curl-library
Re: [SECURITY ADVISORY 1/4] libcurl wrong re-use of connections
Date: Thu, 10 Apr 2014 13:40:42 +0200
On Wed, Apr 09, 2014 at 06:04:22PM +0200, Vitezslav Cizek wrote:
> > On mer, mar 26, 2014 at 08:04:30 +0100, Daniel Stenberg wrote:
> > > 3. THE SOLUTION
> > >
> > > libcurl 7.36.0 makes sure that connections are re-used more strictly.
> > >
> > > A patch for this problem is available at:
> > >
> > > http://curl.haxx.se/libcurl-bad-reuse.patch
>
> > I've been trying to backport that patch to curl 7.26.0 (used in Debian stable),
> > but I've noticed that the connection reuse has changed drastically since then,
> > and that patch doesn't seem to be enough to fix the issue (in fact, it actually
> > breaks the test suite, since test 519 freezes for some reason). I haven't even
> > tried to backport it to Debian oldstable (7.21.0).
>
> > Is there someone that successfully backported it to something
> > pre-7.30.0, or
> > should I just give up?
>
> On old curl, the test server (sws) runs in a single thread and doesn't fork.
>
> The test 519 connects to the server over HTTP with a username/password and
> later tries it with anotheruser/anotherpassword.
>
> The server runs a simple accept() loop where it serves the clients using
> recv()/send().
>
> Before the security patch, the two GET requests the test makes were
> issued from a single connection.
> Thus the server served the first request and later the other in a single
> run of the accept() loop.
>
> After the patch, the two request now come in two separate connections.
> So the server accept()s and serves the first connection and then waits in
> recv(), because the connection is still open.
> The code never gets to another accept() so the second connection isn't
> served at all.
>
> I just disabled the 519 test.
I ended up doing the same thing, thanks for the help!
Cheers
-- perl -E '$_=q;$/= @{[@_]};and s;\S+;<inidehG ordnasselA>;eg;say~~reverse'
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
- application/pgp-signature attachment: Digital signature