From unknown Wed Jun 18 23:11:28 2025
From: bug#47563 <47563@debbugs.gnu.org>
To: bug#47563 <47563@debbugs.gnu.org>
Subject: Status: curl is vulnerable to CVE-2021-22890 and CVE-2021-22876
Reply-To: bug#47563 <47563@debbugs.gnu.org>
Date: Thu, 19 Jun 2025 06:11:28 +0000

retitle 47563 curl is vulnerable to CVE-2021-22890 and CVE-2021-22876
reassign 47563 guix
submitter 47563 Léo Le Bouter
severity 47563 normal
tag 47563 security
thanks

From debbugs-submit-bounces@debbugs.gnu.org Fri Apr 02 10:04:45 2021
Message-ID: <3f93f64c692d9e0604aa406a735d81084443b692.camel@zaclys.net>
Subject: curl is vulnerable to CVE-2021-22890 and CVE-2021-22876
From: Léo Le Bouter
To: bug-guix@gnu.org
Date: Fri, 02 Apr 2021 16:04:31 +0200
User-Agent: Evolution 3.34.2

CVE-2021-22890 01.04.21 20:15

curl 7.63.0 to and including 7.75.0 includes a vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets. When using an HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly "short-cut" the host handshake. When confusing the tickets, an HTTPS proxy can trick libcurl into using the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check and make a MITM attack possible to perform unnoticed. Note that such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work, unless curl has been told to ignore the server certificate check.
CVE-2021-22876 01.04.21 20:15

curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.

A WIP patch will follow; please help finish it (rebase curl-CVE-2021-22890.patch on 7.74.0).
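As an added illustration of the CVE-2021-22876 description above (this is not code from the bug report, from curl or from Guix), the following Python models what libcurl's fix does when it builds an automatic Referer: it drops the userinfo (user:password) and the fragment from the previous URL before copying it into the header. The sample URL follows the shape of curl's test 2081 in the patch later in this thread, with constructed values 127.0.0.1 and 8990 standing in for %HOSTIP and %HTTPPORT; `strip_referer` and `leaks_credentials` are hypothetical helper names.

```python
from urllib.parse import urlsplit, urlunsplit


def strip_referer(previous_url: str) -> str:
    """Return previous_url with the userinfo and the fragment removed.

    This is the intent of the CVE-2021-22876 fix: the automatic Referer
    header must not carry user:password from the URL that was followed,
    and a fragment is never sent on the wire anyway.
    """
    parts = urlsplit(previous_url)
    # hostname/port come back without the userinfo, so rebuilding the
    # netloc from those alone drops any embedded credentials.
    if parts.hostname is None:
        raise ValueError("URL has no host: %r" % previous_url)
    host = parts.hostname
    if ":" in host:  # IPv6 literal: put the brackets back
        host = "[" + host + "]"
    netloc = host if parts.port is None else "%s:%d" % (host, parts.port)
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, ""))


def leaks_credentials(referer_value: str) -> bool:
    """True if a Referer header value still contains userinfo."""
    return urlsplit(referer_value).username is not None


# Constructed input modelled on curl test 2081 (hypothetical host/port).
PREVIOUS_URL = "http://user:pass@127.0.0.1:8990/we/want/our/2081#anchor"

# Behaviour before the fix: the previous URL copied verbatim into Referer.
UNFIXED_REFERER = PREVIOUS_URL

if __name__ == "__main__":
    fixed = strip_referer(PREVIOUS_URL)
    print("unfixed Referer:", UNFIXED_REFERER,
          "leaks:", leaks_credentials(UNFIXED_REFERER))
    print("fixed Referer:  ", fixed, "leaks:", leaks_credentials(fixed))
```

`leaks_credentials` is the check a defender would run over captured outbound headers from an unpatched client: any Referer value with a username component means credentials left the process.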
From debbugs-submit-bounces@debbugs.gnu.org Fri Apr 02 10:05:35 2021
From: Léo Le Bouter
To: control@debbugs.gnu.org
Date: Fri, 02 Apr 2021 16:05:23 +0200
User-Agent: Evolution 3.34.2
Subject:

tags 47563 + security
quit

From debbugs-submit-bounces@debbugs.gnu.org Fri Apr 02 10:09:52 2021
From: Léo Le Bouter
To: 47563@debbugs.gnu.org
Cc: Léo Le Bouter
Subject: [PATCH 0/1] gnu: curl: Fix CVE-2021-22876 and CVE-2021-22890.
Date: Fri, 2 Apr 2021 16:09:39 +0200
Message-Id: <20210402140940.28300-1-lle-bout@zaclys.net>
X-Mailer: git-send-email 2.31.1

curl-CVE-2021-22876.patch was rebased onto 7.74.0, but curl-CVE-2021-22890.patch does not apply, and I need help rebasing it, please; it looks quite complex.

I pushed an upgrade of curl to 7.76.0, which has been much, much easier, to core-updates already as https://git.savannah.gnu.org/cgit/guix.git/commit/?h=core-updates&id=2e0b1b62e94b926041ca9af70537dd9b3ab64edf, but unfortunately, since curl requires so many rebuilds, it seems we can't use such a commit on master for now.

Léo Le Bouter (1):
  gnu: curl: Fix CVE-2021-22876 and CVE-2021-22890.
 gnu/local.mk                                  |   2 +
 gnu/packages/curl.scm                         |   4 +-
 .../patches/curl-CVE-2021-22876.patch         | 147 ++++++
 .../patches/curl-CVE-2021-22890.patch         | 499 ++++++++++++++++++
 4 files changed, 651 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/curl-CVE-2021-22876.patch
 create mode 100644 gnu/packages/patches/curl-CVE-2021-22890.patch

-- 
2.31.1

From debbugs-submit-bounces@debbugs.gnu.org Fri Apr 02 10:10:00 2021
From: Léo Le Bouter
To: 47563@debbugs.gnu.org
Cc: Léo Le Bouter
Subject: [PATCH 1/1] gnu: curl: Fix CVE-2021-22876 and CVE-2021-22890.
Date: Fri, 2 Apr 2021 16:09:40 +0200
Message-Id: <20210402140940.28300-2-lle-bout@zaclys.net>
In-Reply-To: <20210402140940.28300-1-lle-bout@zaclys.net>
References: <20210402140940.28300-1-lle-bout@zaclys.net>
X-Mailer: git-send-email 2.31.1

* gnu/packages/patches/curl-CVE-2021-22876.patch,
gnu/packages/patches/curl-CVE-2021-22890.patch: New patches.
* gnu/local.mk (dist_patch_DATA): Register them.
* gnu/packages/curl.scm (curl): Apply patches.
---
 gnu/local.mk                                  |   2 +
 gnu/packages/curl.scm                         |   4 +-
 .../patches/curl-CVE-2021-22876.patch         | 147 ++++++
 .../patches/curl-CVE-2021-22890.patch         | 499 ++++++++++++++++++
 4 files changed, 651 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/curl-CVE-2021-22876.patch
 create mode 100644 gnu/packages/patches/curl-CVE-2021-22890.patch

diff --git a/gnu/local.mk b/gnu/local.mk index f2d595f2cc..cf6f35363f 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -919,6 +919,8 @@ dist_patch_DATA =3D \ %D%/packages/patches/crda-optional-gcrypt.patch \ %D%/packages/patches/clucene-contribs-lib.patch \ %D%/packages/patches/cube-nocheck.patch \ + %D%/packages/patches/curl-CVE-2021-22890.patch \ + %D%/packages/patches/curl-CVE-2021-22876.patch \ %D%/packages/patches/curl-use-ssl-cert-env.patch \ %D%/packages/patches/cursynth-wave-rand.patch \ %D%/packages/patches/cvs-CVE-2017-12836.patch \ diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm index 730676875c..fa02f281cf 100644
--- a/gnu/packages/curl.scm +++ b/gnu/packages/curl.scm @@ -61,7 +61,9 @@ (sha256 (base32 "12w7gskrglg6qrmp822j37fmbr0icrcxv7rib1fy5xiw80n5z7cr")) - (patches (search-patches "curl-use-ssl-cert-env.patch")))) + (patches (search-patches "curl-use-ssl-cert-env.patch" + "curl-CVE-2021-22876.patch" + "curl-CVE-2021-22890.patch")))) (build-system gnu-build-system) (outputs '("out" "doc")) ;1.2 MiB of man3 pages diff --git a/gnu/packages/patches/curl-CVE-2021-22876.patch b/gnu/packages/= patches/curl-CVE-2021-22876.patch new file mode 100644 index 0000000000..b67a1be16a --- /dev/null +++ b/gnu/packages/patches/curl-CVE-2021-22876.patch 
@@ -0,0 +1,147 @@ +From 7214288898f5625a6cc196e22a74232eada7861c Mon Sep 17 00:00:00 2001 +From: Viktor Szakats +Date: Tue, 23 Feb 2021 14:54:46 +0100 +Subject: [PATCH] transfer: strip credentials from the auto-referer header + field + +Added test 2081 to verify. + +CVE-2021-22876 + +Bug: https://curl.se/docs/CVE-2021-22876.html +--- + lib/transfer.c | 25 ++++++++++++++-- + tests/data/Makefile.inc | 2 +- + tests/data/test2081 | 66 +++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 90 insertions(+), 3 deletions(-) + create mode 100644 tests/data/test2081 + +diff --git a/lib/transfer.c b/lib/transfer.c +index 1976bc0338bc..a68c021c84d6 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -1581,6 +1581,9 @@ CURLcode Curl_follow(struct Curl_easy *data, + data->state.followlocation++; /* count location-followers */ +=20 + if(data->set.http_auto_referer) { ++ CURLU *u; ++ char *referer; ++ + /* We are asked to automatically set the previous URL as the refe= rer + when we get the next URL. 
We pick the ->url field, which may o= r may + not be 100% correct */ +@@ -1590,9 +1593,27 @@ CURLcode Curl_follow(struct Curl_easy *data, + data->change.referer_alloc =3D FALSE; + } +=20 +- data->change.referer =3D strdup(data->change.url); +- if(!data->change.referer) ++ /* Make a copy of the URL without crenditals and fragment */ ++ u =3D curl_url(); ++ if(!u) ++ return CURLE_OUT_OF_MEMORY; ++ ++ uc =3D curl_url_set(u, CURLUPART_URL, data->change.url, 0); ++ if(!uc) ++ uc =3D curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0); ++ if(!uc) ++ uc =3D curl_url_set(u, CURLUPART_USER, NULL, 0); ++ if(!uc) ++ uc =3D curl_url_set(u, CURLUPART_PASSWORD, NULL, 0); ++ if(!uc) ++ uc =3D curl_url_get(u, CURLUPART_URL, &referer, 0); ++ ++ curl_url_cleanup(u); ++ ++ if(uc || referer =3D=3D NULL) + return CURLE_OUT_OF_MEMORY; ++ ++ data->change.referer =3D referer; + data->change.referer_alloc =3D TRUE; /* yes, free this later */ + } + } +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 2c7a0ca89fd8..ea52683d2254 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -225,7 +225,7 @@ test2064 test2065 test2066 test2067 test2068 test2069 \ + test2064 test2065 test2066 test2067 test2068 test2069 test2070 \ + test2071 test2072 test2073 test2074 test2075 test2076 test2077 \ + test2078 \ +-test2080 \ ++test2080 test2081 \ + test2100 \ + \ + test3000 test3001 test3002 test3003 test3004 test3005 test3006 test3007 \ +diff --git a/tests/data/test2081 b/tests/data/test2081 +new file mode 100644 +index 000000000000..a6733e737beb +--- /dev/null ++++ b/tests/data/test2081 +@@ -0,0 +1,66 @@ ++ ++ ++ ++HTTP ++HTTP GET ++referer ++followlocation ++--write-out ++ ++ ++ ++# Server-side ++ ++ ++HTTP/1.1 301 This is a weirdo text message swsclose=0D ++Location: data/%TESTNUMBER0002.txt?coolsite=3Dyes=0D ++Content-Length: 62=0D ++Connection: close=0D ++=0D ++This server reply is for testing a simple Location: following ++ ++ ++ ++# Client-side ++ ++ ++http ++ ++ 
++Automatic referrer credential and anchor stripping check ++ ++ ++http://user:pass@%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER#anchor --locat= ion --referer ';auto' --write-out '%{referer}\n' ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++ ++52 ++ ++ ++GET /we/want/our/%TESTNUMBER HTTP/1.1=0D ++Host: %HOSTIP:%HTTPPORT=0D ++Authorization: Basic dXNlcjpwYXNz=0D ++User-Agent: curl/%VERSION=0D ++Accept: */*=0D ++=0D ++GET /we/want/our/data/%TESTNUMBER0002.txt?coolsite=3Dyes HTTP/1.1=0D ++Host: %HOSTIP:%HTTPPORT=0D ++Authorization: Basic dXNlcjpwYXNz=0D ++User-Agent: curl/%VERSION=0D ++Accept: */*=0D ++Referer: http://%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER=0D ++=0D ++ ++ ++HTTP/1.1 301 This is a weirdo text message swsclose=0D ++Location: data/%TESTNUMBER0002.txt?coolsite=3Dyes=0D ++Content-Length: 62=0D ++Connection: close=0D ++=0D ++http://%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER ++ ++ ++ diff --git a/gnu/packages/patches/curl-CVE-2021-22890.patch b/gnu/packages/= patches/curl-CVE-2021-22890.patch new file mode 100644 index 0000000000..f01bc20530 --- /dev/null +++ b/gnu/packages/patches/curl-CVE-2021-22890.patch 
@@ -0,0 +1,499 @@ +From b09c8ee15771c614c4bf3ddac893cdb12187c844 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 19 Mar 2021 12:38:49 +0100 +Subject: [PATCH] vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid= () + +To make sure we set and extract the correct session. + +Reported-by: Mingtao Yang +Bug: https://curl.se/docs/CVE-2021-22890.html + +CVE-2021-22890 +--- + lib/vtls/bearssl.c | 8 +++++-- + lib/vtls/gtls.c | 12 ++++++---- + lib/vtls/mbedtls.c | 12 ++++++---- + lib/vtls/mesalink.c | 14 ++++++++---- + lib/vtls/openssl.c | 54 +++++++++++++++++++++++++++++++++----------- + lib/vtls/schannel.c | 10 ++++---- + lib/vtls/sectransp.c | 10 ++++---- + lib/vtls/vtls.c | 12 +++++++--- + lib/vtls/vtls.h | 2 ++ + lib/vtls/wolfssl.c | 13 +++++++---- + 10 files changed, 103 insertions(+), 44 deletions(-) + +diff --git a/lib/vtls/bearssl.c b/lib/vtls/bearssl.c +index 36c32d8d55be..39fc1a29209c 100644 +--- a/lib/vtls/bearssl.c ++++ b/lib/vtls/bearssl.c +@@ -375,7 +375,8 @@ static CURLcode bearssl_connect_step1(struct Curl_easy= *data, + void *session; +=20 + Curl_ssl_sessionid_lock(data); +- if(!Curl_ssl_getsessionid(data, conn, &session, NULL, sockindex)) { ++ if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE, ++ &session, NULL, sockindex)) { + br_ssl_engine_set_session_parameters(&backend->ctx.eng, session); + infof(data, "BearSSL: re-using session ID\n"); + } +@@ -571,10 +572,13 @@ static CURLcode bearssl_connect_step3(struct Curl_ea= sy *data, + br_ssl_engine_get_session_parameters(&backend->ctx.eng, session); + Curl_ssl_sessionid_lock(data); + incache =3D !(Curl_ssl_getsessionid(data, conn, ++ SSL_IS_PROXY() ? TRUE : FALSE, + &oldsession, NULL, sockindex)); + if(incache) + Curl_ssl_delsessionid(data, oldsession); +- ret =3D Curl_ssl_addsessionid(data, conn, session, 0, sockindex); ++ ret =3D Curl_ssl_addsessionid(data, conn, ++ SSL_IS_PROXY() ? 
TRUE : FALSE, ++ session, 0, sockindex); + Curl_ssl_sessionid_unlock(data); + if(ret) { + free(session); +diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c +index a75937b4646c..3b0d940a60e1 100644 +--- a/lib/vtls/gtls.c ++++ b/lib/vtls/gtls.c +@@ -727,6 +727,7 @@ gtls_connect_step1(struct Curl_easy *data, +=20 + Curl_ssl_sessionid_lock(data); + if(!Curl_ssl_getsessionid(data, conn, ++ SSL_IS_PROXY() ? TRUE : FALSE, + &ssl_sessionid, &ssl_idsize, sockindex)) { + /* we got a session id, use it! */ + gnutls_session_set_data(session, ssl_sessionid, ssl_idsize); +@@ -1286,8 +1287,9 @@ gtls_connect_step3(struct Curl_easy *data, + gnutls_session_get_data(session, connect_sessionid, &connect_idsize= ); +=20 + Curl_ssl_sessionid_lock(data); +- incache =3D !(Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NUL= L, +- sockindex)); ++ incache =3D !(Curl_ssl_getsessionid(data, conn, ++ SSL_IS_PROXY() ? TRUE : FALSE, ++ &ssl_sessionid, NULL, sockindex)); + if(incache) { + /* there was one before in the cache, so instead of risking that = the + previous one was rejected, we just kill that and store the new= */ +@@ -1295,8 +1297,10 @@ gtls_connect_step3(struct Curl_easy *data, + } +=20 + /* store this session id */ +- result =3D Curl_ssl_addsessionid(data, conn, connect_sessionid, +- connect_idsize, sockindex); ++ result =3D Curl_ssl_addsessionid(data, conn, ++ SSL_IS_PROXY() ? TRUE : FALSE, ++ connect_sessionid, connect_idsize, ++ sockindex); + Curl_ssl_sessionid_unlock(data); + if(result) { + free(connect_sessionid); +diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c +index 95cd4d99b665..93a7ac1fd87d 100644 +--- a/lib/vtls/mbedtls.c ++++ b/lib/vtls/mbedtls.c +@@ -463,7 +463,9 @@ mbed_connect_step1(struct Curl_easy *data, struct conn= ectdata *conn, + void *old_session =3D NULL; +=20 + Curl_ssl_sessionid_lock(data); +- if(!Curl_ssl_getsessionid(data, conn, &old_session, NULL, sockindex))= { ++ if(!Curl_ssl_getsessionid(data, conn, ++ SSL_IS_PROXY() ? 
TRUE : FALSE, ++ &old_session, NULL, sockindex)) { + ret =3D mbedtls_ssl_set_session(&backend->ssl, old_session); + if(ret) { + Curl_ssl_sessionid_unlock(data); +@@ -724,6 +726,7 @@ mbed_connect_step3(struct Curl_easy *data, struct conn= ectdata *conn, + int ret; + mbedtls_ssl_session *our_ssl_sessionid; + void *old_ssl_sessionid =3D NULL; ++ bool isproxy =3D SSL_IS_PROXY() ? TRUE : FALSE; +=20 + our_ssl_sessionid =3D malloc(sizeof(mbedtls_ssl_session)); + if(!our_ssl_sessionid) +@@ -742,11 +745,12 @@ mbed_connect_step3(struct Curl_easy *data, struct co= nnectdata *conn, +=20 + /* If there's already a matching session in the cache, delete it */ + Curl_ssl_sessionid_lock(data); +- if(!Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL, socki= ndex)) ++ if(!Curl_ssl_getsessionid(data, conn, isproxy, &old_ssl_sessionid, NU= LL, ++ sockindex)) + Curl_ssl_delsessionid(data, old_ssl_sessionid); +=20 +- retcode =3D Curl_ssl_addsessionid(data, conn, +- our_ssl_sessionid, 0, sockindex); ++ retcode =3D Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessio= nid, ++ 0, sockindex); + Curl_ssl_sessionid_unlock(data); + if(retcode) { + mbedtls_ssl_session_free(our_ssl_sessionid); +diff --git a/lib/vtls/mesalink.c b/lib/vtls/mesalink.c +index 4f1ab8627f49..5d6a1495d790 100644 +--- a/lib/vtls/mesalink.c ++++ b/lib/vtls/mesalink.c +@@ -261,7 +261,9 @@ mesalink_connect_step1(struct Curl_easy *data, + void *ssl_sessionid =3D NULL; +=20 + Curl_ssl_sessionid_lock(data); +- if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex= )) { ++ if(!Curl_ssl_getsessionid(data, conn, ++ SSL_IS_PROXY() ? TRUE : FALSE, ++ &ssl_sessionid, NULL, sockindex)) { + /* we got a session id, use it! 
*/ + if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) { + Curl_ssl_sessionid_unlock(data); +@@ -345,13 +347,14 @@ mesalink_connect_step3(struct connectdata *conn, int= sockindex) + bool incache; + SSL_SESSION *our_ssl_sessionid; + void *old_ssl_sessionid =3D NULL; ++ bool isproxy =3D SSL_IS_PROXY() ? TRUE : FALSE; +=20 + our_ssl_sessionid =3D SSL_get_session(BACKEND->handle); +=20 + Curl_ssl_sessionid_lock(data); + incache =3D +- !(Curl_ssl_getsessionid(data, conn, +- &old_ssl_sessionid, NULL, sockindex)); ++ !(Curl_ssl_getsessionid(data, conn, isproxy, &old_ssl_sessionid, NU= LL, ++ sockindex)); + if(incache) { + if(old_ssl_sessionid !=3D our_ssl_sessionid) { + infof(data, "old SSL session ID is stale, removing\n"); +@@ -361,8 +364,9 @@ mesalink_connect_step3(struct connectdata *conn, int s= ockindex) + } +=20 + if(!incache) { +- result =3D Curl_ssl_addsessionid( +- data, conn, our_ssl_sessionid, 0 /* unknown size */, sockindex); ++ result =3D ++ Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid, 0, ++ sockindex); + if(result) { + Curl_ssl_sessionid_unlock(data); + failf(data, "failed to store ssl session"); +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index 498f8b9d1d08..68b98984b460 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -393,12 +393,23 @@ static int ossl_get_ssl_conn_index(void) + */ + static int ossl_get_ssl_sockindex_index(void) + { +- static int ssl_ex_data_sockindex_index =3D -1; +- if(ssl_ex_data_sockindex_index < 0) { +- ssl_ex_data_sockindex_index =3D SSL_get_ex_new_index(0, NULL, NULL, N= ULL, +- NULL); ++ static int sockindex_index =3D -1; ++ if(sockindex_index < 0) { ++ sockindex_index =3D SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); + } +- return ssl_ex_data_sockindex_index; ++ return sockindex_index; ++} ++ ++/* Return an extra data index for proxy boolean. ++ * This index can be used with SSL_get_ex_data() and SSL_set_ex_data(). 
++ */ ++static int ossl_get_proxy_index(void) ++{ ++ static int proxy_index =3D -1; ++ if(proxy_index < 0) { ++ proxy_index =3D SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); ++ } ++ return proxy_index; + } +=20 + static int passwd_callback(char *buf, int num, int encrypting, +@@ -1174,7 +1185,7 @@ static int ossl_init(void) +=20 + /* Initialize the extra data indexes */ + if(ossl_get_ssl_data_index() < 0 || ossl_get_ssl_conn_index() < 0 || +- ossl_get_ssl_sockindex_index() < 0) ++ ossl_get_ssl_sockindex_index() < 0 || ossl_get_proxy_index() < 0) + return 0; +=20 + return 1; +@@ -2432,8 +2443,10 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSIO= N *ssl_sessionid) + int data_idx =3D ossl_get_ssl_data_index(); + int connectdata_idx =3D ossl_get_ssl_conn_index(); + int sockindex_idx =3D ossl_get_ssl_sockindex_index(); ++ int proxy_idx =3D ossl_get_proxy_index(); ++ bool isproxy; +=20 +- if(data_idx < 0 || connectdata_idx < 0 || sockindex_idx < 0) ++ if(data_idx < 0 || connectdata_idx < 0 || sockindex_idx < 0 || proxy_id= x < 0) + return 0; +=20 + conn =3D (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx); +@@ -2446,13 +2459,18 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSI= ON *ssl_sessionid) + sockindex_ptr =3D (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx); + sockindex =3D (int)(sockindex_ptr - conn->sock); +=20 ++ isproxy =3D SSL_get_ex_data(ssl, proxy_idx) ? 
TRUE : FALSE; ++ + if(SSL_SET_OPTION(primary.sessionid)) { + bool incache; + void *old_ssl_sessionid =3D NULL; +=20 + Curl_ssl_sessionid_lock(data); +- incache =3D !(Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, N= ULL, +- sockindex)); ++ if(isproxy) ++ incache =3D FALSE; ++ else ++ incache =3D !(Curl_ssl_getsessionid(data, conn, isproxy, ++ &old_ssl_sessionid, NULL, sockind= ex)); + if(incache) { + if(old_ssl_sessionid !=3D ssl_sessionid) { + infof(data, "old SSL session ID is stale, removing\n"); +@@ -2462,8 +2480,8 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION= *ssl_sessionid) + } +=20 + if(!incache) { +- if(!Curl_ssl_addsessionid(data, conn, ssl_sessionid, +- 0 /* unknown size */, sockindex)) { ++ if(!Curl_ssl_addsessionid(data, conn, isproxy, ssl_sessionid, ++ 0 /* unknown size */, sockindex)) { + /* the session has been put into the session cache */ + res =3D 1; + } +@@ -3193,17 +3211,27 @@ static CURLcode ossl_connect_step1(struct Curl_eas= y *data, + int data_idx =3D ossl_get_ssl_data_index(); + int connectdata_idx =3D ossl_get_ssl_conn_index(); + int sockindex_idx =3D ossl_get_ssl_sockindex_index(); ++ int proxy_idx =3D ossl_get_proxy_index(); +=20 +- if(data_idx >=3D 0 && connectdata_idx >=3D 0 && sockindex_idx >=3D 0)= { ++ if(data_idx >=3D 0 && connectdata_idx >=3D 0 && sockindex_idx >=3D 0 = && ++ proxy_idx >=3D 0) { + /* Store the data needed for the "new session" callback. + * The sockindex is stored as a pointer to an array element. */ + SSL_set_ex_data(backend->handle, data_idx, data); + SSL_set_ex_data(backend->handle, connectdata_idx, conn); + SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockin= dex); ++#ifndef CURL_DISABLE_PROXY ++ SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? 
(void = *) 1: ++ NULL); ++#else ++ SSL_set_ex_data(backend->handle, proxy_idx, NULL); ++#endif ++ + } +=20 + Curl_ssl_sessionid_lock(data); +- if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex= )) { ++ if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE, ++ &ssl_sessionid, NULL, sockindex)) { + /* we got a session id, use it! */ + if(!SSL_set_session(backend->handle, ssl_sessionid)) { + Curl_ssl_sessionid_unlock(data); +diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c +index d7b89d43f892..931bd853eb8e 100644 +--- a/lib/vtls/schannel.c ++++ b/lib/vtls/schannel.c +@@ -496,6 +496,7 @@ schannel_connect_step1(struct Curl_easy *data, struct = connectdata *conn, + if(SSL_SET_OPTION(primary.sessionid)) { + Curl_ssl_sessionid_lock(data); + if(!Curl_ssl_getsessionid(data, conn, ++ SSL_IS_PROXY() ? TRUE : FALSE, + (void **)&old_cred, NULL, sockindex)) { + BACKEND->cred =3D old_cred; + DEBUGF(infof(data, "schannel: re-using existing credential handle\n= ")); +@@ -1337,8 +1338,9 @@ schannel_connect_step3(struct Curl_easy *data, struc= t connectdata *conn, + struct ssl_connect_data *connssl =3D &conn->ssl[sockindex]; + SECURITY_STATUS sspi_status =3D SEC_E_OK; + CERT_CONTEXT *ccert_context =3D NULL; ++ bool isproxy =3D SSL_IS_PROXY(); + #ifdef DEBUGBUILD +- const char * const hostname =3D SSL_IS_PROXY() ? conn->http_proxy.host.= name : ++ const char * const hostname =3D isproxy ? 
conn->http_proxy.host.name : + conn->host.name; + #endif + #ifdef HAS_ALPN +@@ -1414,8 +1416,8 @@ schannel_connect_step3(struct Curl_easy *data, struc= t connectdata *conn, + struct Curl_schannel_cred *old_cred =3D NULL; +=20 + Curl_ssl_sessionid_lock(data); +- incache =3D !(Curl_ssl_getsessionid(data, conn, (void **)&old_cred, N= ULL, +- sockindex)); ++ incache =3D !(Curl_ssl_getsessionid(data, conn, isproxy, (void **)&ol= d_cred, ++ NULL, sockindex)); + if(incache) { + if(old_cred !=3D BACKEND->cred) { + DEBUGF(infof(data, +@@ -1426,7 +1428,7 @@ schannel_connect_step3(struct Curl_easy *data, struc= t connectdata *conn, + } + } + if(!incache) { +- result =3D Curl_ssl_addsessionid(data, conn, (void *)BACKEND->cred, ++ result =3D Curl_ssl_addsessionid(data, conn, isproxy, BACKEND->cred, + sizeof(struct Curl_schannel_cred), + sockindex); + if(result) { +diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c +index 05b57dfaad91..e69b99b72cd6 100644 +--- a/lib/vtls/sectransp.c ++++ b/lib/vtls/sectransp.c +@@ -1400,10 +1400,12 @@ static CURLcode sectransp_connect_step1(struct Cur= l_easy *data, + char * const ssl_cert =3D SSL_SET_OPTION(primary.clientcert); + const struct curl_blob *ssl_cert_blob =3D SSL_SET_OPTION(primary.cert_b= lob); + #ifndef CURL_DISABLE_PROXY +- const char * const hostname =3D SSL_IS_PROXY() ? conn->http_proxy.host.= name : ++ bool isproxy =3D SSL_IS_PROXY(); ++ const char * const hostname =3D isproxy ? conn->http_proxy.host.name : + conn->host.name; + const long int port =3D SSL_IS_PROXY() ? 
conn->port : conn->remote_port; + #else ++ const isproxy =3D FALSE; + const char * const hostname =3D conn->host.name; + const long int port =3D conn->remote_port; + #endif +@@ -1613,7 +1615,7 @@ static CURLcode sectransp_connect_step1(struct Curl_= easy *data, + #ifdef USE_NGHTTP2 + if(data->state.httpversion >=3D CURL_HTTP_VERSION_2 + #ifndef CURL_DISABLE_PROXY +- && (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy) ++ && (!isproxy || !conn->bits.tunnel_proxy) + #endif + ) { + CFArrayAppendValue(alpnArr, CFSTR(NGHTTP2_PROTO_VERSION_ID)); +@@ -1953,7 +1955,7 @@ static CURLcode sectransp_connect_step1(struct Curl_= easy *data, + size_t ssl_sessionid_len; +=20 + Curl_ssl_sessionid_lock(data); +- if(!Curl_ssl_getsessionid(data, conn, (void **)&ssl_sessionid, ++ if(!Curl_ssl_getsessionid(data, conn, isproxy, (void **)&ssl_sessioni= d, + &ssl_sessionid_len, sockindex)) { + /* we got a session id, use it! */ + err =3D SSLSetPeerID(backend->ssl_ctx, ssl_sessionid, ssl_sessionid= _len); +@@ -1981,7 +1983,7 @@ static CURLcode sectransp_connect_step1(struct Curl_= easy *data, + return CURLE_SSL_CONNECT_ERROR; + } +=20 +- result =3D Curl_ssl_addsessionid(data, conn, ssl_sessionid, ++ result =3D Curl_ssl_addsessionid(data, conn, isproxy, ssl_sessionid, + ssl_sessionid_len, sockindex); + Curl_ssl_sessionid_unlock(data); + if(result) { +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index 6a0069237fdb..95fd6356285f 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -367,6 +367,7 @@ void Curl_ssl_sessionid_unlock(struct Curl_easy *data) + */ + bool Curl_ssl_getsessionid(struct Curl_easy *data, + struct connectdata *conn, ++ const bool isProxy, + void **ssl_sessionid, + size_t *idsize, /* set 0 if unknown */ + int sockindex) +@@ -377,7 +378,6 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data, + bool no_match =3D TRUE; +=20 + #ifndef CURL_DISABLE_PROXY +- const bool isProxy =3D CONNECT_PROXY_SSL(); + struct ssl_primary_config * const ssl_config =3D isProxy ? 
+ &conn->proxy_ssl_config : + &conn->ssl_config; +@@ -389,10 +389,15 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data, + struct ssl_primary_config * const ssl_config =3D &conn->ssl_config; + const char * const name =3D conn->host.name; + int port =3D conn->remote_port; +- (void)sockindex; + #endif ++ (void)sockindex; + *ssl_sessionid =3D NULL; +=20 ++#ifdef CURL_DISABLE_PROXY ++ if(isProxy) ++ return TRUE; ++#endif ++ + DEBUGASSERT(SSL_SET_OPTION(primary.sessionid)); +=20 + if(!SSL_SET_OPTION(primary.sessionid)) +@@ -480,6 +485,7 @@ void Curl_ssl_delsessionid(struct Curl_easy *data, voi= d *ssl_sessionid) + */ + CURLcode Curl_ssl_addsessionid(struct Curl_easy *data, + struct connectdata *conn, ++ bool isProxy, + void *ssl_sessionid, + size_t idsize, + int sockindex) +@@ -492,7 +498,6 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data, + int conn_to_port; + long *general_age; + #ifndef CURL_DISABLE_PROXY +- const bool isProxy =3D CONNECT_PROXY_SSL(); + struct ssl_primary_config * const ssl_config =3D isProxy ? 
+ &conn->proxy_ssl_config : + &conn->ssl_config; +@@ -505,6 +510,7 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data, + const char *hostname =3D conn->host.name; + (void)sockindex; + #endif ++ (void)sockindex; + DEBUGASSERT(SSL_SET_OPTION(primary.sessionid)); +=20 + clone_host =3D strdup(hostname); +diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h +index 273184f1894a..2b43e7744b19 100644 +--- a/lib/vtls/vtls.h ++++ b/lib/vtls/vtls.h +@@ -235,6 +235,7 @@ void Curl_ssl_sessionid_unlock(struct Curl_easy *data); + */ + bool Curl_ssl_getsessionid(struct Curl_easy *data, + struct connectdata *conn, ++ const bool isproxy, + void **ssl_sessionid, + size_t *idsize, /* set 0 if unknown */ + int sockindex); +@@ -245,6 +246,7 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data, + */ + CURLcode Curl_ssl_addsessionid(struct Curl_easy *data, + struct connectdata *conn, ++ const bool isProxy, + void *ssl_sessionid, + size_t idsize, + int sockindex); +diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c +index 7159ac9d5e64..8fb2ea7acf31 100644 +--- a/lib/vtls/wolfssl.c ++++ b/lib/vtls/wolfssl.c +@@ -516,7 +516,9 @@ wolfssl_connect_step1(struct Curl_easy *data, struct c= onnectdata *conn, + void *ssl_sessionid =3D NULL; +=20 + Curl_ssl_sessionid_lock(data); +- if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex= )) { ++ if(!Curl_ssl_getsessionid(data, conn, ++ SSL_IS_PROXY() ? TRUE : FALSE, ++ &ssl_sessionid, NULL, sockindex)) { + /* we got a session id, use it! */ + if(!SSL_set_session(backend->handle, ssl_sessionid)) { + char error_buffer[WOLFSSL_MAX_ERROR_SZ]; +@@ -772,11 +774,12 @@ wolfssl_connect_step3(struct Curl_easy *data, struct= connectdata *conn, + bool incache; + void *old_ssl_sessionid =3D NULL; + SSL_SESSION *our_ssl_sessionid =3D SSL_get_session(backend->handle); ++ bool isproxy =3D SSL_IS_PROXY() ? 
TRUE : FALSE; +=20 + if(our_ssl_sessionid) { + Curl_ssl_sessionid_lock(data); +- incache =3D !(Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid,= NULL, +- sockindex)); ++ incache =3D !(Curl_ssl_getsessionid(data, conn, isproxy, ++ &old_ssl_sessionid, NULL, sockind= ex)); + if(incache) { + if(old_ssl_sessionid !=3D our_ssl_sessionid) { + infof(data, "old SSL session ID is stale, removing\n"); +@@ -786,8 +789,8 @@ wolfssl_connect_step3(struct Curl_easy *data, struct c= onnectdata *conn, + } +=20 + if(!incache) { +- result =3D Curl_ssl_addsessionid(data, conn, our_ssl_sessionid, +- 0 /* unknown size */, sockindex); ++ result =3D Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_ses= sionid, ++ 0, sockindex); + if(result) { + Curl_ssl_sessionid_unlock(data); + failf(data, "failed to store ssl session");
--
2.31.1
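Review bot: in the sectransp.c `sectransp_connect_step1` hunk, the `#else` (CURL_DISABLE_PROXY) branch adds `const isproxy = FALSE;` with no type, an implicit-int declaration that C99 removed; compilers at least warn on it and recent ones reject it, so a proxy-disabled build breaks on this line. It should read `const bool isproxy = FALSE;`, and the `#ifndef` branch could also switch `const long int port = SSL_IS_PROXY() ? ...` to the freshly introduced `isproxy`, as the `hostname` line just above it already does.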
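Review bot: the vtls.h hunk spells the new parameter `isproxy` in the `Curl_ssl_getsessionid` prototype but `isProxy` in the `Curl_ssl_addsessionid` prototype, while the vtls.c definition of `Curl_ssl_getsessionid` uses `isProxy`; use one spelling in both prototypes and both definitions so declaration and definition read the same.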
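Review bot: in the vtls.c `Curl_ssl_addsessionid` hunk, `(void)sockindex;` is added after `#endif` while the existing copy inside the `#else` branch is left in place, so CURL_DISABLE_PROXY builds get the cast twice; the `Curl_ssl_getsessionid` hunk just above removes the `#else` copy (`- (void)sockindex;`) before adding the unconditional one, and this hunk should mirror that.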
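Review bot: in the ossl.c `ossl_new_session_cb` hunk, the `if(isproxy) incache = FALSE;` branch skips the session-cache lookup entirely for proxy connections, so every proxy handshake goes straight to `Curl_ssl_addsessionid`, whereas `ossl_connect_step1` still performs a proxy-aware lookup with `SSL_IS_PROXY() ? TRUE : FALSE`; a one-line comment stating why the callback must not consult the cache in the proxy case would stop the next reader from treating the asymmetry as an oversight.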
From: Leo Famulari
To: Léo Le Bouter via Bug reports for GNU Guix
Cc: 47563@debbugs.gnu.org, Léo Le Bouter
Subject: Re: bug#47563: [PATCH 0/1] gnu: curl: Fix CVE-2021-22876 and CVE-2021-22890.
Date: Fri, 2 Apr 2021 14:22:06 -0400
In-Reply-To: <20210402140940.28300-1-lle-bout@zaclys.net>

On Fri, Apr 02, 2021 at 04:09:39PM +0200, Léo Le Bouter via Bug reports for GNU Guix wrote:
> curl-CVE-2021-22876.patch was rebased onto 7.74.0, but curl-CVE-2021-22890.patch
> does not apply and I need help rebasing it, please; it looks quite complex.
>
> I pushed an upgrade of curl to 7.76.0, which has been much much easier, to
> core-updates already as
> https://git.savannah.gnu.org/cgit/guix.git/commit/?h=core-updates&id=2e0b1b62e94b926041ca9af70537dd9b3ab64edf
> but unfortunately since curl requires so many rebuilds it seems we can't use
> such a commit on master for now.

Can we try grafting an "upgrade" to 7.76.0? In my experience, most curl upgrades are graftable.

Curl's developers are very careful with their ABI and even maintain their own page on the subject:

From: Léo Le Bouter
To: Leo Famulari, Léo Le Bouter via Bug reports for GNU Guix
Cc: 47563@debbugs.gnu.org
Subject: Re: bug#47563: [PATCH 0/1] gnu: curl: Fix CVE-2021-22876 and CVE-2021-22890.
Date: Fri, 02 Apr 2021 20:43:59 +0200

On Fri, 2021-04-02 at 14:22 -0400, Leo Famulari wrote:
>
> Can we try grafting an "upgrade" to 7.76.0? In my experience, most
> curl
> upgrades are graftable.
>
> Curl's developers are very careful with their ABI and even maintain
> their own page on the subject:

If you think that's OK, let's do it! I see indeed from that page there should be no problem. Will send a patch shortly.

From: Léo Le Bouter
To: 47563@debbugs.gnu.org
Cc: Léo Le Bouter
Subject: [PATCH] gnu: curl: Update to 7.76.0 [security fixes].
Date: Fri, 2 Apr 2021 21:24:09 +0200
Message-Id: <20210402192409.22018-1-lle-bout@zaclys.net>

Fixes CVE-2021-22876 and CVE-2021-22890.

* gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/curl.scm (curl/fixed): New variable. Apply patch.
(curl)[replacement]: Graft.
---
 gnu/local.mk                                  |  1 +
 gnu/packages/curl.scm                         | 14 ++++
 .../patches/curl-7.76-use-ssl-cert-env.patch  | 64 +++++++++++++++++++
 3 files changed, 79 insertions(+)
 create mode 100644 gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch

diff --git a/gnu/local.mk b/gnu/local.mk index 1a767a6c89..0d472072ae 100644 --- a/gnu/local.mk +++ b/gnu/local.mk
@@ -920,6 +920,7 @@ dist_patch_DATA = \ %D%/packages/patches/clucene-contribs-lib.patch \ %D%/packages/patches/cube-nocheck.patch \ %D%/packages/patches/curl-use-ssl-cert-env.patch \ + %D%/packages/patches/curl-7.76-use-ssl-cert-env.patch \ %D%/packages/patches/cursynth-wave-rand.patch \ %D%/packages/patches/cvs-CVE-2017-12836.patch \ %D%/packages/patches/cyrus-sasl-ac-try-run-fix.patch \ diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm index 730676875c..5608d556e7 100644 --- a/gnu/packages/curl.scm +++ b/gnu/packages/curl.scm @@ -62,6 +62,7 @@ (base32 "12w7gskrglg6qrmp822j37fmbr0icrcxv7rib1fy5xiw80n5z7cr")) (patches (search-patches "curl-use-ssl-cert-env.patch")))) + (replacement curl/fixed) (build-system gnu-build-system) (outputs '("out" "doc")) ;1.2 MiB of man3 pages @@ -151,6 +152,19 @@ tunneling, and so on.") (name "curl-minimal") (inputs (alist-delete "openldap" (package-inputs curl)))))) +(define-public curl/fixed + (package + (inherit curl) + (version "7.76.0") + (source + (origin + (inherit (package-source curl)) + (uri (string-append "https://curl.haxx.se/download/curl-" + version ".tar.xz")) + (sha256 + (base32 + "1j2g04m6als6hmqzvddv84c31m0x90bfgyz3bjrwdkarbkby40k3")))))) + (define-public kurly (package (name "kurly") diff --git a/gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch b/gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch new file mode 100644 index 0000000000..24be6e31d9 --- /dev/null +++ b/gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch 
@@ -0,0 +1,64 @@ +Make libcurl respect the SSL_CERT_{DIR,FILE} variables by default. The variables +are fetched during initialization to preserve thread-safety (curl_global_init(3) +must be called when no other threads exist). + +This fixes network functionality in rust:cargo, and probably removes the need +for other future workarounds. +=================================================================== +--- curl-7.66.0.orig/lib/easy.c 2020-01-02 15:43:11.883921171 +0100 ++++ curl-7.66.0/lib/easy.c 2020-01-02 16:18:54.691882797 +0100 +@@ -134,6 +134,9 @@ + # pragma warning(default:4232) /* MSVC extension, dllimport identity */ + #endif + ++char * Curl_ssl_cert_dir = NULL; ++char * Curl_ssl_cert_file = NULL; ++ + /** + * curl_global_init() globally initializes curl given a bitwise set of the + * different features of what to initialize. +@@ -155,6 +158,9 @@ + #endif + } + ++ Curl_ssl_cert_dir = curl_getenv("SSL_CERT_DIR"); ++ Curl_ssl_cert_file = curl_getenv("SSL_CERT_FILE"); ++ + if(!Curl_ssl_init()) { + DEBUGF(fprintf(stderr, "Error: Curl_ssl_init failed\n")); + return CURLE_FAILED_INIT; +@@ -260,6 +266,9 @@ + Curl_ssl_cleanup(); + Curl_resolver_global_cleanup(); + ++ free(Curl_ssl_cert_dir); ++ free(Curl_ssl_cert_file); ++ + #ifdef WIN32 + Curl_win32_cleanup(init_flags); + #endif +diff -ur curl-7.66.0.orig/lib/url.c curl-7.66.0/lib/url.c +--- curl-7.66.0.orig/lib/url.c 2020-01-02 15:43:11.883921171 +0100 ++++ curl-7.66.0/lib/url.c 2020-01-02 16:21:11.563880346 +0100 +@@ -524,6 +524,21 @@ + if(result) + return result; + #endif ++ extern char * Curl_ssl_cert_dir; ++ extern char * Curl_ssl_cert_file; ++ if(Curl_ssl_cert_dir) { ++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], Curl_ssl_cert_dir)) ++ return result; ++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_PROXY], Curl_ssl_cert_dir)) ++ return result; ++ } ++ ++ if(Curl_ssl_cert_file) { ++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], Curl_ssl_cert_file)) ++ return result; ++ 
if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_PROXY], Curl_ssl_cert_file)) ++ return result; ++ } + } + + set->wildcard_enabled = FALSE;
--
2.31.1
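Review bot: the curl.scm hunk defines `curl/fixed` with `(inherit (package-source curl))` but never sets `patches`, so the replacement origin inherits the parent's `curl-use-ssl-cert-env.patch` instead of the new `curl-7.76-use-ssl-cert-env.patch` that the local.mk hunk registers and that this series adds; add `(patches (search-patches "curl-7.76-use-ssl-cert-env.patch"))` to the origin, otherwise the 7.66-era patch is applied to the 7.76.0 tarball and the new file is never used.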
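Review bot: the new `curl-7.76-use-ssl-cert-env.patch` still carries `--- curl-7.66.0.orig/lib/easy.c` / `+++ curl-7.66.0/lib/easy.c` headers and the 7.66-era hunk offsets (`@@ -134,6 +134,9 @@`, `@@ -524,6 +524,21 @@`), so the file name promises a 7.76.0 rebase that its contents do not show; regenerate it against the 7.76.0 tree (or note in its description that it applies with offset) so the hunks can be checked against the source they target. Separately, `if(result = Curl_setstropt(...))` assigns inside the condition, which trips -Wparentheses; `result = ...; if(result) return result;` matches the surrounding style (`+ if(result) + return result;`).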

From: Léo Le Bouter
To: 47563@debbugs.gnu.org
Cc: Léo Le Bouter
Subject: [PATCH v2] gnu: curl: Update to 7.76.0 [security fixes].
Date: Fri, 2 Apr 2021 21:33:02 +0200
Message-Id: <20210402193302.23602-1-lle-bout@zaclys.net>

Fixes CVE-2021-22876 and CVE-2021-22890.

* gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/curl.scm (curl/fixed): New variable. Apply patch.
(curl)[replacement]: Graft.
---
 gnu/local.mk                                  |  1 +
 gnu/packages/curl.scm                         | 15 +++++
 .../patches/curl-7.76-use-ssl-cert-env.patch  | 64 +++++++++++++++++++
 3 files changed, 80 insertions(+)
 create mode 100644 gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch

diff --git a/gnu/local.mk b/gnu/local.mk index 1a767a6c89..0d472072ae 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -920,6 +920,7 @@ dist_patch_DATA = \ %D%/packages/patches/clucene-contribs-lib.patch \ %D%/packages/patches/cube-nocheck.patch \ %D%/packages/patches/curl-use-ssl-cert-env.patch \ + %D%/packages/patches/curl-7.76-use-ssl-cert-env.patch \ %D%/packages/patches/cursynth-wave-rand.patch \ %D%/packages/patches/cvs-CVE-2017-12836.patch \ %D%/packages/patches/cyrus-sasl-ac-try-run-fix.patch \ diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm index 730676875c..94dc51cfc5 100644 --- a/gnu/packages/curl.scm +++ b/gnu/packages/curl.scm
@@ -62,6 +62,7 @@ (base32 "12w7gskrglg6qrmp822j37fmbr0icrcxv7rib1fy5xiw80n5z7cr")) (patches (search-patches "curl-use-ssl-cert-env.patch")))) + (replacement curl/fixed) (build-system gnu-build-system) (outputs '("out" "doc")) ;1.2 MiB of man3 pages @@ -151,6 +152,20 @@ tunneling, and so on.") (name "curl-minimal") (inputs (alist-delete "openldap" (package-inputs curl)))))) +(define-public curl/fixed + (package + (inherit curl) + (version "7.76.0") + (source + (origin + (inherit (package-source curl)) + (uri (string-append "https://curl.haxx.se/download/curl-" + version ".tar.xz")) + (patches (search-patches "curl-7.76-use-ssl-cert-env.patch")) + (sha256 + (base32 + "1j2g04m6als6hmqzvddv84c31m0x90bfgyz3bjrwdkarbkby40k3")))))) + (define-public kurly (package (name "kurly") diff --git a/gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch b/gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch new file mode 100644 index 0000000000..24be6e31d9 --- /dev/null +++ b/gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch 
@@ -0,0 +1,64 @@ +Make libcurl respect the SSL_CERT_{DIR,FILE} variables by default. The variables +are fetched during initialization to preserve thread-safety (curl_global_init(3) +must be called when no other threads exist). + +This fixes network functionality in rust:cargo, and probably removes the need +for other future workarounds. +=================================================================== +--- curl-7.66.0.orig/lib/easy.c 2020-01-02 15:43:11.883921171 +0100 ++++ curl-7.66.0/lib/easy.c 2020-01-02 16:18:54.691882797 +0100 +@@ -134,6 +134,9 @@ + # pragma warning(default:4232) /* MSVC extension, dllimport identity */ + #endif + ++char * Curl_ssl_cert_dir = NULL; ++char * Curl_ssl_cert_file = NULL; ++ + /** + * curl_global_init() globally initializes curl given a bitwise set of the + * different features of what to initialize. +@@ -155,6 +158,9 @@ + #endif + } + ++ Curl_ssl_cert_dir = curl_getenv("SSL_CERT_DIR"); ++ Curl_ssl_cert_file = curl_getenv("SSL_CERT_FILE"); ++ + if(!Curl_ssl_init()) { + DEBUGF(fprintf(stderr, "Error: Curl_ssl_init failed\n")); + return CURLE_FAILED_INIT; +@@ -260,6 +266,9 @@ + Curl_ssl_cleanup(); + Curl_resolver_global_cleanup(); + ++ free(Curl_ssl_cert_dir); ++ free(Curl_ssl_cert_file); ++ + #ifdef WIN32 + Curl_win32_cleanup(init_flags); + #endif +diff -ur curl-7.66.0.orig/lib/url.c curl-7.66.0/lib/url.c +--- curl-7.66.0.orig/lib/url.c 2020-01-02 15:43:11.883921171 +0100 ++++ curl-7.66.0/lib/url.c 2020-01-02 16:21:11.563880346 +0100 +@@ -524,6 +524,21 @@ + if(result) + return result; + #endif ++ extern char * Curl_ssl_cert_dir; ++ extern char * Curl_ssl_cert_file; ++ if(Curl_ssl_cert_dir) { ++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], Curl_ssl_cert_dir)) ++ return result; ++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_PROXY], Curl_ssl_cert_dir)) ++ return result; ++ } ++ ++ if(Curl_ssl_cert_file) { ++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], Curl_ssl_cert_file)) ++ return result; ++ 
if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_PROXY], Curl_ssl_cert_file)) ++ return result; ++ } + } + + set->wildcard_enabled = FALSE; -- 2.31.1
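Review bot: the `(replacement curl/fixed)` graft added in the first curl.scm hunk is inherited by any package defined with `(inherit curl)`, and the context lines of the second hunk show curl-minimal deriving its inputs from curl with openldap removed; check whether curl-minimal is now grafted with a curl/fixed that was built with openldap, and give it its own replacement if so. Since a graft swaps the fixed library into already-built dependents without rebuilding them, the commit message should also say that the 7.76.0 build keeps the same libcurl soname as the package it replaces.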
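Review bot: in the curl_global_cleanup hunk of curl-7.76-use-ssl-cert-env.patch, `free(Curl_ssl_cert_dir); free(Curl_ssl_cert_file);` leaves both globals dangling; the url.c hunk later tests and dereferences those same pointers, so reset them after freeing (`Curl_ssl_cert_dir = NULL; Curl_ssl_cert_file = NULL;`) to make a read between cleanup and the next curl_global_init a no-op rather than a use of freed memory.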
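Review bot: the url.c hunk assigns inside the condition, `if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], Curl_ssl_cert_dir))`, which -Wparentheses flags and which the surrounding code avoids (the context just above uses `if(result) return result;`); write `result = Curl_setstropt(...); if(result) return result;` for each of the four calls. The block-scope `extern char * Curl_ssl_cert_dir;` declarations would be better placed in a shared header so their types cannot drift from the definitions in easy.c. The patch header explains that the variables are read at initialization for thread-safety; it should also state plainly that the process environment now selects the CA directory and CA bundle for every libcurl consumer, which is the intended effect for rust:cargo but worth knowing for any program that inherits an untrusted environment.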
From debbugs-submit-bounces@debbugs.gnu.org Fri Apr 02 15:34:40 2021
From: Léo Le Bouter
To: 47563@debbugs.gnu.org
Subject: Re: [PATCH v2] gnu: curl: Update to 7.76.0 [security fixes].
Date: Fri, 02 Apr 2021 21:34:31 +0200
Message-ID: <71da0b112604e124d8227287345f519ca31850d6.camel@zaclys.net>
In-Reply-To: <20210402193302.23602-1-lle-bout@zaclys.net>

To me, that last patch is ready to merge.

Please push if you feel that's OK too, don't wait for me!

Thanks!

From debbugs-submit-bounces@debbugs.gnu.org Fri Apr 02 16:36:18 2021
Date: Fri, 2 Apr 2021 16:36:06 -0400
From: Leo Famulari
To: Léo Le Bouter via Bug reports for GNU Guix
Cc: 47563@debbugs.gnu.org
Subject: Re: bug#47563: [PATCH v2] gnu: curl: Update to 7.76.0 [security fixes].
In-Reply-To: <71da0b112604e124d8227287345f519ca31850d6.camel@zaclys.net>
References: <20210402193302.23602-1-lle-bout@zaclys.net> <71da0b112604e124d8227287345f519ca31850d6.camel@zaclys.net>

On Fri, Apr 02, 2021 at 09:34:31PM +0200, Léo Le Bouter via Bug reports for GNU Guix wrote:
> To me, that last patch is ready to merge.
>
> Please push if you feel that's OK too, don't wait for me!

Building now to test...
From debbugs-submit-bounces@debbugs.gnu.org Fri Apr 02 16:46:29 2021
Date: Fri, 2 Apr 2021 16:46:19 -0400
From: Leo Famulari
To: Léo Le Bouter via Bug reports for GNU Guix
Cc: 47563-done@debbugs.gnu.org, Léo Le Bouter
Subject: Re: bug#47563: [PATCH v2] gnu: curl: Update to 7.76.0 [security fixes].
In-Reply-To: <20210402193302.23602-1-lle-bout@zaclys.net>
References: <3f93f64c692d9e0604aa406a735d81084443b692.camel@zaclys.net> <20210402193302.23602-1-lle-bout@zaclys.net>

On Fri, Apr 02, 2021 at 09:33:02PM +0200, Léo Le Bouter via Bug reports for GNU Guix wrote:
> Fixes CVE-2021-22876 and CVE-2021-22890.
>
> * gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch: New patch.
> * gnu/local.mk (dist_patch_DATA): Register it.
> * gnu/packages/curl.scm (curl/fixed): New variable. Apply patch.
> (curl)[replacement]: Graft.

I tweaked the commit message — committer's preference ;) — and pushed as f4dc8ac6dfa036d98aa0990ae22268a9650899d0.

Thanks!
From unknown Wed Jun 18 23:11:28 2025
From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Sat, 01 May 2021 11:24:13 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator