"Kyle J. McKay" <mackyle@xxxxxxxxx> writes:
> On Jan 13, 2015, at 11:58, Jeff King wrote:
> ...
> I'm running curl 7.38, and in this context "older" is anything before
> 7.40, so that would explain it. curl 7.38 was released 2014-09-10, so
> it's only 4 months old at this point. 7.40 was only released 5 days
> ago on 2015-01-08 which is probably why there have not been a whole
> lot of reports about this so far.
>
> After updating to curl 7.40 I get:
>
> t5540-http-push-webdav.sh (Wstat: 256 Tests: 19 Failed: 1)
> Failed test: 10
> Non-zero exit status: 1
>
>> Anyway. I think my patch is still the right thing. But that does
>> explain
>> why we didn't notice the test failure.
>
> And then after applying your patch I'm back to:
>
> t5540-http-push-webdav.sh .. ok
I see a Ubuntu box I have nearby has this:
curl (7.35.0-1ubuntu2.3) trusty-security; urgency=medium
* SECURITY UPDATE: URL request injection
- debian/patches/CVE-2014-8150.patch: drop bad chars from URL in
lib/url.c, added test to tests/data/Makefile.am, tests/data/test1529,
tests/libtest/Makefile.inc, tests/libtest/lib1529.c.
- CVE-2014-8150
-- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx> Wed, 14 Jan 2015 08:49:32 -0500
That explains why I started seeing the same on a box with 7.35.x
which looks older than 7.40.
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html