PKG_NAME:=curl
PKG_VERSION:=7.52.1
-PKG_RELEASE:=9
+PKG_RELEASE:=10
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=http://curl.haxx.se/download/ \
--- /dev/null
+From 29b251362e1839d7094993edbed8f9467069773f Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Sep 2017 00:35:22 +0200
+Subject: [PATCH] FTP: zero terminate the entry path even on bad input
+
+... a single double quote could leave the entry path buffer without a zero
+terminating byte. CVE-2017-1000254
+
+Test 1152 added to verify.
+
+Reported-by: Max Dymond
+Bug: https://curl.haxx.se/docs/adv_20171004.html
+---
+ lib/ftp.c | 7 ++++--
+ tests/data/Makefile.inc | 1 +
+ tests/data/test1152 | 61 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 67 insertions(+), 2 deletions(-)
+ create mode 100644 tests/data/test1152
+
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -2825,6 +2825,7 @@ static CURLcode ftp_statemach_act(struct
+ char *ptr=&data->state.buffer[4]; /* start on the first letter */
+ char *dir;
+ char *store;
++ bool entry_extracted = FALSE;
+
+ dir = malloc(nread + 1);
+ if(!dir)
+@@ -2856,7 +2857,7 @@ static CURLcode ftp_statemach_act(struct
+ }
+ else {
+ /* end of path */
+- *store = '\0'; /* zero terminate */
++ entry_extracted = TRUE;
+ break; /* get out of this loop */
+ }
+ }
+@@ -2865,7 +2866,9 @@ static CURLcode ftp_statemach_act(struct
+ store++;
+ ptr++;
+ }
+-
++ *store = '\0'; /* zero terminate */
++ }
++ if(entry_extracted) {
+ /* If the path name does not look like an absolute path (i.e.: it
+ does not start with a '/'), we probably need some server-dependent
+ adjustments. For example, this is the case when connecting to
+++ /dev/null
-From 7947c50bcd09cf471c95511739bc66d2cb506ee2 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 6 Nov 2017 23:51:52 +0100
-Subject: [PATCH] ntlm: avoid integer overflow for malloc size
-
-Reported-by: Alex Nichols
-Assisted-by: Kamil Dudka and Max Dymond
-
-CVE-2017-8816
-
-Bug: https://curl.haxx.se/docs/adv_2017-11e7.html
----
- lib/curl_ntlm_core.c | 23 +++++++++++++++++++++--
- 1 file changed, 21 insertions(+), 2 deletions(-)
-
-diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
-index 1309bf0d9..e8962769c 100644
---- a/lib/curl_ntlm_core.c
-+++ b/lib/curl_ntlm_core.c
-@@ -616,23 +616,42 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen,
- Curl_HMAC_final(ctxt, output);
-
- return CURLE_OK;
- }
-
-+#ifndef SIZE_T_MAX
-+/* some limits.h headers have this defined, some don't */
-+#if defined(_LP64) || defined(_I32LPx)
-+#define SIZE_T_MAX 18446744073709551615U
-+#else
-+#define SIZE_T_MAX 4294967295U
-+#endif
-+#endif
-+
- /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
- * (uppercase UserName + Domain) as the data
- */
- CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user, size_t userlen,
- const char *domain, size_t domlen,
- unsigned char *ntlmhash,
- unsigned char *ntlmv2hash)
- {
- /* Unicode representation */
-- size_t identity_len = (userlen + domlen) * 2;
-- unsigned char *identity = malloc(identity_len);
-+ size_t identity_len;
-+ unsigned char *identity;
- CURLcode result = CURLE_OK;
-
-+ /* we do the length checks below separately to avoid integer overflow risk
-+ on extreme data lengths */
-+ if((userlen > SIZE_T_MAX/2) ||
-+ (domlen > SIZE_T_MAX/2) ||
-+ ((userlen + domlen) > SIZE_T_MAX/2))
-+ return CURLE_OUT_OF_MEMORY;
-+
-+ identity_len = (userlen + domlen) * 2;
-+ identity = malloc(identity_len);
-+
- if(!identity)
- return CURLE_OUT_OF_MEMORY;
-
- ascii_uppercase_to_unicode_le(identity, user, userlen);
- ascii_to_unicode_le(identity + (userlen << 1), domain, domlen);
---
-2.15.0
-
+++ /dev/null
-From 0acc0c7c120afa6d60bfc7932c04361720b6e74d Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Fri, 10 Nov 2017 08:52:45 +0100
-Subject: [PATCH] wildcardmatch: fix heap buffer overflow in setcharset
-
-The code would previous read beyond the end of the pattern string if the
-match pattern ends with an open bracket when the default pattern
-matching function is used.
