File curl-CVE-2014-0138.patch of Package curl.openSUSE_13.1_Update
From 9db36827fb5eade403143b36566914ee9dc37d7b Mon Sep 17 00:00:00 2001
From: Steve Holme <steve_holme@hotmail.com>
Date: Thu, 20 Feb 2014 23:51:36 +0000
Subject: [PATCH] url: Fixed connection re-use when using different log-in
credentials
In addition to FTP, other connection based protocols such as IMAP, POP3,
SMTP, SCP, SFTP and LDAP require a new connection when different log-in
credentials are specified. Fixed the detection logic to include these
other protocols.
Bug: http://curl.haxx.se/docs/adv_20140326A.html
---
lib/http.c | 2 +-
lib/url.c | 7 ++++---
lib/urldata.h | 2 ++
3 files changed, 7 insertions(+), 4 deletions(-)
Index: curl-7.32.0/lib/http.c
===================================================================
--- curl-7.32.0.orig/lib/http.c 2014-04-10 13:28:29.668251255 +0200
+++ curl-7.32.0/lib/http.c 2014-04-10 13:28:30.708260917 +0200
@@ -144,7 +144,7 @@ const struct Curl_handler Curl_handler_h
ZERO_NULL, /* readwrite */
PORT_HTTPS, /* defport */
CURLPROTO_HTTP | CURLPROTO_HTTPS, /* protocol */
- PROTOPT_SSL /* flags */
+ PROTOPT_SSL | PROTOPT_CREDSPERREQUEST /* flags */
};
#endif
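Review bot: Only the handler at line 144 (the one with `PORT_HTTPS`) gains `PROTOPT_CREDSPERREQUEST` in this patch, and the diffstat lists a single changed line in lib/http.c. With the new test in ConnectionExists(), any handler lacking the flag has its user name and password compared before re-use. If the plain HTTP handler keeps its old flags, it will stop sharing connections across differing credentials, which is the safe direction but inconsistent with HTTPS. If that is not intended, the HTTP handler's entry needs the same flag, e.g. `PROTOPT_CREDSPERREQUEST /* flags */`. The struct initializer starts outside this hunk, so which handler this is has been inferred from the visible fields.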
Index: curl-7.32.0/lib/url.c
===================================================================
--- curl-7.32.0.orig/lib/url.c 2014-04-10 13:28:30.709260927 +0200
+++ curl-7.32.0/lib/url.c 2014-04-10 13:43:33.980699951 +0200
@@ -3011,10 +3011,10 @@ ConnectionExists(struct SessionHandle *d
continue;
}
- if((needle->handler->protocol & CURLPROTO_FTP) ||
- ((needle->handler->protocol & CURLPROTO_HTTP) && wantNTLM)) {
- /* This is FTP or HTTP+NTLM, verify that we're using the same name
- and password as well */
+ if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) ||
+ ((needle->handler->protocol & CURLPROTO_HTTP) && wantNTLM)) {
+ /* This protocol requires credentials per connection or is HTTP+NTLM,
+ so verify that we're using the same name and password as well */
if(!strequal(needle->user, check->user) ||
!strequal(needle->passwd, check->passwd)) {
/* one of them was different */
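Review bot: The credential comparison that this condition now guards still uses `strequal()`, which in curl is a case-insensitive match, so a cached connection authenticated as `User`/`Secret` (constructed example) would also satisfy a request for `user`/`secret`. The patch makes this check the only barrier to re-use for IMAP, POP3, SMTP, SCP, SFTP and LDAP, so the credentials should be compared exactly: `if(strcmp(needle->user, check->user) ||` and `strcmp(needle->passwd, check->passwd)) {`. ConnectionExists() and the body of this `if` continue outside the hunk, so confirm whether `user` or `passwd` can be NULL here before switching to `strcmp`.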
Index: curl-7.32.0/lib/urldata.h
===================================================================
--- curl-7.32.0.orig/lib/urldata.h 2014-04-10 13:28:29.669251265 +0200
+++ curl-7.32.0/lib/urldata.h 2014-04-10 13:28:30.709260927 +0200
@@ -782,6 +782,8 @@ struct Curl_handler {
gets a default */
#define PROTOPT_NOURLQUERY (1<<6) /* protocol can't handle
url query strings (?foo=bar) ! */
+#define PROTOPT_CREDSPERREQUEST (1<<7) /* requires login creditials per request
+ as opposed to per connection */
/* return the count of bytes sent, or -1 on error */
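Review bot: The comment on the new `PROTOPT_CREDSPERREQUEST` define misspells "credentials" as `creditials`, and it does not say what the absence of the flag means. ConnectionExists() treats a handler without the flag as authenticating per connection, so I would spell that out: `/* requires login credentials per request as opposed to per connection; handlers without this flag have user and password compared before a connection is re-used */`. Stating the default matters because a new protocol handler that omits the flag then fails safe instead of sharing an authenticated connection.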