On Tue, Feb 25, 2014 at 10:49:00PM +0100, Daniel Stenberg wrote:
> On Mon, 24 Feb 2014, Dan Fandrich wrote:
> >It's probably worthwhile updating the security advisory at
> >http://curl.haxx.se/docs/adv_20140129.html as it advocates applying
> >just commit 8ae35102 as a fix to the original security issue. By my
> >reckoning, the fix should be 8ae35102 followed by 378af08c followed
> >by d7650998. The 7.27.0 patch at
> >http://curl.haxx.se/CVE-2014-0015-7-27.patch suffers from the same
> >problem.
>
> I agree completely, we really should. I'll try to create an amended
> version of the patches that take the subsequent fixes into account as
> well. When I get home again with some cycles to spare... Unless
> someone does it before me of course!

I've created a new patch that smooshes those three commits into one and
applies to 7.34.0. I've also attempted to back-port these to 7.28.1 and
came up with the second patch attached. A lot changed in this code between
those two versions so I'm not as confident in it, but the tests at least
pass.

>>> Dan

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html