-
-Detected by OSS-Fuzz:
-https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161
-
-CVE-2017-8817
-
-Bug: https://curl.haxx.se/docs/adv_2017-ae72.html
----
- lib/curl_fnmatch.c | 9 +++------
- tests/data/Makefile.inc | 2 +-
- tests/data/test1163 | 52 +++++++++++++++++++++++++++++++++++++++++++++++++
- 3 files changed, 56 insertions(+), 7 deletions(-)
- create mode 100644 tests/data/test1163
-
-diff --git a/lib/curl_fnmatch.c b/lib/curl_fnmatch.c
-index da83393b4..8a1e106c4 100644
---- a/lib/curl_fnmatch.c
-+++ b/lib/curl_fnmatch.c
-@@ -131,10 +131,13 @@ static int setcharset(unsigned char **p, unsigned char *charset)
- unsigned char lastchar = 0;
- bool something_found = FALSE;
- unsigned char c;
- for(;;) {
- c = **p;
-+ if(!c)
-+ return SETCHARSET_FAIL;
-+
- switch(state) {
- case CURLFNM_SCHS_DEFAULT:
- if(ISALNUM(c)) { /* ASCII value */
- rangestart = c;
- charset[c] = 1;
-@@ -195,13 +198,10 @@ static int setcharset(unsigned char **p, unsigned char *charset)
- (*p)++;
- }
- else
- return SETCHARSET_FAIL;
- }
-- else if(c == '\0') {
-- return SETCHARSET_FAIL;
-- }
- else {
- charset[c] = 1;
- (*p)++;
- something_found = TRUE;
- }
-@@ -276,13 +276,10 @@ static int setcharset(unsigned char **p, unsigned char *charset)
- (*p)++;
- }
- else if(c == ']') {
- return SETCHARSET_OK;
- }
-- else if(c == '\0') {
-- return SETCHARSET_FAIL;
-- }
- else if(ISPRINT(c)) {
- charset[c] = 1;
- (*p)++;
- state = CURLFNM_SCHS_DEFAULT;
- }
-diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
-index dc1cc03bc..6eb37d81d 100644
---- a/tests/data/Makefile.inc.1 2017-11-29 20:00:26.126452486 +0000
-+++ b/tests/data/Makefile.inc 2017-11-29 20:01:13.057783732 +0000
-@@ -121,6 +121,7 @@
- test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \
- test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
- test1144 \
-+test1163 \
- test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
- test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
- test1216 test1217 test1218 test1219 \
-diff --git a/tests/data/test1163 b/tests/data/test1163
-new file mode 100644
-index 000000000..a109b511b
---- /dev/null
-+++ b/tests/data/test1163
-@@ -0,0 +1,52 @@
-+<testcase>
-+<info>
-+<keywords>
-+FTP
-+RETR
-+LIST
-+wildcardmatch
-+ftplistparser
-+flaky
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<data>
-+</data>
-+</reply>
-+
-+# Client-side
-+<client>
-+<server>
-+ftp
-+</server>
-+<tool>
-+lib576
-+</tool>
-+<name>
-+FTP wildcard with pattern ending with an open-bracket
-+</name>
-+<command>
-+"ftp://%HOSTIP:%FTPPORT/fully_simulated/DOS/*[]["
-+</command>
-+</client>
-+<verify>
-+<protocol>
-+USER anonymous
-+PASS ftp@example.com
-+PWD
-+CWD fully_simulated
-+CWD DOS
-+EPSV
-+TYPE A
-+LIST
-+QUIT
-+</protocol>
-+# 78 == CURLE_REMOTE_FILE_NOT_FOUND
-+<errorcode>
-+78
-+</errorcode>
-+</verify>
-+</testcase>
---
-2.15.0
-
--- /dev/null
+From 13c9a9ded3ae744a1e11cbc14e9146d9fa427040 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 7 Oct 2017 00:11:31 +0200
+Subject: [PATCH] imap: if a FETCH response has no size, don't call write
+ callback
+
+CVE-2017-1000257
+
+Reported-by: Brian Carpenter and 0xd34db347
+Also detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3586
+---
+ lib/imap.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/lib/imap.c
++++ b/lib/imap.c
+@@ -1140,6 +1140,11 @@ static CURLcode imap_state_fetch_resp(st
+ /* The conversion from curl_off_t to size_t is always fine here */
+ chunk = (size_t)size;
+
++ if(!chunk) {
++ /* no size, we're done with the data */
++ state(conn, IMAP_STOP);
++ return CURLE_OK;
++ }
