
curl-library

Re: [SECURITY ADVISORY 1/4] libcurl wrong re-use of connections

From: Alessandro Ghedini <alessandro_at_ghedini.me>
Date: Sun, 30 Mar 2014 22:37:08 +0200

On Sun, Mar 30, 2014 at 09:15:28 +0200, Kamil Dudka wrote:
> On Sunday, March 30, 2014 15:34:49 Alessandro Ghedini wrote:
> > On Wed, Mar 26, 2014 at 08:04:30 +0100, Daniel Stenberg wrote:
> > > 3. THE SOLUTION
> > >
> > > libcurl 7.36.0 makes sure that connections are re-used more strictly.
> > >
> > > A patch for this problem is available at:
> > > http://curl.haxx.se/libcurl-bad-reuse.patch
> >
> > I've been trying to backport that patch to curl 7.26.0 (used in Debian
> > stable), but I've noticed that the connection reuse has changed drastically
> > since then, and that patch doesn't seem to be enough to fix the issue (in
> > fact, it actually breaks the test suite, since test 519 freezes for some
> > reason). I haven't even tried to backport it to Debian oldstable (7.21.0).
> >
> > Is there someone that successfully backported it to something pre-7.30.0, or
> > should I just give up?
>
> I am attaching a patch for curl 7.29.0.

That's more or less the same patch I've used. I've even tried to backport commit
5ede86a (which introduced wantNTLMhttp and credentialsMatch) to 7.26.0, but test
519 still doesn't terminate until I kill it manually. I guess pre-7.30.0 is
still too new. I haven't tried backporting d021f2e though, but that's too many
changes anyway.

Cheers

-- 
perl -E '$_=q;$/= @{[@_]};and s;\S+;<inidehG ordnasselA>;eg;say~~reverse'

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html

Received on 2014-03-30