
Re: [SECURITY ADVISORY 1/4] libcurl wrong re-use of connections

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Sun, 30 Mar 2014 23:10:39 +0200

On Sunday, March 30, 2014 22:37:08 Alessandro Ghedini wrote:
> On Sun, Mar 30, 2014 at 09:15:28 +0200, Kamil Dudka wrote:
> > On Sunday, March 30, 2014 15:34:49 Alessandro Ghedini wrote:
> > > On Wed, Mar 26, 2014 at 08:04:30 +0100, Daniel Stenberg wrote:
> > > > 3. THE SOLUTION
> > > >
> > > > libcurl 7.36.0 makes sure that connections are re-used more
> > > > strictly.
> > > >
> > > > A patch for this problem is available at:
> > > > http://curl.haxx.se/libcurl-bad-reuse.patch
> > >
> > > I've been trying to backport that patch to curl 7.26.0 (used in Debian
> > > stable), but I've noticed that the connection reuse has changed
> > > drastically since then, and that patch doesn't seem to be enough to fix
> > > the issue (in fact, it actually breaks the test suite, since test 519
> > > freezes for some reason). I haven't even tried to backport it to Debian
> > > oldstable (7.21.0).
> > >
> > > Is there someone that successfully backported it to something
> > > pre-7.30.0, or should I just give up?
> >
> > I am attaching a patch for curl 7.29.0.
>
> That's more or less the same patch I've used. I've even tried to backport
> commit 5ede86a (which introduced wantNTLMhttp and credentialsMatch) to
> 7.26.0, but test 519 still doesn't terminate until I kill it manually. I
> guess pre-7.30.0 is still too new. I haven't tried backporting d021f2e
> though, but that's too many changes anyway.

We run the test-suite during build and test 519 passes just fine with the
patch applied on curl 7.29.0 (Fedora 19) and 7.32.0 (Fedora 20). I did not
try it with other curl releases.

Kamil
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-03-30