1 files changed, 36 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2014-8150.patch b/meta/recipes-support/curl/curl/CVE-2014-8150.patch
new file mode 100644
index 0000000000..b5945fbf18
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2014-8150.patch
@@ -0,0 +1,36 @@
+From 4e2ac2afa94f014a2a015c48c678e2367a63ae82 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 25 Dec 2014 23:55:03 +0100
+Subject: [PATCH] url-parsing: reject CRLFs within URLs
+Bug: http://curl.haxx.se/docs/adv_20150108B.html
+Reported-by: Andrey Labunets
+---
+ lib/url.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+diff --git a/lib/url.c b/lib/url.c
+index 788f048..d3bb5e0 100644
+--- a/lib/url.c
+++ b/lib/url.c
+@@ -3840,10 +3840,17 @@ static CURLcode parseurlandfillconn(struct SessionHandle *data,
+   CURLcode result;
+   bool rebuild_url = FALSE;
+ 
+   *prot_missing = FALSE;
+ 
+  /* We might pass the entire URL into the request so we need to make sure
+   * there are no bad characters in there.*/
+  if(strpbrk(data->change.url, "\r\n")) {
+    failf(data, "Illegal characters found in URL");
+    return CURLE_URL_MALFORMAT;
+  }
+
+   /*************************************************************
+    * Parse the URL.
+    *
+    * We need to parse the url even when using the proxy, because we will need
+    * the hostname and port in case we are trying to SSL connect through the
+-- 
+2.1.4

diff --git a/meta/recipes-support/curl/curl/CVE-2014-8150.patch b/meta/recipes-support/curl/curl/CVE-2014-8150.patch new file mode 100644 index 0000000000..b5945fbf18 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2014-8150.patch
@@ -0,0 +1,36 @@
	1	From 4e2ac2afa94f014a2a015c48c678e2367a63ae82 Mon Sep 17 00:00:00 2001
	2	From: Daniel Stenberg <daniel@haxx.se>
	3	Date: Thu, 25 Dec 2014 23:55:03 +0100
	4	Subject: [PATCH] url-parsing: reject CRLFs within URLs
	5
	6	Bug: http://curl.haxx.se/docs/adv_20150108B.html
	7	Reported-by: Andrey Labunets
	8	---
	9	lib/url.c \| 7 +++++++
	10	1 file changed, 7 insertions(+)
	11
	12	diff --git a/lib/url.c b/lib/url.c
	13	index 788f048..d3bb5e0 100644
	14	--- a/lib/url.c
	15	+++ b/lib/url.c
	16	@@ -3840,10 +3840,17 @@ static CURLcode parseurlandfillconn(struct SessionHandle *data,
	17	CURLcode result;
	18	bool rebuild_url = FALSE;
	19
	20	*prot_missing = FALSE;
	21
	22	+ /* We might pass the entire URL into the request so we need to make sure
	23	+ * there are no bad characters in there.*/
	24	+ if(strpbrk(data->change.url, "\r\n")) {
	25	+ failf(data, "Illegal characters found in URL");
	26	+ return CURLE_URL_MALFORMAT;
	27	+ }
	28	+
	29	/*************************************************************
	30	* Parse the URL.
	31	*
	32	* We need to parse the url even when using the proxy, because we will need
	33	* the hostname and port in case we are trying to SSL connect through the
	34	--
	35	2.1.4
	36