curl: security fix for CVE-2016-5421

Affected versions: libcurl 7.32.0 to and including 7.50.0

(From OE-Core rev: f6999fa952c7db980cfc97f6e5a971e4f34cc0a3)

Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

meta/recipes-support/curl/curl/CVE-2016-5421.patch

@@ -0,0 +1,36 @@
+From 75dc096e01ef1e21b6c57690d99371dedb2c0b80 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sun, 31 Jul 2016 01:09:04 +0200
+Subject: [PATCH] curl_multi_cleanup: clear connection pointer for easy handles
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Bug: https://curl.haxx.se/docs/adv_20160803C.html
+Reported-by: Marcelo Echeverria and Fernando Muñoz
+
+Upstream-Status: Backport
+https://curl.haxx.se/CVE-2016-5421.patch
+
+CVE: CVE-2016-5421
+Signed-off-by: Maxin B. John <maxin.john@intel.com>
+---
+ lib/multi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/multi.c b/lib/multi.c
+index 9ee3523..8bb9366 100644
+--- a/lib/multi.c
++++ b/lib/multi.c
+@@ -2157,6 +2157,8 @@ static void close_all_connections(struct Curl_multi *multi)
+     conn->data = multi->closure_handle;
+ 
+     sigpipe_ignore(conn->data, &pipe_st);
++    conn->data->easy_conn = NULL; /* clear the easy handle's connection
++                                     pointer */
+     /* This will remove the connection from the cache */
+     (void)Curl_disconnect(conn, FALSE);
+     sigpipe_restore(&pipe_st);
+-- 
+2.4.0
+

meta/recipes-support/curl/curl_7.44.0.bb

@@ -13,6 +13,7 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
 # from mucking around with debug options
 #
 SRC_URI += " file://configure_ac.patch \
+             file://CVE-2016-5421.patch \
              file://CVE-2016-5420.patch \
              file://CVE-2016-5419.patch \
              file://CVE-2016-0754.patch \