Commit 6b8aa112 authored by Gustavo Zacarias's avatar Gustavo Zacarias Committed by Peter Korsgaard
Browse files

libcurl: add security patch for CVE-2013-4545 



Signed-off-by: default avatarGustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: default avatarPeter Korsgaard <peter@korsgaard.com>
parent dcefce4c

package/libcurl/libcurl-0001-CVE-2013-4545.patch

0 → 100644
+32 −0
Original line number Diff line number Diff line 
From 3c3622b66221d89509cffaa693fc7dcd5c5b96cf Mon Sep 17 00:00:00 2001

From: Daniel Stenberg <daniel@haxx.se>

Date: Wed, 2 Oct 2013 15:31:10 +0200

Subject: [PATCH] OpenSSL: acknowledge CURLOPT_SSL_VERIFYHOST without

 VERIFYPEER



Setting only CURLOPT_SSL_VERIFYHOST without CURLOPT_SSL_VERIFYPEER set

should still verify that the host name fields in the server certificate

is fine or return failure.



Bug: http://curl.haxx.se/mail/lib-2013-10/0002.html

Reported-by: Ishan SinghLevett

---

 lib/ssluse.c | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)



diff --git a/lib/ssluse.c b/lib/ssluse.c

index 4f3c1e1..9974ac8 100644

--- a/lib/ssluse.c

+++ b/lib/ssluse.c

@@ -2351,7 +2351,7 @@ ossl_connect_step3(struct connectdata *conn,

    * operations.

    */

 

-  if(!data->set.ssl.verifypeer)

+  if(!data->set.ssl.verifypeer && !data->set.ssl.verifyhost)

     (void)servercert(conn, connssl, FALSE);

   else

     retcode = servercert(conn, connssl, TRUE);

-- 

1.8.3.2