Fixes:
CVE-2014-3707 - libcurl's function curl_easy_duphandle() has a bug that
can lead to libcurl eventually sending off sensitive data that was not
intended for sending.
Removed patch that was upstream and now in the release.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Reviewed-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Tested-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
To be consistent with the recent change of FOO_MAKE_OPT into FOO_MAKE_OPTS,
make the same change for FOO_CONF_OPT.
Sed command used:
find * -type f | xargs sed -i 's#_CONF_OPT\>#&S#g'
Signed-off-by: Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
For details see
82d923895a (commitcomment-7952726)
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
CVE-2014-3613 cookie leak with IP address as domain
CVE-2014-3620 cookie leak for TLDs
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In the Config.in file of package foo, it often happens that there are other
symbols besides BR2_PACKAGE_FOO. Typically, these symbols only make sense
when foo itself is enabled. There are two ways to express this: with
depends on BR2_PACKAGE_FOO
in each extra symbol, or with
if BR2_PACKAGE_FOO
...
endif
around the entire set of extra symbols.
The if/endif approach avoids the repetition of 'depends on' statements on
multiple symbols, so this is clearly preferred. But even when there is only
one extra symbol, if/endif is a more logical choice:
- it is future-proof for when extra symbols are added
- it allows to have just one strategy instead of two (less confusion)
This patch modifies the Config.in files accordingly.
Signed-off-by: Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
cURL's homepage is curl.haxx.se and not curl.haxx.nu
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Adding configuration options that if libssh2 is selected, compile libcurl
with --with-ssh config flag.
Signed-off-by: Ryan Barnett <rjbarnet@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
Add support for gnutls, nss and polarssl backends.
Add support for libidn and zlib.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
Updating revision of libcurl to version 7.32.0
Signed-off-by: Ryan Barnett <rjbarnet@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
Since openssl's path is '/etc/ssl/' (specified in our openssl package),
we should also make sure that's what curl is using.
Previously, it's hasn't been specified, which means it changes depending
on the host system where it's compiled.
Signed-off-by: Shawn J. Goff <shawn7400@gmail.com>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
In 9229b82d63 ('libcurl: needs MMU'),
the libcurl package was disabled on non-MMU systems, due to the usage
of the fork() function in the library.
However, a deeper inspection reveals that fork() is only used in the
implementation of NTLM, an obscure, undocumented, Microsoft specific
authentication method that apparently isn't common anymore. See
http://curl.haxx.se/docs/manpage.html#--ntlm.
Therefore, this commit re-enables libcurl on non-MMU systems by
explicitly disabling the NTLM support. If someone ever needs NTLM
support in Buildroot's libcurl package, it will always be time to add
a libcurl sub-option to enable it.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
Use the <pkg>_CONFIG_SCRIPTS mechanism in all packages for which it
does all what the package was doing. A few packages, like libxslt, are
for now left out, since they need some additional fixup (for example a
fixup of includedir).
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
When openSSL is selected, cURL is configured to use it.
But in this case, the libcurl.pc file /forgets/ to require link
against -ldl.
This can happen, for example, when BR2_PREFER_STATIC_LIB is not set,
but an executable wants to be linked statically (for various reasons
which are irrelevant here).
Fix that by appending a 'Requires: openssl' line to libcurl.pc.in,
but only if openSSL is enabled.
As suggested by Arnout, do it in a post-patch hook, rather as a
post-install hook.
Cc: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
While most packages that rely on libcurl use pkg-config, a few
packages (such as libxmlrpc) still use curl-config. So we need to fix
up the prefix locations in the curl-config script installed in
STAGING_DIR.
[Peter: only fixup if prefix=/usr]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
Thanks to the pkgparentdir and pkgname functions, we can rewrite the
AUTOTARGETS macro in a way that avoids the need for each package to
repeat its name and the directory in which it is present.
[Peter: pkgdir->pkgparentdir]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
The ./configure script of libcurl includes <arpa_inet.h> instead of
<arpa/inet.h> when testing for inet_pton(). The test fails, but it
doesn't prevent libcurl to build as it can work without inet_pton().
However, it fills the configure cache with the fact that inet_pton()
does not exist. And later, tcpreplay reads this from the configure
cache and fails to build, because tcpreplay really need inet_pton().
Unfortunately, just fixing the .m4 file doesn't work because the
autoreconfiguration of the package fails. Since the fix for this
problem is already upstream, the easiest solution is therefore to bump
libcurl.
The libcurl-7.19.2-fix-ssl-no-verbose.patch patch is no longer needed.
Since we're patching a m4 file, we must autoreconfigure the package.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Makefile.autotools.in automatically adds these to the configure invocation,
so there's no need to explicitly list them.
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
Gustavo Zacarias
Thomas De Schampheleire
Bernd Kuhls
Maxime Hadjinlian
Ryan Barnett
Alexandre Belloni
Shawn J. Goff
Thomas Petazzoni
Maxime Ripard
Yann E. MORIN
Danomi Manchego
Arnout Vandecappelle (Essensium/Mind)
Peter Korsgaard
Thomas Lundquist