+ result = Curl_client_write(conn, CLIENTWRITE_BODY, pp->cache, chunk);
+ if(result)
+ return result;
--- /dev/null
+From 7947c50bcd09cf471c95511739bc66d2cb506ee2 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 6 Nov 2017 23:51:52 +0100
+Subject: [PATCH] ntlm: avoid integer overflow for malloc size
+
+Reported-by: Alex Nichols
+Assisted-by: Kamil Dudka and Max Dymond
+
+CVE-2017-8816
+
+Bug: https://curl.haxx.se/docs/adv_2017-11e7.html
+---
+ lib/curl_ntlm_core.c | 23 +++++++++++++++++++++--
+ 1 file changed, 21 insertions(+), 2 deletions(-)
+
+--- a/lib/curl_ntlm_core.c
++++ b/lib/curl_ntlm_core.c
+@@ -618,6 +618,15 @@ CURLcode Curl_hmac_md5(const unsigned ch
+ return CURLE_OK;
+ }
+
++#ifndef SIZE_T_MAX
++/* some limits.h headers have this defined, some don't */
++#if defined(_LP64) || defined(_I32LPx)
++#define SIZE_T_MAX 18446744073709551615U
++#else
++#define SIZE_T_MAX 4294967295U
++#endif
++#endif
++
+ /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
+ * (uppercase UserName + Domain) as the data
+ */
+@@ -627,10 +636,20 @@ CURLcode Curl_ntlm_core_mk_ntlmv2_hash(c
+ unsigned char *ntlmv2hash)
+ {
+ /* Unicode representation */
+- size_t identity_len = (userlen + domlen) * 2;
+- unsigned char *identity = malloc(identity_len);
++ size_t identity_len;
++ unsigned char *identity;
+ CURLcode result = CURLE_OK;
+
++ /* we do the length checks below separately to avoid integer overflow risk
++ on extreme data lengths */
++ if((userlen > SIZE_T_MAX/2) ||
++ (domlen > SIZE_T_MAX/2) ||
++ ((userlen + domlen) > SIZE_T_MAX/2))
++ return CURLE_OUT_OF_MEMORY;
++
++ identity_len = (userlen + domlen) * 2;
++ identity = malloc(identity_len);
++
+ if(!identity)
+ return CURLE_OUT_OF_MEMORY;
+
--- /dev/null
+From 0acc0c7c120afa6d60bfc7932c04361720b6e74d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 10 Nov 2017 08:52:45 +0100
+Subject: [PATCH] wildcardmatch: fix heap buffer overflow in setcharset
+
+The code would previous read beyond the end of the pattern string if the
+match pattern ends with an open bracket when the default pattern
+matching function is used.
+
+Detected by OSS-Fuzz:
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161
+
+CVE-2017-8817
+
+Bug: https://curl.haxx.se/docs/adv_2017-ae72.html
+---
+ lib/curl_fnmatch.c | 9 +++------
+ tests/data/Makefile.inc | 2 +-
+ tests/data/test1163 | 52 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 56 insertions(+), 7 deletions(-)
+ create mode 100644 tests/data/test1163
+
+--- a/lib/curl_fnmatch.c
++++ b/lib/curl_fnmatch.c
+@@ -133,6 +133,9 @@ static int setcharset(unsigned char **p,
+ unsigned char c;
+ for(;;) {
+ c = **p;
++ if(!c)
++ return SETCHARSET_FAIL;
++
+ switch(state) {
+ case CURLFNM_SCHS_DEFAULT:
+ if(ISALNUM(c)) { /* ASCII value */
+@@ -197,9 +200,6 @@ static int setcharset(unsigned char **p,
+ else
+ return SETCHARSET_FAIL;
+ }
+- else if(c == '\0') {
+- return SETCHARSET_FAIL;
+- }
+ else {
+ charset[c] = 1;
+ (*p)++;
+@@ -278,9 +278,6 @@ static int setcharset(unsigned char **p,
+ else if(c == ']') {
+ return SETCHARSET_OK;
+ }
+- else if(c == '\0') {
+- return SETCHARSET_FAIL;
+- }
+ else if(ISPRINT(c)) {
+ charset[c] = 1;
+ (*p)++;
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -121,6 +121,7 @@ test1120 test1121 test1122 test1123 test
+ test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \
+ test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
+ test1144 \
++test1163 \
+ test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
+ test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
+ test1216 test1217 test1218 test1219 \
+--- /dev/null
