diff -Nru curl-7.47.0/debian/changelog curl-7.47.0/debian/changelog
--- curl-7.47.0/debian/changelog 2016-08-05 15:20:41.000000000 +0000
+++ curl-7.47.0/debian/changelog 2017-10-17 17:53:46.000000000 +0000
@@ -1,3 +1,96 @@ +curl (7.47.0-1ubuntu2.4) xenial-security; urgency=medium + + * SECURITY UPDATE: IMAP FETCH response out of bounds read + - debian/patches/CVE-2017-1000257.patch: check size in lib/imap.c. + - CVE-2017-1000257 + + -- Marc Deslauriers Tue, 17 Oct 2017 13:53:46 -0400 + +curl (7.47.0-1ubuntu2.3) xenial-security; urgency=medium + + * SECURITY UPDATE: printf floating point buffer overflow + - debian/patches/CVE-2016-9586.patch: fix floating point buffer + overflow issues in lib/mprintf.c, added test to tests/data/test557, + tests/libtest/lib557.c. + - CVE-2016-9586 + * SECURITY UPDATE: TFTP sends more than buffer size + - debian/patches/CVE-2017-1000100.patch: reject file name lengths that + don't fit in lib/tftp.c. + - CVE-2017-1000100 + * SECURITY UPDATE: URL globbing out of bounds read + - debian/patches/CVE-2017-1000101.patch: do not continue parsing after + a strtoul() overflow range in src/tool_urlglob.c, added test to + tests/data/Makefile.inc, tests/data/test1289. + - CVE-2017-1000101 + * SECURITY UPDATE: FTP PWD response parser out of bounds read + - debian/patches/CVE-2017-1000254.patch: zero terminate the entry path + even on bad input in lib/ftp.c, added test to + tests/data/Makefile.inc, tests/data/test1152. + - CVE-2017-1000254 + * SECURITY UPDATE: --write-out out of buffer read + - debian/patches/CVE-2017-7407-1.patch: fix a buffer read overrun in + src/tool_writeout.c added test to tests/data/Makefile.inc, + tests/data/test1440, tests/data/test1441. + - debian/patches/CVE-2017-7407-2.patch: check for end of input in + src/tool_writeout.c added test to tests/data/Makefile.inc, + tests/data/test1442. + - CVE-2017-7407 + + -- Marc Deslauriers Wed, 04 Oct 2017 08:52:42 -0400 + +curl (7.47.0-1ubuntu2.2) xenial-security; urgency=medium + + * SECURITY UPDATE: Incorrect reuse of client certificates with NSS + - debian/patches/CVE-2016-7141.patch: refuse previously loaded + certificate from file in lib/vtls/nss.c. 
+ - CVE-2016-7141 + * SECURITY UPDATE: curl escape and unescape integer overflows + - debian/patches/CVE-2016-7167.patch: deny negative string length + inputs in lib/escape.c. + - CVE-2016-7167 + * SECURITY UPDATE: cookie injection for other servers + - debian/patches/CVE-2016-8615.patch: ignore lines that are too long in + lib/cookie.c. + - CVE-2016-8615 + * SECURITY UPDATE: case insensitive password comparison + - debian/patches/CVE-2016-8616.patch: use case sensitive user/password + comparisons in lib/url.c. + - CVE-2016-8616 + * SECURITY UPDATE: OOB write via unchecked multiplication + - debian/patches/CVE-2016-8617.patch: check for integer overflow on + large input in lib/base64.c. + - CVE-2016-8617 + * SECURITY UPDATE: double-free in curl_maprintf + - debian/patches/CVE-2016-8618.patch: detect wrap-around when growing + allocation in lib/mprintf.c. + - CVE-2016-8618 + * SECURITY UPDATE: double-free in krb5 code + - debian/patches/CVE-2016-8619.patch: avoid realloc in lib/security.c. + - CVE-2016-8619 + * SECURITY UPDATE: glob parser write/read out of bounds + - debian/patches/CVE-2016-8620.patch: stay within bounds in + src/tool_urlglob.c. + - CVE-2016-8620 + * SECURITY UPDATE: curl_getdate read out of bounds + - debian/patches/CVE-2016-8621.patch: handle cut off numbers better in + lib/parsedate.c, added tests to tests/data/test517, + tests/libtest/lib517.c. + - CVE-2016-8621 + * SECURITY UPDATE: URL unescape heap overflow via integer truncation + - debian/patches/CVE-2016-8622.patch: avoid integer overflow in + lib/dict.c, lib/escape.c, update docs/libcurl/curl_easy_unescape.3. + - CVE-2016-8622 + * SECURITY UPDATE: Use-after-free via shared cookies + - debian/patches/CVE-2016-8623.patch: hold deep copies of all cookies + in lib/cookie.c, lib/cookie.h, lib/http.c. + - CVE-2016-8623 + * SECURITY UPDATE: invalid URL parsing with # + - debian/patches/CVE-2016-8624.patch: accept # as end of host name in + lib/url.c. 
+ - CVE-2016-8624 + + -- Marc Deslauriers Wed, 02 Nov 2016 14:24:49 -0400 + curl (7.47.0-1ubuntu2.1) xenial-security; urgency=medium * SECURITY UPDATE: TLS session resumption client cert bypass diff -Nru curl-7.47.0/debian/patches/CVE-2016-7141.patch curl-7.47.0/debian/patches/CVE-2016-7141.patch --- curl-7.47.0/debian/patches/CVE-2016-7141.patch 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.47.0/debian/patches/CVE-2016-7141.patch 2016-11-02 18:13:58.000000000 +0000 
@@ -0,0 +1,41 @@
+Backport of:
+
+From 7700fcba64bf5806de28f6c1c7da3b4f0b38567d Mon Sep 17 00:00:00 2001
+From: Kamil Dudka
+Date: Mon, 22 Aug 2016 10:24:35 +0200
+Subject: [PATCH] nss: refuse previously loaded certificate from file
+
+... when we are not asked to use a certificate from file
+---
+ lib/vtls/nss.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+Index: curl-7.47.0/lib/vtls/nss.c
+===================================================================
+--- curl-7.47.0.orig/lib/vtls/nss.c 2016-11-02 14:13:22.036627789 -0400
++++ curl-7.47.0/lib/vtls/nss.c 2016-11-02 14:13:22.032627765 -0400
+@@ -1010,10 +1010,10 @@
+ struct ssl_connect_data *connssl = (struct ssl_connect_data *)arg;
+ struct SessionHandle *data = connssl->data;
+ const char *nickname = connssl->client_nickname;
++ static const char pem_slotname[] = "PEM Token #1";
+
+ if(connssl->obj_clicert) {
+ /* use the cert/key provided by PEM reader */
+- static const char pem_slotname[] = "PEM Token #1";
+ SECItem cert_der = { 0, NULL, 0 };
+ void *proto_win = SSL_RevealPinArg(sock);
+ struct CERTCertificateStr *cert;
+@@ -1075,6 +1075,12 @@
+ if(NULL == nickname)
+ nickname = "[unknown]";
+
++ if(!strncmp(nickname, pem_slotname, sizeof(pem_slotname) - 1U)) {
++ failf(data, "NSS: refusing previously loaded certificate from file: %s",
++ nickname);
++ return SECFailure;
++ }
++
+ if(NULL == *pRetKey) {
+ failf(data, "NSS: private key not found for certificate: %s", nickname);
+ return SECFailure;
diff -Nru curl-7.47.0/debian/patches/CVE-2016-7167.patch curl-7.47.0/debian/patches/CVE-2016-7167.patch
--- curl-7.47.0/debian/patches/CVE-2016-7167.patch 1970-01-01 00:00:00.000000000 +0000
+++ curl-7.47.0/debian/patches/CVE-2016-7167.patch 2016-11-02 18:16:46.000000000 +0000
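Review bot: The added `strncmp(nickname, pem_slotname, sizeof(pem_slotname) - 1U)` test in lib/vtls/nss.c is a bare prefix match with no comment, so any nickname that merely begins with the text "PEM Token #1" is refused and nothing at the check says that this is intended. The failure mode is fail-closed (no client certificate is offered), which is the safe direction, but a comment would keep a later cleanup from loosening it: `/* a nickname in the PEM slot belongs to a certificate loaded from file earlier; never offer it unless obj_clicert asked for one */`. The enclosing function starts and ends outside both inner hunks, so how `nickname` reaches this point cannot be judged from here.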
@@ -0,0 +1,65 @@
+Backport of:
+
+From bf0bb3849422c043f21f56fae57c1cf85e41a272 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Thu, 8 Sep 2016 22:59:54 +0200
+Subject: [PATCH] CVE-2016-7167: deny negative string length inputs
+
+Bug: https://curl.haxx.se/docs/adv_20160914.html
+---
+ lib/escape.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+Index: curl-7.47.0/lib/escape.c
+===================================================================
+--- curl-7.47.0.orig/lib/escape.c 2016-11-02 14:14:12.532915458 -0400
++++ curl-7.47.0/lib/escape.c 2016-11-02 14:15:23.621320437 -0400
+@@ -78,15 +78,21 @@
+
+ char *curl_easy_escape(CURL *handle, const char *string, int inlength)
+ {
+- size_t alloc = (inlength?(size_t)inlength:strlen(string))+1;
++ size_t alloc;
+ char *ns;
+ char *testing_ptr = NULL;
+ unsigned char in; /* we need to treat the characters unsigned */
+- size_t newlen = alloc;
++ size_t newlen;
+ size_t strindex=0;
+ size_t length;
+ CURLcode result;
+
++ if(inlength < 0)
++ return NULL;
++
++ alloc = (inlength?(size_t)inlength:strlen(string))+1;
++ newlen = alloc;
++
+ ns = malloc(alloc);
+ if(!ns)
+ return NULL;
+@@ -211,14 +217,16 @@
+ int *olen)
+ {
+ char *str = NULL;
+- size_t inputlen = length;
+- size_t outputlen;
+- CURLcode res = Curl_urldecode(handle, string, inputlen, &str, &outputlen,
+- FALSE);
+- if(res)
+- return NULL;
+- if(olen)
+- *olen = curlx_uztosi(outputlen);
++ if(length >= 0) {
++ size_t inputlen = length;
++ size_t outputlen;
++ CURLcode res = Curl_urldecode(handle, string, inputlen, &str, &outputlen,
++ FALSE);
++ if(res)
++ return NULL;
++ if(olen)
++ *olen = curlx_uztosi(outputlen);
++ }
+ return str;
+ }
+
diff -Nru curl-7.47.0/debian/patches/CVE-2016-8615.patch curl-7.47.0/debian/patches/CVE-2016-8615.patch
--- curl-7.47.0/debian/patches/CVE-2016-8615.patch 1970-01-01 00:00:00.000000000 +0000
+++ curl-7.47.0/debian/patches/CVE-2016-8615.patch 2016-11-02 18:17:01.000000000 +0000
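Review bot: A negative `inlength` or `length` now makes both lib/escape.c functions return NULL, which a caller cannot tell apart from an allocation failure, and on that path `curl_easy_unescape` leaves `*olen` unwritten; neither rule is stated in the code. I would add `/* a negative length is a caller error: fail here instead of letting it convert to a huge size_t */` above `if(inlength < 0)` and the matching remark above `if(length >= 0)`. The diffstat touches only lib/escape.c, so the man pages presumably do not mention the new failure case yet.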
@@ -0,0 +1,64 @@
+From 1620f552a277ed5b23a48b9c27dbf07663cac068 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Tue, 27 Sep 2016 17:36:19 +0200
+Subject: [PATCH] cookie: replace use of fgets() with custom version
+
+... that will ignore lines that are too long to fit in the buffer.
+
+CVE-2016-8615
+
+Bug: https://curl.haxx.se/docs/adv_20161102A.html
+Reported-by: Cure53
+---
+ lib/cookie.c | 31 ++++++++++++++++++++++++++++++-
+ 1 file changed, 30 insertions(+), 1 deletion(-)
+
+Index: curl-7.47.0/lib/cookie.c
+===================================================================
+--- curl-7.47.0.orig/lib/cookie.c 2016-11-02 14:16:59.141864602 -0400
++++ curl-7.47.0/lib/cookie.c 2016-11-02 14:16:59.141864602 -0400
+@@ -890,6 +890,35 @@
+ return co;
+ }
+
++/*
++ * get_line() makes sure to only return complete whole lines that fit in 'len'
++ * bytes and end with a newline.
++ */
++static char *get_line(char *buf, int len, FILE *input)
++{
++ bool partial = FALSE;
++ while(1) {
++ char *b = fgets(buf, len, input);
++ if(b) {
++ size_t rlen = strlen(b);
++ if(rlen && (b[rlen-1] == '\n')) {
++ if(partial) {
++ partial = FALSE;
++ continue;
++ }
++ return b;
++ }
++ else
++ /* read a partial, discard the next piece that ends with newline */
++ partial = TRUE;
++ }
++ else
++ break;
++ }
++ return NULL;
++}
++
++
+ /*****************************************************************************
+ *
+ * Curl_cookie_init()
+@@ -946,7 +975,7 @@
+ line = malloc(MAX_COOKIE_LINE);
+ if(!line)
+ goto fail;
+- while(fgets(line, MAX_COOKIE_LINE, fp)) {
++ while(get_line(line, MAX_COOKIE_LINE, fp)) {
+ if(checkprefix("Set-Cookie:", line)) {
+ /* This is a cookie line, get it! */
+ lineptr=&line[11];
diff -Nru curl-7.47.0/debian/patches/CVE-2016-8616.patch curl-7.47.0/debian/patches/CVE-2016-8616.patch
--- curl-7.47.0/debian/patches/CVE-2016-8616.patch 1970-01-01 00:00:00.000000000 +0000
+++ curl-7.47.0/debian/patches/CVE-2016-8616.patch 2016-11-02 18:18:36.000000000 +0000
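Review bot: `get_line()` in lib/cookie.c also drops a final line that has no trailing newline: the piece fails the `b[rlen-1] == '\n'` test, `partial` is set, the next `fgets()` returns NULL and the function returns NULL, so the last cookie of such a file is silently lost where the old `fgets()` loop would have handed it to the parser. If that input should keep loading, return the piece when it is a short read at end of file, e.g. `if(!partial && feof(input)) return b;` ahead of `partial = TRUE;`; otherwise extend the header comment to say unterminated last lines are ignored. A line holding an embedded NUL byte is classified as partial too, because `strlen()` stops early, and that discards the following complete line as well; it fails closed but deserves a sentence in the comment.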
@@ -0,0 +1,53 @@ +Backport of: + +From cef510beb222ab5750afcac2c74fcbcdc31ada64 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 27 Sep 2016 18:01:53 +0200 +Subject: [PATCH] connectionexists: use case sensitive user/password + comparisons + +CVE-2016-8616 + +Bug: https://curl.haxx.se/docs/adv_20161102B.html +Reported-by: Cure53 +--- + lib/url.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +Index: curl-7.47.0/lib/url.c +=================================================================== +--- curl-7.47.0.orig/lib/url.c 2016-11-02 14:17:07.757913686 -0400 ++++ curl-7.47.0/lib/url.c 2016-11-02 14:18:13.854290226 -0400 +@@ -3305,8 +3305,8 @@ + if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) { + /* This protocol requires credentials per connection, + so verify that we're using the same name and password as well */ +- if(!strequal(needle->user, check->user) || +- !strequal(needle->passwd, check->passwd)) { ++ if(strcmp(needle->user, check->user) || ++ strcmp(needle->passwd, check->passwd)) { + /* one of them was different */ + continue; + } +@@ -3369,8 +3369,8 @@ + possible. (Especially we must not reuse the same connection if + partway through a handshake!) 
*/ + if(wantNTLMhttp) { +- if(!strequal(needle->user, check->user) || +- !strequal(needle->passwd, check->passwd)) ++ if(strcmp(needle->user, check->user) || ++ strcmp(needle->passwd, check->passwd)) + continue; + } + else if(check->ntlm.state != NTLMSTATE_NONE) { +@@ -3380,8 +3380,8 @@ + + /* Same for Proxy NTLM authentication */ + if(wantProxyNTLMhttp) { +- if(!strequal(needle->proxyuser, check->proxyuser) || +- !strequal(needle->proxypasswd, check->proxypasswd)) ++ if(strcmp(needle->proxyuser, check->proxyuser) || ++ strcmp(needle->proxypasswd, check->proxypasswd)) + continue; + } + else if(check->proxyntlm.state != NTLMSTATE_NONE) { diff -Nru curl-7.47.0/debian/patches/CVE-2016-8617.patch curl-7.47.0/debian/patches/CVE-2016-8617.patch --- curl-7.47.0/debian/patches/CVE-2016-8617.patch 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.47.0/debian/patches/CVE-2016-8617.patch 2016-11-02 18:19:52.000000000 +0000 
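Review bot: The three replaced comparisons in lib/url.c (`user`/`passwd` in the per-connection credentials check and the NTLM check, `proxyuser`/`proxypasswd` in the proxy NTLM check) carry no comment saying that case sensitivity is the security property, and the surrounding text still only says "the same name and password". I would add at the first site `/* credentials must match byte for byte: a case-insensitive match would allow reuse of a connection authenticated with a different password */`, and write the tests as `strcmp(needle->user, check->user) != 0` so the intent reads without relying on strcmp's return convention. The enclosing function starts and ends outside all three hunks.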
@@ -0,0 +1,31 @@
+Backport of:
+
+From 3599341dd611303ee9544839d30f603f606d1082 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Wed, 28 Sep 2016 00:05:12 +0200
+Subject: [PATCH] base64: check for integer overflow on large input
+
+CVE-2016-8617
+
+Bug: https://curl.haxx.se/docs/adv_20161102C.html
+Reported-by: Cure53
+---
+ lib/base64.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+Index: curl-7.47.0/lib/base64.c
+===================================================================
+--- curl-7.47.0.orig/lib/base64.c 2016-11-02 14:19:09.414606744 -0400
++++ curl-7.47.0/lib/base64.c 2016-11-02 14:19:37.702767897 -0400
+@@ -190,6 +190,11 @@
+ if(0 == insize)
+ insize = strlen(indata);
+
++#if SIZEOF_SIZE_T == 4
++ if(insize > UINT_MAX/4)
++ return CURLE_OUT_OF_MEMORY;
++#endif
++
+ base64data = output = malloc(insize*4/3+4);
+ if(NULL == output)
+ return CURLE_OUT_OF_MEMORY;
diff -Nru curl-7.47.0/debian/patches/CVE-2016-8618.patch curl-7.47.0/debian/patches/CVE-2016-8618.patch
--- curl-7.47.0/debian/patches/CVE-2016-8618.patch 1970-01-01 00:00:00.000000000 +0000
+++ curl-7.47.0/debian/patches/CVE-2016-8618.patch 2016-11-02 18:20:03.000000000 +0000
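Review bot: The overflow guard ahead of `malloc(insize*4/3+4)` in lib/base64.c is compiled only under `#if SIZEOF_SIZE_T == 4` and compares a `size_t` against `UINT_MAX/4`, which ties the check to one platform layout rather than to the type that is actually multiplied. An unconditional test against the size_t range costs nothing on 64-bit builds and covers any other width: `if(insize > (size_t)-1 / 4) return CURLE_OUT_OF_MEMORY;`. Whether `<limits.h>` is already included for `UINT_MAX` is not visible in the hunk, and the function body extends beyond it.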
@@ -0,0 +1,43 @@
+From 31106a073882656a2a5ab56c4ce2847e9a334c3c Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Wed, 28 Sep 2016 10:15:34 +0200
+Subject: [PATCH] aprintf: detect wrap-around when growing allocation
+
+On 32bit systems we could otherwise wrap around after 2GB and allocate 0
+bytes and crash.
+
+CVE-2016-8618
+
+Bug: https://curl.haxx.se/docs/adv_20161102D.html
+Reported-by: Cure53
+---
+ lib/mprintf.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+Index: curl-7.47.0/lib/mprintf.c
+===================================================================
+--- curl-7.47.0.orig/lib/mprintf.c 2016-11-02 14:20:01.578903915 -0400
++++ curl-7.47.0/lib/mprintf.c 2016-11-02 14:20:01.574903893 -0400
+@@ -1011,16 +1011,19 @@
+ infop->len =0;
+ }
+ else if(infop->len+1 >= infop->alloc) {
+- char *newptr;
++ char *newptr = NULL;
++ size_t newsize = infop->alloc*2;
+
+- newptr = realloc(infop->buffer, infop->alloc*2);
++ /* detect wrap-around or other overflow problems */
++ if(newsize > infop->alloc)
++ newptr = realloc(infop->buffer, newsize);
+
+ if(!newptr) {
+ infop->fail = 1;
+ return -1; /* fail */
+ }
+ infop->buffer = newptr;
+- infop->alloc *= 2;
++ infop->alloc = newsize;
+ }
+
+ infop->buffer[ infop->len ] = outc;
diff -Nru curl-7.47.0/debian/patches/CVE-2016-8619.patch curl-7.47.0/debian/patches/CVE-2016-8619.patch
--- curl-7.47.0/debian/patches/CVE-2016-8619.patch 1970-01-01 00:00:00.000000000 +0000
+++ curl-7.47.0/debian/patches/CVE-2016-8619.patch 2016-11-02 18:20:06.000000000 +0000
@@ -0,0 +1,50 @@
+From 91239f7040b1f026d4d15765e7e3f58e92e93761 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Wed, 28 Sep 2016 12:56:02 +0200
+Subject: [PATCH] krb5: avoid realloc(0)
+
+If the requested size is zero, bail out with error instead of doing a
+realloc() that would cause a double-free: realloc(0) acts as a free()
+and then there's a second free in the cleanup path.
+
+CVE-2016-8619
+
+Bug: https://curl.haxx.se/docs/adv_20161102E.html
+Reported-by: Cure53
+---
+ lib/security.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/lib/security.c b/lib/security.c
+index a268d4a..4cef8f8 100644
+--- a/lib/security.c
++++ b/lib/security.c
+@@ -190,19 +190,22 @@ socket_write(struct connectdata *conn, curl_socket_t fd, const void *to,
+ static CURLcode read_data(struct connectdata *conn,
+ curl_socket_t fd,
+ struct krb5buffer *buf)
+ {
+ int len;
+- void* tmp;
++ void *tmp = NULL;
+ CURLcode result;
+
+ result = socket_read(fd, &len, sizeof(len));
+ if(result)
+ return result;
+
+- len = ntohl(len);
+- tmp = realloc(buf->data, len);
++ if(len) {
++ /* only realloc if there was a length */
++ len = ntohl(len);
++ tmp = realloc(buf->data, len);
++ }
+ if(tmp == NULL)
+ return CURLE_OUT_OF_MEMORY;
+
+ buf->data = tmp;
+ result = socket_read(fd, buf->data, len);
+--
+2.9.3
+
diff -Nru curl-7.47.0/debian/patches/CVE-2016-8620.patch curl-7.47.0/debian/patches/CVE-2016-8620.patch
--- curl-7.47.0/debian/patches/CVE-2016-8620.patch 1970-01-01 00:00:00.000000000 +0000
+++ curl-7.47.0/debian/patches/CVE-2016-8620.patch 2016-11-02 18:20:52.000000000 +0000
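Review bot: `len` in `read_data()` (lib/security.c) is a signed `int` filled from the peer, and apart from the new zero test it reaches `realloc()` and `socket_read()` with no range check, so a negative value is stopped only by `realloc()` failing on the resulting huge size and any positive value is allocated on the peer's word. I would bound it right after `len = ntohl(len);`, for example `if(len <= 0 || len > KRB5_MAX_BLOCK) return CURLE_OUT_OF_MEMORY;`, where `KRB5_MAX_BLOCK` is a placeholder name for a limit the project would have to choose. The zero-length case also surfaces as CURLE_OUT_OF_MEMORY because `tmp` stays NULL, which is misleading in logs; a comment at `if(tmp == NULL)` should say that it covers both cases. The function continues below the hunk.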
@@ -0,0 +1,157 @@ +Backport of: + +From 52f3e1d1092c81a4f574c9fc6cb3818b88434c8d Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 3 Oct 2016 17:27:16 +0200 +Subject: [PATCH 1/3] range: prevent negative end number in a glob range +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2016-8620 + +Bug: https://curl.haxx.se/docs/adv_20161102F.html +Reported-by: Luật Nguyễn + +From e97ebe97c2b53d3617c1f4082a2aaa4f1b593ef9 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 3 Oct 2016 18:23:22 +0200 +Subject: [PATCH 2/3] glob_next_url: make sure to stay within the given output + buffer + +From 9ce377051290c83176f235b526b87904cad6b388 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 4 Oct 2016 17:25:09 +0200 +Subject: [PATCH 3/3] range: reject char globs with missing end like '[L-]' +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +... which previously would lead to out of boundary reads. 
+ +Reported-by: Luật Nguyễn + +Index: curl-7.47.0/src/tool_urlglob.c +=================================================================== +--- curl-7.47.0.orig/src/tool_urlglob.c 2016-11-02 14:20:12.322965123 -0400 ++++ curl-7.47.0/src/tool_urlglob.c 2016-11-02 14:20:12.322965123 -0400 +@@ -186,32 +186,36 @@ + /* character range detected */ + char min_c; + char max_c; ++ char end_c; + int step=1; + + pat->type = UPTCharRange; + +- rc = sscanf(pattern, "%c-%c", &min_c, &max_c); ++ rc = sscanf(pattern, "%c-%c%c", &min_c, &max_c, &end_c); + +- if((rc == 2) && (pattern[3] == ':')) { +- char *endp; +- unsigned long lstep; +- errno = 0; +- lstep = strtoul(&pattern[4], &endp, 10); +- if(errno || (*endp != ']')) +- step = -1; +- else { +- pattern = endp+1; +- step = (int)lstep; +- if(step > (max_c - min_c)) ++ if(rc == 3) { ++ if(end_c == ':') { ++ char *endp; ++ unsigned long lstep; ++ errno = 0; ++ lstep = strtoul(&pattern[4], &endp, 10); ++ if(errno || (*endp != ']')) + step = -1; ++ else { ++ pattern = endp+1; ++ step = (int)lstep; ++ if(step > (max_c - min_c)) ++ step = -1; ++ } + } ++ else if(end_c != ']') ++ /* then this is wrong */ ++ rc = 0; + } +- else +- pattern += 4; + + *posp += (pattern - *patternp); + +- if((rc != 2) || (min_c >= max_c) || ((max_c - min_c) > ('z' - 'a')) || ++ if((rc != 3) || (min_c >= max_c) || ((max_c - min_c) > ('z' - 'a')) || + (step <= 0) ) + /* the pattern is not well-formed */ + return GLOBERROR("bad range", *posp, CURLE_URL_MALFORMAT); +@@ -255,6 +259,12 @@ + endp = NULL; + else { + pattern = endp+1; ++ while(*pattern && ISBLANK(*pattern)) ++ pattern++; ++ if(!ISDIGIT(*pattern)) { ++ endp = NULL; ++ goto fail; ++ } + errno = 0; + max_n = strtoul(pattern, &endp, 10); + if(errno || (*endp == ':')) { +@@ -275,6 +285,7 @@ + } + } + ++ fail: + *posp += (pattern - *patternp); + + if(!endp || (min_n > max_n) || (step_n > (max_n - min_n)) || +@@ -423,6 +434,7 @@ + glob_buffer = malloc(strlen(url) + 1); + if(!glob_buffer) + return 
CURLE_OUT_OF_MEMORY; ++ glob_buffer[0]=0; + + glob_expand = calloc(1, sizeof(URLGlob)); + if(!glob_expand) { +@@ -540,20 +552,25 @@ + switch(pat->type) { + case UPTSet: + if(pat->content.Set.elements) { +- len = strlen(pat->content.Set.elements[pat->content.Set.ptr_s]); + snprintf(buf, buflen, "%s", + pat->content.Set.elements[pat->content.Set.ptr_s]); ++ len = strlen(buf); + buf += len; + buflen -= len; + } + break; + case UPTCharRange: +- *buf++ = pat->content.CharRange.ptr_c; ++ if(buflen) { ++ *buf++ = pat->content.CharRange.ptr_c; ++ *buf = '\0'; ++ buflen--; ++ } + break; + case UPTNumRange: +- len = snprintf(buf, buflen, "%0*ld", +- pat->content.NumRange.padlength, +- pat->content.NumRange.ptr_n); ++ snprintf(buf, buflen, "%0*ld", ++ pat->content.NumRange.padlength, ++ pat->content.NumRange.ptr_n); ++ len = strlen(buf); + buf += len; + buflen -= len; + break; +@@ -562,7 +579,6 @@ + return CURLE_FAILED_INIT; + } + } +- *buf = '\0'; + + *globbed = strdup(glob->glob_buffer); + if(!*globbed) diff -Nru curl-7.47.0/debian/patches/CVE-2016-8621.patch curl-7.47.0/debian/patches/CVE-2016-8621.patch --- curl-7.47.0/debian/patches/CVE-2016-8621.patch 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.47.0/debian/patches/CVE-2016-8621.patch 2016-11-02 18:21:43.000000000 +0000 
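Review bot: In the character-range branch of src/tool_urlglob.c the old `else pattern += 4;` is removed and no new arm advances `pattern` when `end_c` is `']'`, so for a plain range without a step the following `*posp += (pattern - *patternp);` appears to run with `pattern` still at the start of the range text. Unless the pointer is moved somewhere outside the hunk, add the missing arm after the `else if(end_c != ']')` case: `else /* end_c == ']' */ pattern += 4;`. Separately, in the `UPTCharRange` case of the output loop, `if(buflen)` still lets `*buf = '\0'` land one byte past the space counted by `buflen` when `buflen` is 1; `if(buflen > 1)` would keep the terminator inside it, assuming `buflen` counts the whole remaining buffer (its initialisation is outside the hunk).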
@@ -0,0 +1,100 @@ +Backport of: + +From 8a6d9ded5f02f0294ae63a007e26087316c1998e Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 4 Oct 2016 16:59:38 +0200 +Subject: [PATCH] parsedate: handle cut off numbers better +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +... and don't read outside of the given buffer! + +CVE-2016-8621 + +bug: https://curl.haxx.se/docs/adv_20161102G.html +Reported-by: Luật Nguyễn +--- + lib/parsedate.c | 12 +++++++----- + tests/data/test517 | 6 ++++++ + tests/libtest/lib517.c | 8 +++++++- + 3 files changed, 20 insertions(+), 6 deletions(-) + +Index: curl-7.47.0/lib/parsedate.c +=================================================================== +--- curl-7.47.0.orig/lib/parsedate.c 2016-11-02 14:21:02.103248713 -0400 ++++ curl-7.47.0/lib/parsedate.c 2016-11-02 14:21:02.091248644 -0400 +@@ -5,7 +5,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2014, Daniel Stenberg, , et al. ++ * Copyright (C) 1998 - 2016, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -386,15 +386,17 @@ + /* a digit */ + int val; + char *end; ++ int len=0; + if((secnum == -1) && +- (3 == sscanf(date, "%02d:%02d:%02d", &hournum, &minnum, &secnum))) { ++ (3 == sscanf(date, "%02d:%02d:%02d%n", ++ &hournum, &minnum, &secnum, &len))) { + /* time stamp! 
*/ +- date += 8; ++ date += len; + } + else if((secnum == -1) && +- (2 == sscanf(date, "%02d:%02d", &hournum, &minnum))) { ++ (2 == sscanf(date, "%02d:%02d%n", &hournum, &minnum, &len))) { + /* time stamp without seconds */ +- date += 5; ++ date += len; + secnum = 0; + } + else { +Index: curl-7.47.0/tests/data/test517 +=================================================================== +--- curl-7.47.0.orig/tests/data/test517 2016-11-02 14:21:02.103248713 -0400 ++++ curl-7.47.0/tests/data/test517 2016-11-02 14:21:02.103248713 -0400 +@@ -116,6 +116,12 @@ + 81: 20111323 12:34:56 => -1 + 82: 20110623 12:34:79 => -1 + 83: Wed, 31 Dec 2008 23:59:60 GMT => 1230768000 ++84: 20110623 12:3 => 1308830580 ++85: 20110623 1:3 => 1308790980 ++86: 20110623 1:30 => 1308792600 ++87: 20110623 12:12:3 => 1308831123 ++88: 20110623 01:12:3 => 1308791523 ++89: 20110623 01:99:30 => -1 + + + # This test case previously tested an overflow case ("2094 Nov 6 => +Index: curl-7.47.0/tests/libtest/lib517.c +=================================================================== +--- curl-7.47.0.orig/tests/libtest/lib517.c 2016-11-02 14:21:02.103248713 -0400 ++++ curl-7.47.0/tests/libtest/lib517.c 2016-11-02 14:21:02.103248713 -0400 +@@ -5,7 +5,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2011, Daniel Stenberg, , et al. ++ * Copyright (C) 1998 - 2016, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. 
The terms +@@ -116,6 +116,12 @@ + "20111323 12:34:56", + "20110623 12:34:79", + "Wed, 31 Dec 2008 23:59:60 GMT", /* leap second */ ++ "20110623 12:3", ++ "20110623 1:3", ++ "20110623 1:30", ++ "20110623 12:12:3", ++ "20110623 01:12:3", ++ "20110623 01:99:30", + NULL + }; + diff -Nru curl-7.47.0/debian/patches/CVE-2016-8622.patch curl-7.47.0/debian/patches/CVE-2016-8622.patch --- curl-7.47.0/debian/patches/CVE-2016-8622.patch 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.47.0/debian/patches/CVE-2016-8622.patch 2016-11-02 18:22:28.000000000 +0000 
@@ -0,0 +1,101 @@ +Backport of: + +From 71da91453899ba20b28ee9712620e323145a0ee5 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 4 Oct 2016 18:56:45 +0200 +Subject: [PATCH] unescape: avoid integer overflow + +CVE-2016-8622 + +Bug: https://curl.haxx.se/docs/adv_20161102H.html +Reported-by: Cure53 +--- + docs/libcurl/curl_easy_unescape.3 | 7 +++++-- + lib/dict.c | 10 +++++----- + lib/escape.c | 10 ++++++++-- + 3 files changed, 18 insertions(+), 9 deletions(-) + +Index: curl-7.47.0/docs/libcurl/curl_easy_unescape.3 +=================================================================== +--- curl-7.47.0.orig/docs/libcurl/curl_easy_unescape.3 2016-11-02 14:21:52.043533214 -0400 ++++ curl-7.47.0/docs/libcurl/curl_easy_unescape.3 2016-11-02 14:21:52.043533214 -0400 +@@ -5,7 +5,7 @@ + .\" * | (__| |_| | _ <| |___ + .\" * \___|\___/|_| \_\_____| + .\" * +-.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, , et al. ++.\" * Copyright (C) 1998 - 2016, Daniel Stenberg, , et al. + .\" * + .\" * This software is licensed as described in the file COPYING, which + .\" * you should have received as part of this distribution. The terms +@@ -40,7 +40,10 @@ + + If \fBoutlength\fP is non-NULL, the function will write the length of the + returned string in the integer it points to. This allows an escaped string +-containing %00 to still get used properly after unescaping. ++containing %00 to still get used properly after unescaping. Since this is a ++pointer to an \fIint\fP type, it can only return a value up to INT_MAX so no ++longer string can be unescaped if the string length is returned in this ++parameter. + + You must \fIcurl_free(3)\fP the returned string when you're done with it. 
+ .SH AVAILABILITY +Index: curl-7.47.0/lib/dict.c +=================================================================== +--- curl-7.47.0.orig/lib/dict.c 2016-11-02 14:21:52.043533214 -0400 ++++ curl-7.47.0/lib/dict.c 2016-11-02 14:21:52.043533214 -0400 +@@ -5,7 +5,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2015, Daniel Stenberg, , et al. ++ * Copyright (C) 1998 - 2016, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -52,7 +52,7 @@ + #include + #include "transfer.h" + #include "sendf.h" +- ++#include "escape.h" + #include "progress.h" + #include "strequal.h" + #include "dict.h" +@@ -96,12 +96,12 @@ + char *newp; + char *dictp; + char *ptr; +- int len; ++ size_t len; + char ch; + int olen=0; + +- newp = curl_easy_unescape(data, inputbuff, 0, &len); +- if(!newp) ++ CURLcode result = Curl_urldecode(data, inputbuff, 0, &newp, &len, FALSE); ++ if(!newp || result) + return NULL; + + dictp = malloc(((size_t)len)*2 + 1); /* add one for terminating zero */ +Index: curl-7.47.0/lib/escape.c +=================================================================== +--- curl-7.47.0.orig/lib/escape.c 2016-11-02 14:21:52.043533214 -0400 ++++ curl-7.47.0/lib/escape.c 2016-11-02 14:21:52.043533214 -0400 +@@ -224,8 +224,14 @@ + FALSE); + if(res) + return NULL; +- if(olen) +- *olen = curlx_uztosi(outputlen); ++ ++ if(olen) { ++ if(outputlen <= (size_t) INT_MAX) ++ *olen = curlx_uztosi(outputlen); ++ else ++ /* too large to return in an int, fail! */ ++ Curl_safefree(str); ++ } + } + return str; + } diff -Nru curl-7.47.0/debian/patches/CVE-2016-8623.patch curl-7.47.0/debian/patches/CVE-2016-8623.patch --- curl-7.47.0/debian/patches/CVE-2016-8623.patch 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.47.0/debian/patches/CVE-2016-8623.patch 2016-11-02 18:22:40.000000000 +0000 
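Review bot: In lib/dict.c `newp` is declared without an initialiser (`char *newp;` in the context lines) and the new test `if(!newp || result)` reads it before looking at `result`, so if `Curl_urldecode()` fails without storing through its output pointer the check reads an indeterminate value. Test the status first and give the pointer a defined start: `char *newp = NULL;` and `if(result || !newp) return NULL;`. Whether `Curl_urldecode()` always writes the output pointer on failure is not visible in this patch, and the function body starts and ends outside the hunk.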
@@ -0,0 +1,168 @@ +From d9d57fe0da6f25d05570fd583520ecd321ed9c3f Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 4 Oct 2016 23:26:13 +0200 +Subject: [PATCH] cookies: getlist() now holds deep copies of all cookies + +Previously it only held references to them, which was reckless as the +thread lock was released so the cookies could get modified by other +handles that share the same cookie jar over the share interface. + +CVE-2016-8623 + +Bug: https://curl.haxx.se/docs/adv_20161102I.html +Reported-by: Cure53 +--- + lib/cookie.c | 61 +++++++++++++++++++++++++++++++++++++++--------------------- + lib/cookie.h | 4 ++-- + lib/http.c | 2 +- + 3 files changed, 43 insertions(+), 24 deletions(-) + +Index: curl-7.47.0/lib/cookie.c +=================================================================== +--- curl-7.47.0.orig/lib/cookie.c 2016-11-02 14:22:37.807793925 -0400 ++++ curl-7.47.0/lib/cookie.c 2016-11-02 14:22:37.803793903 -0400 +@@ -1040,6 +1040,40 @@ + return 0; + } + ++#define CLONE(field) \ ++ do { \ ++ if(src->field) { \ ++ dup->field = strdup(src->field); \ ++ if(!dup->field) \ ++ goto fail; \ ++ } \ ++ } while(0) ++ ++static struct Cookie *dup_cookie(struct Cookie *src) ++{ ++ struct Cookie *dup = calloc(sizeof(struct Cookie), 1); ++ if(dup) { ++ CLONE(expirestr); ++ CLONE(domain); ++ CLONE(path); ++ CLONE(spath); ++ CLONE(name); ++ CLONE(value); ++ CLONE(maxage); ++ CLONE(version); ++ dup->expires = src->expires; ++ dup->tailmatch = src->tailmatch; ++ dup->secure = src->secure; ++ dup->livecookie = src->livecookie; ++ dup->httponly = src->httponly; ++ } ++ return dup; ++ ++ fail: ++ freecookie(dup); ++ return NULL; ++} ++ + /***************************************************************************** + * + * Curl_cookie_getlist() +@@ -1095,11 +1129,8 @@ + /* and now, we know this is a match and we should create an + entry for the return-linked-list */ + +- newco = malloc(sizeof(struct Cookie)); ++ newco = dup_cookie(co); + if(newco) { +- /* first, 
copy the whole source cookie: */ +- memcpy(newco, co, sizeof(struct Cookie)); +- + /* then modify our next */ + newco->next = mainco; + +@@ -1111,12 +1142,7 @@ + else { + fail: + /* failure, clear up the allocated chain and return NULL */ +- while(mainco) { +- co = mainco->next; +- free(mainco); +- mainco = co; +- } +- ++ Curl_cookie_freelist(mainco); + return NULL; + } + } +@@ -1168,7 +1194,7 @@ + void Curl_cookie_clearall(struct CookieInfo *cookies) + { + if(cookies) { +- Curl_cookie_freelist(cookies->cookies, TRUE); ++ Curl_cookie_freelist(cookies->cookies); + cookies->cookies = NULL; + cookies->numcookies = 0; + } +@@ -1180,21 +1206,14 @@ + * + * Free a list of cookies previously returned by Curl_cookie_getlist(); + * +- * The 'cookiestoo' argument tells this function whether to just free the +- * list or actually also free all cookies within the list as well. +- * + ****************************************************************************/ + +-void Curl_cookie_freelist(struct Cookie *co, bool cookiestoo) ++void Curl_cookie_freelist(struct Cookie *co) + { + struct Cookie *next; + while(co) { + next = co->next; +- if(cookiestoo) +- freecookie(co); +- else +- free(co); /* we only free the struct since the "members" are all just +- pointed out in the main cookie list! */ ++ freecookie(co); + co = next; + } + } +@@ -1249,7 +1268,7 @@ + { + if(c) { + free(c->filename); +- Curl_cookie_freelist(c->cookies, TRUE); ++ Curl_cookie_freelist(c->cookies); + free(c); /* free the base struct as well */ + } + } +Index: curl-7.47.0/lib/cookie.h +=================================================================== +--- curl-7.47.0.orig/lib/cookie.h 2016-11-02 14:22:37.807793925 -0400 ++++ curl-7.47.0/lib/cookie.h 2016-11-02 14:22:37.803793903 -0400 +@@ -7,7 +7,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2011, Daniel Stenberg, , et al. ++ * Copyright (C) 1998 - 2016, Daniel Stenberg, , et al. 
+ * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -82,7 +82,7 @@ + + struct Cookie *Curl_cookie_getlist(struct CookieInfo *, const char *, + const char *, bool); +-void Curl_cookie_freelist(struct Cookie *cookies, bool cookiestoo); ++void Curl_cookie_freelist(struct Cookie *cookies); + void Curl_cookie_clearall(struct CookieInfo *cookies); + void Curl_cookie_clearsess(struct CookieInfo *cookies); + +Index: curl-7.47.0/lib/http.c +=================================================================== +--- curl-7.47.0.orig/lib/http.c 2016-11-02 14:22:37.807793925 -0400 ++++ curl-7.47.0/lib/http.c 2016-11-02 14:22:37.803793903 -0400 +@@ -2384,7 +2384,7 @@ + } + co = co->next; /* next cookie please */ + } +- Curl_cookie_freelist(store, FALSE); /* free the cookie list */ ++ Curl_cookie_freelist(store); + } + if(addcookies && !result) { + if(!count) diff -Nru curl-7.47.0/debian/patches/CVE-2016-8624.patch curl-7.47.0/debian/patches/CVE-2016-8624.patch --- curl-7.47.0/debian/patches/CVE-2016-8624.patch 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.47.0/debian/patches/CVE-2016-8624.patch 2016-11-02 18:24:20.000000000 +0000 
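Review bot: `dup_cookie()` and the `CLONE` macro in lib/cookie.c are added without any comment, and the macro hides a `goto fail` and depends on locals named exactly `src` and `dup`, which is easy to break when `struct Cookie` gains a field. I would put a header comment on `dup_cookie()` saying that it returns a deep copy owning its own strings, that `next` is left NULL by `calloc()`, and that the result is released with `freecookie()` or `Curl_cookie_freelist()`; add `#undef CLONE` after the function; and note beside the field list that every new `char *` member needs a `CLONE()` line, since a missed one is silently NULL in the copy. `calloc(sizeof(struct Cookie), 1)` has count and size swapped relative to the usual `calloc(1, sizeof(struct Cookie))`, harmless but worth normalising. Whether the copies are taken while the share lock is still held depends on code outside these hunks and cannot be confirmed here.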
@@ -0,0 +1,57 @@ +Backport of: + +From 6604d4df30aec66db6f5bd51ee3c341dd7329fcf Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 11 Oct 2016 00:48:35 +0200 +Subject: [PATCH] urlparse: accept '#' as end of host name +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +'http://example.com#@127.0.0.1/x.txt' equals a request to example.com +for the '/' document with the rest of the URL being a fragment. + +CVE-2016-8624 + +Bug: https://curl.haxx.se/docs/adv_20161102J.html +Reported-by: Fernando Muñoz +--- + lib/url.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +Index: curl-7.47.0/lib/url.c +=================================================================== +--- curl-7.47.0.orig/lib/url.c 2016-11-02 14:22:47.155847180 -0400 ++++ curl-7.47.0/lib/url.c 2016-11-02 14:24:05.428293085 -0400 +@@ -4086,7 +4086,7 @@ + path[0]=0; + + if(2 > sscanf(data->change.url, +- "%15[^\n:]://%[^\n/?]%[^\n]", ++ "%15[^\n:]://%[^\n/?#]%[^\n]", + protobuf, + conn->host.name, path)) { + +@@ -4094,7 +4094,7 @@ + * The URL was badly formatted, let's try the browser-style _without_ + * protocol specified like 'http://'. + */ +- rc = sscanf(data->change.url, "%[^\n/?]%[^\n]", conn->host.name, path); ++ rc = sscanf(data->change.url, "%[^\n/?#]%[^\n]", conn->host.name, path); + if(1 > rc) { + /* + * We couldn't even get this format. +@@ -4184,10 +4184,10 @@ + } + + /* If the URL is malformatted (missing a '/' after hostname before path) we +- * insert a slash here. The only letter except '/' we accept to start a path +- * is '?'. ++ * insert a slash here. The only letters except '/' that can start a path is ++ * '?' and '#' - as controlled by the two sscanf() patterns above. + */ +- if(path[0] == '?') { ++ if(path[0] != '/') { + /* We need this function to deal with overlapping memory areas. We know + that the memory area 'path' points to is 'urllen' bytes big and that + is bigger than the path. 
Use +1 to move the zero byte too. */ diff -Nru curl-7.47.0/debian/patches/CVE-2016-9586.patch curl-7.47.0/debian/patches/CVE-2016-9586.patch --- curl-7.47.0/debian/patches/CVE-2016-9586.patch 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.47.0/debian/patches/CVE-2016-9586.patch 2017-10-04 18:58:09.000000000 +0000 
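Review bot: No regression test accompanies this parser change: the diffstat of the backport lists only lib/url.c, while the other fixes in this upload add a tests/data case. A test for the URL quoted in the commit message, `http://example.com#@127.0.0.1/x.txt`, asserting that the request goes to example.com, would pin the behaviour. Separately, the new condition `if(path[0] != '/')` is broader than the comment above it says. It is also true for an empty path (`path[0]=0;` at the top of the first inner hunk), so the memmove branch runs for every URL without a path unless code outside the hunk has already set one. I would say so in the comment, e.g. `/* path is empty or starts with '?' or '#' here; prepend the missing '/' */`.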
@@ -0,0 +1,244 @@ +Backport of: + +From 3ab3c16db6a5674f53cf23d56512a405fde0b2c9 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 8 Nov 2016 15:32:37 +0100 +Subject: [PATCH] printf: fix floating point buffer overflow issues + +... and add a bunch of floating point printf tests +--- + lib/mprintf.c | 20 +++++++- + tests/data/test557 | 1 + + tests/libtest/lib557.c | 136 +++++++++++++++++++++++++++++++++++++++++++++++-- + 3 files changed, 152 insertions(+), 5 deletions(-) + +Index: curl-7.47.0/lib/mprintf.c +=================================================================== +--- curl-7.47.0.orig/lib/mprintf.c 2017-10-04 14:57:52.517665497 -0400 ++++ curl-7.47.0/lib/mprintf.c 2017-10-04 14:58:06.221841347 -0400 +@@ -97,7 +97,8 @@ + # define mp_uintmax_t unsigned long + #endif + +-#define BUFFSIZE 256 /* buffer for long-to-str and float-to-str calcs */ ++#define BUFFSIZE 326 /* buffer for long-to-str and float-to-str calcs, should ++ fit negative DBL_MAX (317 letters) */ + #define MAX_PARAMETERS 128 /* lame static limit */ + + #ifdef __AMIGA__ +@@ -306,7 +307,6 @@ static long dprintf_Pass1(const char *fo + flags |= FLAGS_ALT; + break; + case '.': +- flags |= FLAGS_PREC; + if('*' == *fmt) { + /* The precision is picked from a specified parameter */ + +@@ -892,12 +892,25 @@ static int dprintf_formatf( + *fptr = 0; + + if(width >= 0) { ++ if(width >= (long)sizeof(work)) ++ width = sizeof(work)-1; + /* RECURSIVE USAGE */ + len = curl_msnprintf(fptr, left, "%ld", width); + fptr += len; + left -= len; + } + if(prec >= 0) { ++ /* for each digit in the integer part, we can have one less ++ precision */ ++ size_t maxprec = sizeof(work) - 2; ++ double val = p->data.dnum; ++ while(val >= 10.0) { ++ val /= 10; ++ maxprec--; ++ } ++ ++ if(prec > (long)maxprec) ++ prec = maxprec-1; + /* RECURSIVE USAGE */ + len = curl_msnprintf(fptr, left, ".%ld", prec); + fptr += len; +@@ -917,7 +930,9 @@ static int dprintf_formatf( + /* NOTE NOTE NOTE!! 
Not all sprintf implementations return number of + output characters */ + (sprintf)(work, formatbuf, p->data.dnum); +- ++#ifdef CURLDEBUG ++ assert(strlen(work) <= sizeof(work)); ++#endif + for(fptr=work; *fptr; fptr++) + OUTCHAR(*fptr); + } +Index: curl-7.47.0/tests/data/test557 +=================================================================== +--- curl-7.47.0.orig/tests/data/test557 2017-10-04 14:57:52.517665497 -0400 ++++ curl-7.47.0/tests/data/test557 2017-10-04 14:57:52.517665497 -0400 +@@ -39,6 +39,7 @@ All curl_mprintf() signed int tests OK! + All curl_mprintf() unsigned long tests OK! + All curl_mprintf() signed long tests OK! + All curl_mprintf() curl_off_t tests OK! ++All float strings tests OK! + + + +Index: curl-7.47.0/tests/libtest/lib557.c +=================================================================== +--- curl-7.47.0.orig/tests/libtest/lib557.c 2017-10-04 14:57:52.517665497 -0400 ++++ curl-7.47.0/tests/libtest/lib557.c 2017-10-04 14:57:52.517665497 -0400 +@@ -1371,6 +1371,145 @@ static int test_curl_off_t_formatting(vo + return failed; + } + ++static int _string_check(int linenumber, char *buf, const char *buf2) ++{ ++ if(strcmp(buf, buf2)) { ++ /* they shouldn't differ */ ++ printf("sprintf line %d failed:\nwe '%s'\nsystem: '%s'\n", ++ linenumber, buf, buf2); ++ return 1; ++ } ++ return 0; ++} ++#define string_check(x,y) _string_check(__LINE__, x, y) ++ ++static int _strlen_check(int linenumber, char *buf, size_t len) ++{ ++ size_t buflen = strlen(buf); ++ if(len != buflen) { ++ /* they shouldn't differ */ ++ printf("sprintf strlen:%d failed:\nwe '%d'\nsystem: '%d'\n", ++ linenumber, buflen, len); ++ return 1; ++ } ++ return 0; ++} ++ ++#define strlen_check(x,y) _strlen_check(__LINE__, x, y) ++ ++/* DBL_MAX value from Linux */ ++#define MAXIMIZE -1.7976931348623157081452E+308 ++ ++static int test_float_formatting(void) ++{ ++ int errors = 0; ++ char buf[512]; /* larger than max float size */ ++ curl_msnprintf(buf, sizeof(buf), "%f", 9.0); 
++ errors += string_check(buf, "9.000000"); ++ ++ curl_msnprintf(buf, sizeof(buf), "%.1f", 9.1); ++ errors += string_check(buf, "9.1"); ++ ++ curl_msnprintf(buf, sizeof(buf), "%.2f", 9.1); ++ errors += string_check(buf, "9.10"); ++ ++ curl_msnprintf(buf, sizeof(buf), "%.0f", 9.1); ++ errors += string_check(buf, "9"); ++ ++ curl_msnprintf(buf, sizeof(buf), "%0f", 9.1); ++ errors += string_check(buf, "9.100000"); ++ ++ curl_msnprintf(buf, sizeof(buf), "%10f", 9.1); ++ errors += string_check(buf, " 9.100000"); ++ ++ curl_msnprintf(buf, sizeof(buf), "%10.3f", 9.1); ++ errors += string_check(buf, " 9.100"); ++ ++ curl_msnprintf(buf, sizeof(buf), "%-10.3f", 9.1); ++ errors += string_check(buf, "9.100 "); ++ ++ curl_msnprintf(buf, sizeof(buf), "%-10.3f", 9.123456); ++ errors += string_check(buf, "9.123 "); ++ ++ curl_msnprintf(buf, sizeof(buf), "%.-2f", 9.1); ++ errors += string_check(buf, "9.100000"); ++ ++ curl_msnprintf(buf, sizeof(buf), "%*f", 10, 9.1); ++ errors += string_check(buf, " 9.100000"); ++ ++ curl_msnprintf(buf, sizeof(buf), "%*f", 3, 9.1); ++ errors += string_check(buf, "9.100000"); ++ ++ curl_msnprintf(buf, sizeof(buf), "%*f", 6, 9.2987654); ++ errors += string_check(buf, "9.298765"); ++ ++ curl_msnprintf(buf, sizeof(buf), "%*f", 6, 9.298765); ++ errors += string_check(buf, "9.298765"); ++ ++ curl_msnprintf(buf, sizeof(buf), "%*f", 6, 9.29876); ++ errors += string_check(buf, "9.298760"); ++ ++ curl_msnprintf(buf, sizeof(buf), "%.*f", 6, 9.2987654); ++ errors += string_check(buf, "9.298765"); ++ curl_msnprintf(buf, sizeof(buf), "%.*f", 5, 9.2987654); ++ errors += string_check(buf, "9.29877"); ++ curl_msnprintf(buf, sizeof(buf), "%.*f", 4, 9.2987654); ++ errors += string_check(buf, "9.2988"); ++ curl_msnprintf(buf, sizeof(buf), "%.*f", 3, 9.2987654); ++ errors += string_check(buf, "9.299"); ++ curl_msnprintf(buf, sizeof(buf), "%.*f", 2, 9.2987654); ++ errors += string_check(buf, "9.30"); ++ curl_msnprintf(buf, sizeof(buf), "%.*f", 1, 9.2987654); ++ errors 
+= string_check(buf, "9.3"); ++ curl_msnprintf(buf, sizeof(buf), "%.*f", 0, 9.2987654); ++ errors += string_check(buf, "9"); ++ ++ /* very large precisions easily turn into system specific outputs so we only ++ check the output buffer length here as we know the internal limit */ ++ ++ curl_msnprintf(buf, sizeof(buf), "%.*f", (1<<30), 9.2987654); ++ errors += strlen_check(buf, 325); ++ ++ curl_msnprintf(buf, sizeof(buf), "%10000.10000f", 9.2987654); ++ errors += strlen_check(buf, 325); ++ ++ curl_msnprintf(buf, sizeof(buf), "%240.10000f", ++ 123456789123456789123456789.2987654); ++ errors += strlen_check(buf, 325); ++ ++ /* 1<<31 turns negative (-2147483648) when used signed */ ++ curl_msnprintf(buf, sizeof(buf), "%*f", (1<<31), 9.1); ++ errors += string_check(buf, "9.100000"); ++ ++ /* curl_msnprintf() limits a single float output to 325 bytes maximum ++ width */ ++ curl_msnprintf(buf, sizeof(buf), "%*f", (1<<30), 9.1); ++ errors += string_check(buf, " 9.100000"); ++ curl_msnprintf(buf, sizeof(buf), "%100000f", 9.1); ++ errors += string_check(buf, " 9.100000"); ++ ++ curl_msnprintf(buf, sizeof(buf), "%f", MAXIMIZE); ++ errors += strlen_check(buf, 317); ++ ++ curl_msnprintf(buf, 2, "%f", MAXIMIZE); ++ errors += strlen_check(buf, 1); ++ curl_msnprintf(buf, 3, "%f", MAXIMIZE); ++ errors += strlen_check(buf, 2); ++ curl_msnprintf(buf, 4, "%f", MAXIMIZE); ++ errors += strlen_check(buf, 3); ++ curl_msnprintf(buf, 5, "%f", MAXIMIZE); ++ errors += strlen_check(buf, 4); ++ curl_msnprintf(buf, 6, "%f", MAXIMIZE); ++ errors += strlen_check(buf, 5); ++ ++ if(!errors) ++ printf("All float strings tests OK!\n"); ++ else ++ printf("test_float_formatting Failed!\n"); ++ ++ return errors; ++} ++ + + int test(char *URL) + { +@@ -1391,6 +1530,8 @@ int test(char *URL) + + errors += test_curl_off_t_formatting(); + ++ errors += test_float_formatting(); ++ + if(errors) + return TEST_ERR_MAJOR_BAD; + else diff -Nru curl-7.47.0/debian/patches/CVE-2017-1000100.patch 
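Review bot: The precision clamp in dprintf_formatf() counts integer digits only for positive values. `while(val >= 10.0)` never runs when `p->data.dnum` is negative, so `maxprec` stays at `sizeof(work) - 2` and a large-magnitude negative number with a large precision can still produce more characters than `work` holds. Taking the magnitude first, `double val = p->data.dnum < 0 ? -p->data.dnum : p->data.dnum;`, closes that gap; the new tests exercise the negative `MAXIMIZE` value only with the default precision. The write itself is still the unbounded `(sprintf)(work, formatbuf, p->data.dnum);`, and the debug check runs after it and is off by one: `assert(strlen(work) < sizeof(work));` is the condition that leaves room for the terminator. The function body extends beyond the hunk, so `work` being `BUFFSIZE` bytes is an assumption to confirm.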
curl-7.47.0/debian/patches/CVE-2017-1000100.patch
--- curl-7.47.0/debian/patches/CVE-2017-1000100.patch 1970-01-01 00:00:00.000000000 +0000
+++ curl-7.47.0/debian/patches/CVE-2017-1000100.patch 2017-10-04 12:49:00.000000000 +0000
@@ -0,0 +1,36 @@
+Backport of:
+
+From 358b2b131ad6c095696f20dcfa62b8305263f898 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Tue, 1 Aug 2017 17:16:46 +0200
+Subject: [PATCH] tftp: reject file name lengths that don't fit
+
+... and thereby avoid telling send() to send off more bytes than the
+size of the buffer!
+
+CVE-2017-1000100
+
+Bug: https://curl.haxx.se/docs/adv_20170809B.html
+Reported-by: Even Rouault
+
+Credit to OSS-Fuzz for the discovery
+---
+ lib/tftp.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+Index: curl-7.47.0/lib/tftp.c
+===================================================================
+--- curl-7.47.0.orig/lib/tftp.c 2017-10-04 08:48:25.119189759 -0400
++++ curl-7.47.0/lib/tftp.c 2017-10-04 08:48:25.115189708 -0400
+@@ -489,6 +489,11 @@ static CURLcode tftp_send_first(tftp_sta
+ if(!filename)
+ return CURLE_OUT_OF_MEMORY;
+
++ if(strlen(filename) > (state->blksize - strlen(mode) - 4)) {
++ failf(data, "TFTP file name too long\n");
++ return CURLE_TFTP_ILLEGAL; /* too long file name field */
++ }
++
+ snprintf((char *)state->spacket.data+2,
+ state->blksize,
+ "%s%c%s%c", filename, '\0', mode, '\0');
diff -Nru curl-7.47.0/debian/patches/CVE-2017-1000101.patch curl-7.47.0/debian/patches/CVE-2017-1000101.patch
--- curl-7.47.0/debian/patches/CVE-2017-1000101.patch 1970-01-01 00:00:00.000000000 +0000
+++ curl-7.47.0/debian/patches/CVE-2017-1000101.patch 2017-10-04 15:19:23.000000000 +0000
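Review bot: The new length check subtracts in unsigned arithmetic. `strlen()` returns size_t, so in `state->blksize - strlen(mode) - 4` a block size smaller than `strlen(mode) + 4` wraps to a very large value and the check can never fire. Writing it as an addition avoids the wrap: `if(strlen(filename) + strlen(mode) + 4 > (size_t)state->blksize) {`. The snprintf() below still passes `state->blksize` as its size while writing at `state->spacket.data+2`; whether the allocation includes those extra bytes is outside the hunk and worth confirming. tftp_send_first() starts and ends outside the hunk.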
@@ -0,0 +1,90 @@ +Backport of: + +From 453e7a7a03a2cec749abd3878a48e728c515cca7 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 1 Aug 2017 17:16:07 +0200 +Subject: [PATCH] glob: do not continue parsing after a strtoul() overflow + range + +Added test 1289 to verify. + +CVE-2017-1000101 + +Bug: https://curl.haxx.se/docs/adv_20170809A.html +Reported-by: Brian Carpenter +--- + src/tool_urlglob.c | 5 ++++- + tests/data/Makefile.inc | 2 +- + tests/data/test1289 | 35 +++++++++++++++++++++++++++++++++++ + 3 files changed, 40 insertions(+), 2 deletions(-) + create mode 100644 tests/data/test1289 + +Index: curl-7.47.0/src/tool_urlglob.c +=================================================================== +--- curl-7.47.0.orig/src/tool_urlglob.c 2017-10-04 11:18:46.342125489 -0400 ++++ curl-7.47.0/src/tool_urlglob.c 2017-10-04 11:18:46.326125274 -0400 +@@ -267,7 +267,10 @@ static CURLcode glob_range(URLGlob *glob + } + errno = 0; + max_n = strtoul(pattern, &endp, 10); +- if(errno || (*endp == ':')) { ++ if(errno) ++ /* overflow */ ++ endp = NULL; ++ else if(*endp == ':') { + pattern = endp+1; + errno = 0; + step_n = strtoul(pattern, &endp, 10); +Index: curl-7.47.0/tests/data/test1289 +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ curl-7.47.0/tests/data/test1289 2017-10-04 11:18:46.338125435 -0400 +@@ -0,0 +1,35 @@ ++ ++ ++ ++HTTP ++HTTP GET ++globbing ++ ++ ++ ++# ++# Server-side ++ ++ ++ ++# Client-side ++ ++ ++http ++ ++ ++globbing with overflow and bad syntxx ++ ++ ++http://ur%20[0-60000000000000000000 ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++# curl: (3) [globbing] bad range in column ++ ++3 ++ ++ ++ +Index: curl-7.47.0/tests/data/Makefile.inc +=================================================================== +--- curl-7.47.0.orig/tests/data/Makefile.inc 2017-10-04 11:18:35.000000000 -0400 ++++ curl-7.47.0/tests/data/Makefile.inc 2017-10-04 11:19:18.094552865 
-0400 +@@ -126,7 +126,7 @@ test1208 test1209 test1210 test1211 test + test1216 test1217 test1218 test1219 \ + test1220 test1221 test1222 test1223 test1224 test1225 test1226 test1227 \ + test1228 test1229 test1230 test1231 test1232 test1233 test1234 test1235 \ +-test1236 test1237 test1238 test1239 test1240 test1241 \ ++test1236 test1237 test1238 test1239 test1240 test1241 test1289 \ + \ + test1300 test1301 test1302 test1303 test1304 test1305 test1306 test1307 \ + test1308 test1309 test1310 test1311 test1312 test1313 test1314 test1315 \ diff -Nru curl-7.47.0/debian/patches/CVE-2017-1000254.patch curl-7.47.0/debian/patches/CVE-2017-1000254.patch --- curl-7.47.0/debian/patches/CVE-2017-1000254.patch 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.47.0/debian/patches/CVE-2017-1000254.patch 2017-10-04 12:50:39.000000000 +0000 
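Review bot: The overflow branch in glob_range() is an unbraced `if` whose body is a comment plus one statement, directly followed by a braced `else if`. Bracing it, `if(errno) { /* overflow */ endp = NULL; }`, keeps a later edit from detaching the assignment. The step value parsed on the last visible line, `step_n = strtoul(pattern, &endp, 10);`, needs the same `errno` treatment. Both that check and the code that consumes `endp == NULL` are outside the hunk, so they should be verified against the full function. Note also that strtoul() reports only range errors through errno and silently accepts a sign or leading blanks, so input that must be plain digits needs its own check before the call, if one is not already made above the hunk.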
@@ -0,0 +1,131 @@ +Backport of: + +From 5ff2c5ff25750aba1a8f64fbcad8e5b891512584 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 25 Sep 2017 00:35:22 +0200 +Subject: [PATCH] FTP: zero terminate the entry path even on bad input + +... a single double quote could leave the entry path buffer without a zero +terminating byte. CVE-2017-1000254 + +Test 1152 added to verify. + +Reported-by: Max Dymond +Bug: https://curl.haxx.se/docs/adv_20171004.html +--- + lib/ftp.c | 7 ++++-- + tests/data/Makefile.inc | 1 + + tests/data/test1152 | 61 +++++++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 67 insertions(+), 2 deletions(-) + create mode 100644 tests/data/test1152 + +Index: curl-7.47.0/lib/ftp.c +=================================================================== +--- curl-7.47.0.orig/lib/ftp.c 2017-10-04 08:49:58.552358108 -0400 ++++ curl-7.47.0/lib/ftp.c 2017-10-04 08:49:58.552358108 -0400 +@@ -2885,6 +2885,7 @@ static CURLcode ftp_statemach_act(struct + char *ptr=&data->state.buffer[4]; /* start on the first letter */ + char *dir; + char *store; ++ bool entry_extracted = FALSE; + + dir = malloc(nread + 1); + if(!dir) +@@ -2916,7 +2917,7 @@ static CURLcode ftp_statemach_act(struct + } + else { + /* end of path */ +- *store = '\0'; /* zero terminate */ ++ entry_extracted = TRUE; + break; /* get out of this loop */ + } + } +@@ -2925,7 +2926,9 @@ static CURLcode ftp_statemach_act(struct + store++; + ptr++; + } +- ++ *store = '\0'; /* zero terminate */ ++ } ++ if(entry_extracted) { + /* If the path name does not look like an absolute path (i.e.: it + does not start with a '/'), we probably need some server-dependent + adjustments. 
For example, this is the case when connecting to +Index: curl-7.47.0/tests/data/Makefile.inc +=================================================================== +--- curl-7.47.0.orig/tests/data/Makefile.inc 2017-10-04 08:49:58.552358108 -0400 ++++ curl-7.47.0/tests/data/Makefile.inc 2017-10-04 08:50:08.068477006 -0400 +@@ -120,6 +120,7 @@ test1112 test1113 test1114 test1115 test + test1120 test1121 test1122 test1123 test1124 test1125 test1126 test1127 \ + test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \ + test1136 test1137 test1138 \ ++test1152 \ + \ + test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \ + test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \ +Index: curl-7.47.0/tests/data/test1152 +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ curl-7.47.0/tests/data/test1152 2017-10-04 08:49:58.552358108 -0400 +@@ -0,0 +1,61 @@ ++ ++ ++ ++FTP ++PASV ++LIST ++ ++ ++# ++# Server-side ++ ++ ++REPLY PWD 257 "just one ++ ++ ++# When doing LIST, we get the default list output hard-coded in the test ++# FTP server ++ ++total 20 ++drwxr-xr-x 8 98 98 512 Oct 22 13:06 . ++drwxr-xr-x 8 98 98 512 Oct 22 13:06 .. 
++drwxr-xr-x 2 98 98 512 May 2 1996 curl-releases ++-r--r--r-- 1 0 1 35 Jul 16 1996 README ++lrwxrwxrwx 1 0 1 7 Dec 9 1999 bin -> usr/bin ++dr-xr-xr-x 2 0 1 512 Oct 1 1997 dev ++drwxrwxrwx 2 98 98 512 May 29 16:04 download.html ++dr-xr-xr-x 2 0 1 512 Nov 30 1995 etc ++drwxrwxrwx 2 98 1 512 Oct 30 14:33 pub ++dr-xr-xr-x 5 0 1 512 Oct 1 1997 usr ++ ++ ++ ++# ++# Client-side ++ ++ ++ftp ++ ++ ++FTP with uneven quote in PWD response ++ ++ ++ftp://%HOSTIP:%FTPPORT/test-1152/ ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++USER anonymous ++PASS ftp@example.com ++PWD ++CWD test-1152 ++EPSV ++TYPE A ++LIST ++QUIT ++ ++ ++ diff -Nru curl-7.47.0/debian/patches/CVE-2017-1000257.patch curl-7.47.0/debian/patches/CVE-2017-1000257.patch --- curl-7.47.0/debian/patches/CVE-2017-1000257.patch 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.47.0/debian/patches/CVE-2017-1000257.patch 2017-10-17 17:53:44.000000000 +0000 
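Review bot: `entry_extracted` now decides whether `dir` is used, but the branch taken when it stays FALSE is outside the hunk. From here it is not visible that `dir` (from `malloc(nread + 1)`) is freed on the bad-input path, and that is the thing to confirm in the full ftp_statemach_act(). The flag also deserves a comment at its declaration, e.g. `/* TRUE once the end of the quoted path was found */`, because `*store = '\0';` is now unconditional and the terminator no longer signals success.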
@@ -0,0 +1,26 @@
+From 2d119e90f8669e3c358468298941f48c15253f97 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Sat, 7 Oct 2017 00:11:31 +0200
+Subject: [PATCH] imap: if a FETCH response has no size, don't call write
+ callback
+
+---
+ lib/imap.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+Index: curl-7.47.0/lib/imap.c
+===================================================================
+--- curl-7.47.0.orig/lib/imap.c 2017-10-17 13:53:39.420208253 -0400
++++ curl-7.47.0/lib/imap.c 2017-10-17 13:53:39.420208253 -0400
+@@ -1136,6 +1136,11 @@ static CURLcode imap_state_fetch_resp(st
+ /* The conversion from curl_off_t to size_t is always fine here */
+ chunk = (size_t)size;
+
++ if(!chunk) {
++ /* no size, we're done with the data */
++ state(conn, IMAP_STOP);
++ return CURLE_OK;
++ }
+ result = Curl_client_write(conn, CLIENTWRITE_BODY, pp->cache, chunk);
+ if(result)
+ return result;
diff -Nru curl-7.47.0/debian/patches/CVE-2017-7407-1.patch curl-7.47.0/debian/patches/CVE-2017-7407-1.patch
--- curl-7.47.0/debian/patches/CVE-2017-7407-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ curl-7.47.0/debian/patches/CVE-2017-7407-1.patch 2017-10-04 12:51:20.000000000 +0000
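Review bot: The added comment `/* no size, we're done with the data */` does not say why a zero-length chunk must not reach `Curl_client_write()`, and the patch header carries neither the CVE id nor an advisory link, unlike the other patches in this upload. I would record the reason in the comment, e.g. `/* never pass a zero length on: the write path may then treat pp->cache as a C string, which it is not */`. That reading of Curl_client_write() is an assumption to confirm against its definition. No test is added for a FETCH response without a size, since the diffstat lists only lib/imap.c. imap_state_fetch_resp() starts and ends outside the hunk.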
@@ -0,0 +1,120 @@ +Backport of: + +From 1890d59905414ab84a35892b2e45833654aa5c13 Mon Sep 17 00:00:00 2001 +From: Dan Fandrich +Date: Sat, 11 Mar 2017 10:59:34 +0100 +Subject: [PATCH] tool_writeout: fixed a buffer read overrun on --write-out + +If a % ended the statement, the string's trailing NUL would be skipped +and memory past the end of the buffer would be accessed and potentially +displayed as part of the --write-out output. Added tests 1440 and 1441 +to check for this kind of condition. + +Reported-by: Brian Carpenter +--- + src/tool_writeout.c | 2 +- + tests/data/Makefile.inc | 2 +- + tests/data/test1440 | 31 +++++++++++++++++++++++++++++++ + tests/data/test1441 | 31 +++++++++++++++++++++++++++++++ + 4 files changed, 64 insertions(+), 2 deletions(-) + create mode 100644 tests/data/test1440 + create mode 100644 tests/data/test1441 + +Index: curl-7.47.0/src/tool_writeout.c +=================================================================== +--- curl-7.47.0.orig/src/tool_writeout.c 2017-10-04 08:50:42.880911816 -0400 ++++ curl-7.47.0/src/tool_writeout.c 2017-10-04 08:50:42.876911766 -0400 +@@ -107,7 +107,7 @@ void ourWriteOut(CURL *curl, struct OutS + double doubleinfo; + + while(ptr && *ptr) { +- if('%' == *ptr) { ++ if('%' == *ptr && ptr[1]) { + if('%' == ptr[1]) { + /* an escaped %-letter */ + fputc('%', stream); +Index: curl-7.47.0/tests/data/Makefile.inc +=================================================================== +--- curl-7.47.0.orig/tests/data/Makefile.inc 2017-10-04 08:50:08.068477006 -0400 ++++ curl-7.47.0/tests/data/Makefile.inc 2017-10-04 08:51:04.601182983 -0400 +@@ -119,7 +119,7 @@ test1104 test1105 test1106 test1107 test + test1112 test1113 test1114 test1115 test1116 test1117 test1118 test1119 \ + test1120 test1121 test1122 test1123 test1124 test1125 test1126 test1127 \ + test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \ +-test1136 test1137 test1138 \ ++test1136 test1137 test1138 test1440 test1441 \ + test1152 \ + 
\ + test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \ +Index: curl-7.47.0/tests/data/test1440 +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ curl-7.47.0/tests/data/test1440 2017-10-04 08:50:42.876911766 -0400 +@@ -0,0 +1,31 @@ ++ ++ ++ ++--write-out ++ ++ ++# Server-side ++ ++ ++ ++# Client-side ++ ++ ++file ++ ++ ++ ++Check --write-out with trailing %{ ++ ++ ++file://localhost/%PWD/log/ --write-out '%{' ++ ++ ++ ++# Verify data ++ ++ ++%{ ++ ++ ++ +Index: curl-7.47.0/tests/data/test1441 +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ curl-7.47.0/tests/data/test1441 2017-10-04 08:50:42.876911766 -0400 +@@ -0,0 +1,31 @@ ++ ++ ++ ++--write-out ++ ++ ++# Server-side ++ ++ ++ ++# Client-side ++ ++ ++file ++ ++ ++ ++Check --write-out with trailing % ++ ++ ++file://localhost/%PWD/log/ --write-out '%' ++ ++ ++ ++# Verify data ++ ++ ++% ++ ++ ++ diff -Nru curl-7.47.0/debian/patches/CVE-2017-7407-2.patch curl-7.47.0/debian/patches/CVE-2017-7407-2.patch --- curl-7.47.0/debian/patches/CVE-2017-7407-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.47.0/debian/patches/CVE-2017-7407-2.patch 2017-10-04 12:52:18.000000000 +0000 
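Review bot: The guard `'%' == *ptr && ptr[1]` in ourWriteOut() has no comment saying that a lone `%` at the end of the format is now left to the literal-output path, which is what test1441's expected output suggests. The same applies to `'\\' == *ptr && ptr[1]` in CVE-2017-7407-2.patch. A one-line comment at each, such as `/* a trailing '%' has nothing to expand; print it as-is */`, would keep the NUL check from being dropped in a later cleanup. The tests cover a trailing `%`, `%{` and `\`; how an unterminated `%{name` is scanned is decided inside the branch, which lies outside both hunks.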
@@ -0,0 +1,83 @@ +Backport of: + +From 8e65877870c1fac920b65219adec720df810aab9 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 24 Mar 2017 10:14:21 +0100 +Subject: [PATCH] curl: check for end of input in writeout backslash handling + +Reported-by: Brian Carpenter + +Added test 1442 to verify +--- + src/tool_writeout.c | 4 ++-- + tests/data/Makefile.inc | 2 +- + tests/data/test1442 | 35 +++++++++++++++++++++++++++++++++++ + 3 files changed, 38 insertions(+), 3 deletions(-) + create mode 100644 tests/data/test1442 + +Index: curl-7.47.0/src/tool_writeout.c +=================================================================== +--- curl-7.47.0.orig/src/tool_writeout.c 2017-10-04 08:51:37.353591709 -0400 ++++ curl-7.47.0/src/tool_writeout.c 2017-10-04 08:51:37.349591659 -0400 +@@ -298,7 +298,7 @@ void ourWriteOut(CURL *curl, struct OutS + } + } + } +- else if('\\' == *ptr) { ++ else if('\\' == *ptr && ptr[1]) { + switch(ptr[1]) { + case 'r': + fputc('\r', stream); +Index: curl-7.47.0/tests/data/Makefile.inc +=================================================================== +--- curl-7.47.0.orig/tests/data/Makefile.inc 2017-10-04 08:51:34.433555277 -0400 ++++ curl-7.47.0/tests/data/Makefile.inc 2017-10-04 08:52:02.633907046 -0400 +@@ -148,7 +148,7 @@ test1408 test1409 test1410 test1411 test + test1416 test1417 test1418 test1419 test1420 test1421 test1422 test1423 \ + test1424 \ + test1428 test1429 test1430 test1431 test1432 test1433 test1434 test1435 \ +-test1436 \ ++test1436 test1442 \ + \ + test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \ + test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1515 \ +Index: curl-7.47.0/tests/data/test1442 +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ curl-7.47.0/tests/data/test1442 2017-10-04 08:51:37.349591659 -0400 +@@ -0,0 +1,35 @@ ++ ++ ++ ++--write-out ++FILE ++ ++ ++# Server-side ++ ++ ++ ++# 
Client-side ++ ++ ++file ++ ++ ++ ++Check --write-out with trailing \ ++ ++ ++file://localhost/%PWD/log/non-existent-file.txt --write-out '\' ++ ++ ++ ++# Verify data ++ ++ ++37 ++ ++ ++\ ++ ++ ++ diff -Nru curl-7.47.0/debian/patches/series curl-7.47.0/debian/patches/series --- curl-7.47.0/debian/patches/series 2016-08-05 15:17:38.000000000 +0000 +++ curl-7.47.0/debian/patches/series 2017-10-17 18:23:53.000000000 +0000 @@ -7,6 +7,25 @@ CVE-2016-5419.patch CVE-2016-5420.patch CVE-2016-5421.patch +CVE-2016-7141.patch +CVE-2016-7167.patch +CVE-2016-8615.patch +CVE-2016-8616.patch +CVE-2016-8617.patch +CVE-2016-8618.patch +CVE-2016-8619.patch +CVE-2016-8620.patch +CVE-2016-8621.patch +CVE-2016-8622.patch +CVE-2016-8623.patch +CVE-2016-8624.patch +CVE-2016-9586.patch +CVE-2017-1000100.patch +CVE-2017-1000101.patch +CVE-2017-1000254.patch +CVE-2017-7407-1.patch +CVE-2017-7407-2.patch +CVE-2017-1000257.patch # do not add patches below 90_gnutls.patch