authorHauke Mehrtens <hauke@hauke-m.de>2019-05-17 22:40:26 +0200
committerHauke Mehrtens <hauke@hauke-m.de>2019-05-30 12:15:20 +0200
commitdc1b578a4cc1d7ec154a58baf3a813846c5adf9d (patch)
treee78010a927c172ef05b54d75bd178a451235a1bb /package/network/utils/curl/patches/404-CVE-2018-16842.patch
parent40ed8389efbb4011c83b6d343412a54634d0c731 (diff)
curl: Fix multiple security problems
This fixes the following security problems:
* CVE-2018-14618: NTLM password overflow via integer overflow
* CVE-2018-16839: SASL password overflow via integer overflow
* CVE-2018-16840: use-after-free in handle close
* CVE-2018-16842: warning message out-of-buffer read
* CVE-2019-3823: SMTP end-of-response out-of-bounds read
* CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow
* CVE-2018-16890: NTLM type-2 out-of-bounds buffer read

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Diffstat (limited to 'package/network/utils/curl/patches/404-CVE-2018-16842.patch')
-rw-r--r--package/network/utils/curl/patches/404-CVE-2018-16842.patch23
1 files changed, 23 insertions, 0 deletions
diff --git a/package/network/utils/curl/patches/404-CVE-2018-16842.patch b/package/network/utils/curl/patches/404-CVE-2018-16842.patch
new file mode 100644
index 0000000000..50e325dc31
--- /dev/null
+++ b/package/network/utils/curl/patches/404-CVE-2018-16842.patch
@@ -0,0 +1,23 @@
+From d530e92f59ae9bb2d47066c3c460b25d2ffeb211 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sun, 28 Oct 2018 01:33:23 +0200
+Subject: [PATCH] voutf: fix bad arethmetic when outputting warnings to stderr
+
+CVE-2018-16842
+Reported-by: Brian Carpenter
+Bug: https://curl.haxx.se/docs/CVE-2018-16842.html
+---
+ src/tool_msgs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/src/tool_msgs.c
++++ b/src/tool_msgs.c
+@@ -67,7 +67,7 @@ static void voutf(struct GlobalConfig *c
+ (void)fwrite(ptr, cut + 1, 1, config->errors);
+ fputs("\n", config->errors);
+ ptr += cut + 1; /* skip the space too */
+- len -= cut;
++ len -= cut + 1;
+ }
+ else {
+ fputs(ptr, config->errors);
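Review bot: The corrected `len -= cut + 1;` line in the embedded src/tool_msgs.c hunk carries no comment, while the `ptr += cut + 1;` line above it does, so nothing in the code records that the two updates must move by the same amount. Before the fix, len shrank by one byte less than ptr advanced on each wrapped line, so the remaining-length count overstated what was left in the buffer; presumably that drift is what let the wrap loop read past the end of the message, as the CVE-2018-16842 title suggests. A short comment on the new line, such as `/* keep len in step with ptr: the space was consumed too */`, would guard against the mismatch returning in a later refresh of this patch. The loop header and the rest of voutf lie outside the hunk, so the loop condition and the type of len could not be checked from here.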