++++ b/tests/data/test1163
+@@ -0,0 +1,52 @@
++<testcase>
++<info>
++<keywords>
++FTP
++RETR
++LIST
++wildcardmatch
++ftplistparser
++flaky
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<data>
++</data>
++</reply>
++
++# Client-side
++<client>
++<server>
++ftp
++</server>
++<tool>
++lib576
++</tool>
++<name>
++FTP wildcard with pattern ending with an open-bracket
++</name>
++<command>
++"ftp://%HOSTIP:%FTPPORT/fully_simulated/DOS/*[]["
++</command>
++</client>
++<verify>
++<protocol>
++USER anonymous
++PASS ftp@example.com
++PWD
++CWD fully_simulated
++CWD DOS
++EPSV
++TYPE A
++LIST
++QUIT
++</protocol>
++# 78 == CURLE_REMOTE_FILE_NOT_FOUND
++<errorcode>
++78
++</errorcode>
++</verify>
++</testcase>
--- /dev/null
+From fa3dbb9a147488a2943bda809c66fc497efe06cb Mon Sep 17 00:00:00 2001
+From: Zhouyihai Ding <ddyihai@ddyihai.svl.corp.google.com>
+Date: Wed, 10 Jan 2018 10:12:18 -0800
+Subject: [PATCH] http2: fix incorrect trailer buffer size
+
+Prior to this change the stored byte count of each trailer was
+miscalculated and 1 less than required. It appears any trailer
+after the first that was passed to Curl_client_write would be truncated
+or corrupted as well as the size. Potentially the size of some
+subsequent trailer could be erroneously extracted from the contents of
+that trailer, and since that size is used by client write an
+out-of-bounds read could occur and cause a crash or be otherwise
+processed by client write.
+
+The bug appears to have been born in 0761a51 (precedes 7.49.0).
+
+Closes https://github.com/curl/curl/pull/2231
+---
+ lib/http2.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/lib/http2.c
++++ b/lib/http2.c
+@@ -864,8 +864,8 @@ static int on_header(nghttp2_session *se
+
+ if(stream->bodystarted) {
+ /* This is trailer fields. */
+- /* 3 is for ":" and "\r\n". */
+- uint32_t n = (uint32_t)(namelen + valuelen + 3);
++ /* 4 is for ": " and "\r\n". */
++ uint32_t n = (uint32_t)(namelen + valuelen + 4);
+
+ DEBUGF(infof(data_s, "h2 trailer: %.*s: %.*s\n", namelen, name, valuelen,
+ value));
--- /dev/null
+From af32cd3859336ab963591ca0df9b1e33a7ee066b Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 19 Jan 2018 13:19:25 +0100
+Subject: [PATCH] http: prevent custom Authorization headers in redirects
+
+... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how
+curl already handles Authorization headers created internally.
+
+Note: this changes behavior slightly, for the sake of reducing mistakes.
+
+Added test 317 and 318 to verify.
+
+Reported-by: Craig de Stigter
+Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html
+---
+ docs/libcurl/opts/CURLOPT_HTTPHEADER.3 | 12 +++-
+ lib/http.c | 10 ++-
+ lib/setopt.c | 2 +-
+ lib/urldata.h | 2 +-
+ tests/data/Makefile.inc | 2 +-
+ tests/data/test317 | 94 +++++++++++++++++++++++++
+ tests/data/test318 | 95 ++++++++++++++++++++++++++
+ 7 files changed, 212 insertions(+), 5 deletions(-)
+ create mode 100644 tests/data/test317
+ create mode 100644 tests/data/test318
+
+--- a/docs/libcurl/opts/CURLOPT_HTTPHEADER.3
++++ b/docs/libcurl/opts/CURLOPT_HTTPHEADER.3
+@@ -5,7 +5,7 @@
+ .\" * | (__| |_| | _ <| |___
+ .\" * \___|\___/|_| \_\_____|
+ .\" *
+-.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
++.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
+ .\" *
+ .\" * This software is licensed as described in the file COPYING, which
+ .\" * you should have received as part of this distribution. The terms
+@@ -77,6 +77,16 @@ the headers. They may be private or othe
+
+ Use \fICURLOPT_HEADEROPT(3)\fP to make the headers only get sent to where you
+ intend them to get sent.
