes the following security problem:
https://curl.haxx.se/docs/adv_20170222.html

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-03-13 22:51:20 +01:00

34 lines
1.2 KiB
Diff

From a00a42b4abe8363a46071bb3b43b1b7138f5259b Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Sun, 22 Jan 2017 18:11:55 +0100
Subject: [PATCH] TLS: make SSL_VERIFYSTATUS work again
The CURLOPT_SSL_VERIFYSTATUS option was not properly handled by libcurl
and thus even if the status couldn't be verified, the connection would
be allowed and the user would not be told about the failed verification.
Regression since cb4e2be7c6d42ca
CVE-2017-2629
Bug: https://curl.haxx.se/docs/adv_20170222.html
Reported-by: Marcus Hoffmann
---
lib/url.c | 3 +++
1 file changed, 3 insertions(+)
--- a/lib/url.c
+++ b/lib/url.c
@@ -4141,8 +4141,11 @@ static struct connectdata *allocate_conn
conn->bits.ftp_use_epsv = data->set.ftp_use_epsv;
conn->bits.ftp_use_eprt = data->set.ftp_use_eprt;
+ conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus;
conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer;
conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost;
+ conn->proxy_ssl_config.verifystatus =
+ data->set.proxy_ssl.primary.verifystatus;
conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer;
conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost;