[Libreoffice-commits] core.git: Branch 'distro/cib/libreoffice-6-1' - download.lst external/curl

Michael Stahl (via logerrit) logerrit at kemper.freedesktop.org
Fri May 31 13:09:00 UTC 2019 

 download.lst               |    4 ++--
 external/curl/zlib.patch.0 |   10 ----------
 2 files changed, 2 insertions(+), 12 deletions(-)

New commits:
commit fdcf51eb676dfbd2e91563b69a33c189488378ff
Author:     Michael Stahl <Michael.Stahl at cib.de>
AuthorDate: Wed May 22 11:40:54 2019 +0200
Commit:     Michael Stahl <Michael.Stahl at cib.de>
CommitDate: Fri May 31 15:07:52 2019 +0200

    curl: upgrade to release 7.65.0
    
    Fixes CVE-2019-5435. It looks like this is not a problem on 32-bit
    Windows because fortunately we don't use /LARGEADDRESSAWARE flag
    to set IMAGE_FILE_LARGE_ADDRESS_AWARE... but on 32-bit Linux
    the user-space VM is 3GB so an exploit might be possible.
    
    Apparently there's no code in LO that uses the CURLU_URLENCODE flag.
    
    The other one, CVE-2019-5436, doesn't matter because we disable tftp.
    
    Change-Id: I0d4f087befa5a3c4fb21ec36761dad68932425d9
    Reviewed-on: https://gerrit.libreoffice.org/72732
    Tested-by: Jenkins
    Reviewed-by: Michael Stahl <Michael.Stahl at cib.de>
    (cherry picked from commit edb01616ac176401650c35d938c75c6c5558a47e)

diff --git a/download.lst b/download.lst
index e84baea4995e..b0f60e13e5bd 100644
--- a/download.lst
+++ b/download.lst
@@ -29,8 +29,8 @@ export CPPUNIT_SHA256SUM := 3d569869d27b48860210c758c4f313082103a5e58219a7669b52
 export CPPUNIT_TARBALL := cppunit-1.14.0.tar.gz
 export CT2N_SHA256SUM := 71b238efd2734be9800af07566daea8d6685aeed28db5eb5fa0e6453f4d85de3
 export CT2N_TARBALL := 1f467e5bb703f12cbbb09d5cf67ecf4a-converttexttonumber-1-5-0.oxt
-export CURL_SHA256SUM := cb90d2eb74d4e358c1ed1489f8e3af96b50ea4374ad71f143fa4595e998d81b5
-export CURL_TARBALL := curl-7.64.0.tar.gz
+export CURL_SHA256SUM := 7766d263929404f693905b5e5222aa0f2bdf8c66ab4b8758f0c0820a42b966cd
+export CURL_TARBALL := curl-7.65.0.tar.xz
 export EBOOK_SHA256SUM := 7e8d8ff34f27831aca3bc6f9cc532c2f90d2057c778963b884ff3d1e34dfe1f9
 export EBOOK_TARBALL := libe-book-0.1.3.tar.xz
 export EPOXY_SHA256SUM := 1d8668b0a259c709899e1c4bab62d756d9002d546ce4f59c9665e2fc5f001a64
diff --git a/external/curl/zlib.patch.0 b/external/curl/zlib.patch.0
index b3e821039740..189e820d1afa 100644
--- a/external/curl/zlib.patch.0
+++ b/external/curl/zlib.patch.0
@@ -1,15 +1,5 @@
 --- configure
 +++ configure
-@@ -937,8 +937,8 @@
- ZLIB_LIBS
- HAVE_LIBZ_FALSE
- HAVE_LIBZ_TRUE
--HAVE_LIBZ
- PKGCONFIG
-+HAVE_LIBZ
- CURL_DISABLE_GOPHER
- CURL_DISABLE_SMTP
- CURL_DISABLE_SMB
 @@ -20709,7 +20709,6 @@
  clean_CPPFLAGS=$CPPFLAGS
  clean_LDFLAGS=$LDFLAGS

More information about the Libreoffice-commits mailing list