++
++Custom headers are sent in all requests done by the easy handles, which
++implies that if you tell libcurl to follow redirects
++(\fBCURLOPT_FOLLOWLOCATION(3)\fP), the same set of custom headers will be sent
++in the subsequent request. Redirects can of course go to other hosts and thus
++those servers will get all the contents of your custom headers too.
++
++Starting in 7.58.0, libcurl will specifically prevent "Authorization:" headers
++from being sent to other hosts than the first used one, unless specifically
++permitted with the \fBCURLOPT_UNRESTRICTED_AUTH(3)\fP option.
+ .SH DEFAULT
+ NULL
+ .SH PROTOCOLS
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -725,7 +725,7 @@ Curl_http_output_auth(struct connectdata
+ if(!data->state.this_is_a_follow ||
+ conn->bits.netrc ||
+ !data->state.first_host ||
+- data->set.http_disable_hostname_check_before_authentication ||
++ data->set.allow_auth_to_other_hosts ||
+ strcasecompare(data->state.first_host, conn->host.name)) {
+ result = output_auth_headers(conn, authhost, request, path, FALSE);
+ }
+@@ -1624,6 +1624,14 @@ CURLcode Curl_add_custom_headers(struct
+ checkprefix("Transfer-Encoding:", headers->data))
+ /* HTTP/2 doesn't support chunked requests */
+ ;
++ else if(checkprefix("Authorization:", headers->data) &&
++ /* be careful of sending this potentially sensitive header to
++ other hosts */
++ (data->state.this_is_a_follow &&
++ data->state.first_host &&
++ !data->set.allow_auth_to_other_hosts &&
++ !strcasecompare(data->state.first_host, conn->host.name)))
++ ;
+ else {
+ CURLcode result = Curl_add_bufferf(req_buffer, "%s\r\n",
+ headers->data);
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -972,7 +972,7 @@ CURLcode Curl_setopt(struct Curl_easy *d
+ * Send authentication (user+password) when following locations, even when
+ * hostname changed.
+ */
+- data->set.http_disable_hostname_check_before_authentication =
++ data->set.allow_auth_to_other_hosts =
+ (0 != va_arg(param, long)) ? TRUE : FALSE;
+ break;
+
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1675,7 +1675,7 @@ struct UserDefined {
+ bool http_keep_sending_on_error; /* for HTTP status codes >= 300 */
+ bool http_follow_location; /* follow HTTP redirects */
+ bool http_transfer_encoding; /* request compressed HTTP transfer-encoding */
+- bool http_disable_hostname_check_before_authentication;
++ bool allow_auth_to_other_hosts;
+ bool include_header; /* include received protocol headers in data output */
+ bool http_set_referer; /* is a custom referer used */
+ bool http_auto_referer; /* set "correct" referer when following location: */
--- /dev/null
+From a6ae0fbe9c50733e0f645f5bd16e1db38c592c3d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 31 Jan 2018 08:40:11 +0100
+Subject: [PATCH] FTP: reject path components with control codes
+
+Refuse to operate when given path components featuring byte values lower
+than 32.
+
+Previously, inserting a %00 sequence early in the directory part when
+using the 'singlecwd' ftp method could make curl write a zero byte
+outside of the allocated buffer.
+
+Test case 340 verifies.
