Curl corrupts large POSTs to SSL servers

Hi Gustavo,

Thanks for reporting and finding a patch. To get this into dapper we need to follow the SRU process at: https://wiki.ubuntu.com/StableReleaseUpdates

I've reordered the info in the original report along the lines of the SRU requirements.

1. Impact - Affects several Landscape users.

2. Development version - the bug is fixed in newer versions of curl from Edgy

3. Patch - MISSING - We still need a patch speciffic to Dapper attached to this bug.

4. Reproducing - MISSING - Reproduction steps are needed for the validation phase.

5. Regression potential - This is a 5 line fix that has already been live in Ubuntu since Edgy. The regression potential is small.

Taking for sponsoring. The patch looks fine, I'll generate the debdiff from the attached source package blob.

Fixed in Edgy and later.

I cleaned up and fixed the source package, this is the debdiff. Thanks, Gustavo, for digging out the patch!

The reproducer script does not seem to work for me. With the current dapper curl, I already get the expected result:

[dapper] 0 martin@donald:~/ubuntu/curl$ python curl-send-bug.py

9a0d55a0c6d0a1f7d3aa335fdb07fadb
Expected: 9a0d55a0c6d0a1f7d3aa335fdb07fadb

At least I still get the correct result with the new curl, and it still seems to work. However, a proper SRU bug needs a working verification recipe before it can be moved to -updates. Can you please update the reproducer script?

Ok, I see the problem. The installed "curl" binary is linked against OpenSSL instead of GnuTLS.

I'm attaching another script, which uses pycurl to perform the same logic.

Can you please try it out?

Also notice that due to the bug nature, it may not *always* fail.

To speed things up, I reviewed this too, and confirmed that Gustavo's new reproduction script fails before his patch and succeeds afterwards.

I sponsored this upload and have accepted it into dapper-proposed. Please test the build that will arrive there shortly.

Gustavo tested it and it worked for him.

I tested the -proposed packages myself. Gustavo's reproducer fails with the old version and works with the new one, and curl'ing some https:// pages still works properly.

I consider this sufficiently verified, the package can go to -updates tomorrow.

Yes, we've run the test script in our own environment with the
proposed package and confirmed that it works.

Copied to daper-updates.