
Topic: CVE-2019-5482


quadrazontal

CVE-2019-5482
« on: September 18, 2019, 03:52:31 PM »
Hi. Hoping to suggest an update to libcurl.

Michael

Re: CVE-2019-5482
« Reply #1 on: September 20, 2019, 11:08:09 AM »
Not been watching curl well enough. Will have it up shortly.

Thx for pointing this out!

Michael

Re: CVE-2019-5482
« Reply #2 on: September 20, 2019, 11:42:50 AM »
Almost there - have a new libssh2 (that I link to statically); however, I am running into a build issue regarding the macro/constant AF_LOCAL.

That is not in the AIX include files (socket.h), so I need to chat and find out if AF_LOCAL is an "alias" for AF_UNIX.

Currently, stopping with:
+ /opt/bin/make > .buildaix/make.out
"../../src/curl-7.66.0/lib/asyn-thread.c", line 248.17: 1506-045 (S) Undeclared identifier AF_LOCAL.
make[2]: *** [Makefile:2190: libcurl_la-asyn-thread.lo] Error 1
make[1]: *** [Makefile:1046: all] Error 2
make: *** [Makefile:946: all-recursive] Error 1

Michael

Re: CVE-2019-5482
« Reply #3 on: September 20, 2019, 12:07:46 PM »
So after reading this: https://lists.gnu.org/archive/html/bug-gnulib/2012-04/msg00057.html

I did this change:

/*
 * Address families.
 */
#define AF_UNSPEC       0               /* unspecified */
#define AF_UNIX         1               /* local to host (pipes, portals) */
#define AF_LOCAL        AF_UNIX
#define AF_INET         2               /* internetwork: UDP, TCP, etc. */
#define AF_IMPLINK      3               /* arpanet imp addresses */
...

and built, however...

After this change the build fails with:

+ /opt/bin/make > .buildaix/make.out
ld: 0711-317 ERROR: Undefined symbol: .curl_multi_poll
ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.


I have opened the following issue. Feel free to comment, should you feel so inclined.

https://github.com/curl/curl/issues/4390
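
An added example, not part of the original thread and not curl's own code: the same AF_LOCAL alias expressed as a guarded fallback in the consuming source, so the system socket.h stays unmodified. The helper name local_pair_roundtrip is hypothetical; it only confirms that a socket pair opened with the aliased constant works.

```c
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>

/* Fallback for platforms whose <sys/socket.h> lacks AF_LOCAL (the AIX
 * build error quoted in the thread). Defined in the consuming source,
 * so the system header is left untouched. */
#ifndef AF_LOCAL
#define AF_LOCAL AF_UNIX
#endif

/* Hypothetical helper: open a connected local socket pair with AF_LOCAL,
 * push one byte through it and read it back.
 * Returns 0 on success, -1 on any failure. */
int local_pair_roundtrip(void)
{
    int sv[2];
    char out = 'w';
    char in = 0;
    int rc = -1;

    if (socketpair(AF_LOCAL, SOCK_STREAM, 0, sv) != 0)
        return -1;

    if (write(sv[0], &out, 1) == 1 &&
        read(sv[1], &in, 1) == 1 &&
        in == out)
        rc = 0;

    /* Always release both descriptors, on success or failure. */
    close(sv[0]);
    close(sv[1]);
    return rc;
}

int main(void)
{
    return local_pair_roundtrip() == 0 ? 0 : 1;
}
```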

Michael

Re: CVE-2019-5482
« Reply #4 on: September 22, 2019, 11:09:41 AM »
Packaged and posted (32-bit version only).

Packaged on AIX 5.3 TL7 (currently rebuilding, was AIX 6.1) because that is the confirmed support on haex.se.

Note: a fix that was needed was already done, which I manually applied.

Again, thx for pointing this out!
« Last Edit: September 22, 2019, 01:21:53 PM by Michael »