+
+CVE-2018-1000120
+Reported-by: Duy Phan Thanh
+Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html
+---
+ lib/ftp.c | 8 ++++----
+ tests/data/Makefile.inc | 3 +++
+ tests/data/test340 | 40 ++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 47 insertions(+), 4 deletions(-)
+ create mode 100644 tests/data/test340
+
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -3235,7 +3235,7 @@ static CURLcode ftp_done(struct connectd
+
+ if(!result)
+ /* get the "raw" path */
+- result = Curl_urldecode(data, path_to_use, 0, &path, NULL, FALSE);
++ result = Curl_urldecode(data, path_to_use, 0, &path, NULL, TRUE);
+ if(result) {
+ /* We can limp along anyway (and should try to since we may already be in
+ * the error path) */
+@@ -4241,7 +4241,7 @@ CURLcode ftp_parse_url_path(struct conne
+ result = Curl_urldecode(conn->data, slash_pos ? cur_pos : "/",
+ slash_pos ? dirlen : 1,
+ &ftpc->dirs[0], NULL,
+- FALSE);
++ TRUE);
+ if(result) {
+ freedirs(ftpc);
+ return result;
+@@ -4349,7 +4349,7 @@ CURLcode ftp_parse_url_path(struct conne
+ size_t dlen;
+ char *path;
+ CURLcode result =
+- Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, FALSE);
++ Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, TRUE);
+ if(result) {
+ freedirs(ftpc);
+ return result;
--- /dev/null
+From 8f341a5d6f15381492ca2013325d485b6d8d1c13 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 6 Mar 2018 23:02:16 +0100
+Subject: [PATCH] openldap: check ldap_get_attribute_ber() results for NULL
+ before using
+
+CVE-2018-1000121
+Reported-by: Dario Weisser
+Bug: https://curl.haxx.se/docs/adv_2018-97a2.html
+---
+ lib/openldap.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/lib/openldap.c
++++ b/lib/openldap.c
+@@ -443,7 +443,7 @@ static ssize_t ldap_recv(struct connectd
+
+ for(ent = ldap_first_message(li->ld, msg); ent;
+ ent = ldap_next_message(li->ld, ent)) {
+- struct berval bv, *bvals, **bvp = &bvals;
++ struct berval bv, *bvals;
+ int binary = 0, msgtype;
+ CURLcode writeerr;
+
+@@ -505,9 +505,9 @@ static ssize_t ldap_recv(struct connectd
+ }
+ data->req.bytecount += bv.bv_len + 5;
+
+- for(rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, bvp);
+- rc == LDAP_SUCCESS;
+- rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, bvp)) {
++ for(rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, &bvals);
++ (rc == LDAP_SUCCESS) && bvals;
++ rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, &bvals)) {
+ int i;
+
+ if(bv.bv_val == NULL) break;
--- /dev/null
+From d70b74d6f893947aa22d3f14df10f92a8c349388 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 8 Mar 2018 10:33:16 +0100
+Subject: [PATCH] readwrite: make sure excess reads don't go beyond buffer end
+
+CVE-2018-1000122
+Bug: https://curl.haxx.se/docs/adv_2018-b047.html
+
+Detected by OSS-fuzz
+---
+ lib/transfer.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -791,10 +791,15 @@ static CURLcode readwrite_data(struct Cu
+
+ } /* if(!header and data to read) */
+
+- if(conn->handler->readwrite &&
+- (excess > 0 && !conn->bits.stream_was_rewound)) {
++ if(conn->handler->readwrite && excess && !conn->bits.stream_was_rewound) {
+ /* Parse the excess data */
+ k->str += nread;
++
++ if(&k->str[excess] > &k->buf[data->set.buffer_size]) {
++ /* the excess amount was too excessive(!), make sure
++ it doesn't read out of buffer */
++ excess = &k->buf[data->set.buffer_size] - k->str;
++ }
+ nread = (ssize_t)excess;
+
+ result = conn->handler->readwrite(data, conn, &nread, &readmore);
--- /dev/null
+From 8c7b3737d29ed5c0575bf592063de8a51450812d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 24 Mar 2018 23:47:41 +0100
+Subject: [PATCH] http: restore buffer pointer when bad response-line is parsed
+
+... leaving the k->str could lead to buffer over-reads later on.
+
+CVE: CVE-2018-1000301
+Assisted-by: Max Dymond
+
+Detected by OSS-Fuzz.
+Bug: https://curl.haxx.se/docs/adv_2018-b138.html
+Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105
+---
+ lib/http.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -2924,6 +2924,8 @@ CURLcode Curl_http_readwrite_headers(str
+ {
+ CURLcode result;
+ struct SingleRequest *k = &data->req;
++ ssize_t onread = *nread;
++ char *ostr = k->str;
+
+ /* header line within buffer loop */
+ do {
+@@ -2988,7 +2990,9 @@ CURLcode Curl_http_readwrite_headers(str
+ else {
+ /* this was all we read so it's all a bad header */
+ k->badheader = HEADER_ALLBAD;
+- *nread = (ssize_t)rest_length;
++ *nread = onread;
++ k->str = ostr;
++ return CURLE_OK;
+ }
+ break;
+ }
lib/vtls/vtls.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
-diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
-index fad9335bbf..871622fef1 100644
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
-@@ -485,8 +485,9 @@ void Curl_ssl_close_all(struct Curl_easy *data)
+@@ -488,8 +488,9 @@ void Curl_ssl_close_all(struct Curl_easy
}
#if defined(USE_OPENSSL) || defined(USE_GNUTLS) || defined(USE_SCHANNEL) || \