GNU bug report logs - #73361
[PATCH v2] gnu: curl: Fix security vulnerability.

Package: guix-patches;

Reported by: Ashish SHUKLA <ashish.is <at> lostca.se>

Date: Thu, 19 Sep 2024 15:19:02 UTC

Severity: normal

Tags: patch

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 73361 in the body.
You can then email your comments to 73361 AT debbugs.gnu.org in the normal way.



Report forwarded to guix-patches <at> gnu.org:
bug#73361; Package guix-patches. (Thu, 19 Sep 2024 15:19:02 GMT)

Acknowledgement sent to Ashish SHUKLA <ashish.is <at> lostca.se>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Thu, 19 Sep 2024 15:19:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Ashish SHUKLA <ashish.is <at> lostca.se>
To: guix-patches <at> gnu.org
Cc: Ashish SHUKLA <ashish.is <at> lostca.se>
Subject: [PATCH] gnu: curl: Update to 8.10.1 [security fixes].
Date: Thu, 19 Sep 2024 15:17:29 +0000

* gnu/packages/curl.scm (curl): Update to 8.10.1.

* gnu/packages/patches/curl-use-ssl-cert-env.patch: Update for 8.10.1.

Change-Id: I2a1566a3b7ca0a097c77f158bd370945cf16baf8
---
 gnu/packages/curl.scm                         |  5 ++-
 .../patches/curl-use-ssl-cert-env.patch       | 41 +++++++++----------
 2 files changed, 23 insertions(+), 23 deletions(-)

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 9f74018205..7ab886f195 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -16,6 +16,7 @@
 ;;; Copyright © 2021 Felix Gruber <felgru <at> posteo.net>
 ;;; Copyright © 2023 Sharlatan Hellseher <sharlatanus <at> gmail.com>
 ;;; Copyright © 2023 John Kehayias <john.kehayias <at> protonmail.com>
+;;; Copyright © 2024 Ashish SHUKLA <ashish.is <at> lostca.se>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -66,14 +67,14 @@ (define-module (gnu packages curl)
 (define-public curl
   (package
     (name "curl")
-    (version "8.6.0")
+    (version "8.10.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://curl.se/download/curl-"
                                   version ".tar.xz"))
               (sha256
                (base32
-                "05fv468yjrb7qwrxmfprxkrcckbkij0myql0vwwnalgr3bcmbk9w"))
+                "1vh4rvmln4ygp4mc18hq1pd5za4mp7jbfksajajrz84njplv193k"))
               (patches (search-patches "curl-use-ssl-cert-env.patch"))))
     (outputs '("out"
                "doc"))                  ;1.2 MiB of man3 pages
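
Review bot: Neither the commit message nor the `version` change in this hunk names the CVEs that the "[security fixes]" in the subject refers to; list the CVE identifiers in the commit message so the log records which advisories the jump from 8.6.0 to 8.10.1 closes. The new `base32` value is the only integrity anchor for the `url-fetch` source, so it is worth stating how it was obtained (for example, from a tarball checked against the upstream signature).
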
diff --git a/gnu/packages/patches/curl-use-ssl-cert-env.patch b/gnu/packages/patches/curl-use-ssl-cert-env.patch
index c39c1f7e98..2a57f0f8be 100644
--- a/gnu/packages/patches/curl-use-ssl-cert-env.patch
+++ b/gnu/packages/patches/curl-use-ssl-cert-env.patch
@@ -37,28 +37,27 @@ for other future workarounds.
  #ifdef _WIN32
    Curl_win32_cleanup(easy_init_flags);
  #endif
-diff -ur curl-7.66.0.orig/lib/url.c curl-7.66.0/lib/url.c
---- curl-7.66.0.orig/lib/url.c	2020-01-02 15:43:11.883921171 +0100
-+++ curl-7.66.0/lib/url.c	2020-01-02 16:21:11.563880346 +0100
-@@ -524,6 +524,21 @@
-     if(result)
-       return result;
+--- curl-8.10.0/lib/url.c.orig	2024-09-17 16:57:50.407214691 +0000
++++ curl-8.10.0/lib/url.c	2024-09-17 16:59:47.507214691 +0000
+@@ -455,6 +455,21 @@
+ #endif
  #endif
-+    extern char * Curl_ssl_cert_dir;
-+    extern char * Curl_ssl_cert_file;
-+    if(Curl_ssl_cert_dir) {
-+        if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], Curl_ssl_cert_dir))
-+            return result;
-+        if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_PROXY], Curl_ssl_cert_dir))
-+            return result;
-+    }
-+
-+    if(Curl_ssl_cert_file) {
-+        if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], Curl_ssl_cert_file))
-+            return result;
-+        if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_PROXY], Curl_ssl_cert_file))
-+            return result;
-+    }
    }
++  extern char * Curl_ssl_cert_dir;
++  extern char * Curl_ssl_cert_file;
++  if(Curl_ssl_cert_dir) {
++      if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], Curl_ssl_cert_dir))
++          return result;
++      if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_PROXY], Curl_ssl_cert_dir))
++          return result;
++  }
++
++  if(Curl_ssl_cert_file) {
++      if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], Curl_ssl_cert_file))
++          return result;
++      if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_PROXY], Curl_ssl_cert_file))
++          return result;
++  }
  
+ #ifndef CURL_DISABLE_FTP
    set->wildcard_enabled = FALSE;
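
Review bot: The regenerated inner headers name `curl-8.10.0/lib/url.c`, while the package is bumped to 8.10.1 and the commit message says "Update for 8.10.1"; regenerate the patch against the 8.10.1 tree, or note that the 8.10.0 offsets still apply unchanged. The carried-over `if(result = Curl_setstropt(...))` lines assign inside the condition without extra parentheses, which GCC flags under -Wparentheses; assigning first and then testing `if(result)` would avoid the warning and make the intent unambiguous.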

base-commit: e85f52e826b0701c3dcf9acf9d81e5ae57aec8f9
-- 
2.46.1





Information forwarded to guix-patches <at> gnu.org:
bug#73361; Package guix-patches. (Fri, 27 Sep 2024 18:54:01 GMT)

Message #8 received at 73361 <at> debbugs.gnu.org:

From: John Kehayias <john.kehayias <at> protonmail.com>
To: Ashish SHUKLA <ashish.is <at> lostca.se>
Cc: 73361 <at> debbugs.gnu.org
Subject: Re: [bug#73361] [PATCH] gnu: curl: Update to 8.10.1 [security fixes].
Date: Fri, 27 Sep 2024 18:52:21 +0000

Hello,

On Thu, Sep 19, 2024 at 03:17 PM, Ashish SHUKLA wrote:

> * gnu/packages/curl.scm (curl): Update to 8.10.1.
>

As curl causes a rebuild of just about everything, this will need to
be done as a graft on master. (And ungrafted with a world rebuild on a
branch.) Would you like to take a stab at that?

Also, please note what the security fixes are (CVE numbers).

Thanks for the patch so far!
John

> * gnu/packages/patches/curl-use-ssl-cert-env.patch: Update for 8.10.1.
>
> Change-Id: I2a1566a3b7ca0a097c77f158bd370945cf16baf8
> ---
>  gnu/packages/curl.scm                         |  5 ++-
>  .../patches/curl-use-ssl-cert-env.patch       | 41 +++++++++----------
>  2 files changed, 23 insertions(+), 23 deletions(-)
>
> diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
> index 9f74018205..7ab886f195 100644
> --- a/gnu/packages/curl.scm
> +++ b/gnu/packages/curl.scm
> @@ -16,6 +16,7 @@
>  ;;; Copyright © 2021 Felix Gruber <felgru <at> posteo.net>
>  ;;; Copyright © 2023 Sharlatan Hellseher <sharlatanus <at> gmail.com>
>  ;;; Copyright © 2023 John Kehayias <john.kehayias <at> protonmail.com>
> +;;; Copyright © 2024 Ashish SHUKLA <ashish.is <at> lostca.se>
>  ;;;
>  ;;; This file is part of GNU Guix.
>  ;;;
> @@ -66,14 +67,14 @@ (define-module (gnu packages curl)
>  (define-public curl
>    (package
>      (name "curl")
> -    (version "8.6.0")
> +    (version "8.10.1")
>      (source (origin
>                (method url-fetch)
>                (uri (string-append "https://curl.se/download/curl-"
>                                    version ".tar.xz"))
>                (sha256
>                 (base32
> -                "05fv468yjrb7qwrxmfprxkrcckbkij0myql0vwwnalgr3bcmbk9w"))
> +                "1vh4rvmln4ygp4mc18hq1pd5za4mp7jbfksajajrz84njplv193k"))
>                (patches (search-patches "curl-use-ssl-cert-env.patch"))))
>      (outputs '("out"
>                 "doc"))                  ;1.2 MiB of man3 pages
> diff --git a/gnu/packages/patches/curl-use-ssl-cert-env.patch b/gnu/packages/patches/curl-use-ssl-cert-env.patch
> index c39c1f7e98..2a57f0f8be 100644
> --- a/gnu/packages/patches/curl-use-ssl-cert-env.patch
> +++ b/gnu/packages/patches/curl-use-ssl-cert-env.patch
> @@ -37,28 +37,27 @@ for other future workarounds.
>   #ifdef _WIN32
>     Curl_win32_cleanup(easy_init_flags);
>   #endif
> -diff -ur curl-7.66.0.orig/lib/url.c curl-7.66.0/lib/url.c
> ---- curl-7.66.0.orig/lib/url.c	2020-01-02 15:43:11.883921171 +0100
> -+++ curl-7.66.0/lib/url.c	2020-01-02 16:21:11.563880346 +0100
> -@@ -524,6 +524,21 @@
> -     if(result)
> -       return result;
> +--- curl-8.10.0/lib/url.c.orig	2024-09-17 16:57:50.407214691 +0000
> ++++ curl-8.10.0/lib/url.c	2024-09-17 16:59:47.507214691 +0000
> +@@ -455,6 +455,21 @@
> + #endif
>   #endif
> -+    extern char * Curl_ssl_cert_dir;
> -+    extern char * Curl_ssl_cert_file;
> -+    if(Curl_ssl_cert_dir) {
> -+        if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], Curl_ssl_cert_dir))
> -+            return result;
> -+        if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_PROXY], Curl_ssl_cert_dir))
> -+            return result;
> -+    }
> -+
> -+    if(Curl_ssl_cert_file) {
> -+        if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], Curl_ssl_cert_file))
> -+            return result;
> -+        if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_PROXY], Curl_ssl_cert_file))
> -+            return result;
> -+    }
>     }
> ++  extern char * Curl_ssl_cert_dir;
> ++  extern char * Curl_ssl_cert_file;
> ++  if(Curl_ssl_cert_dir) {
> ++      if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], Curl_ssl_cert_dir))
> ++          return result;
> ++      if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_PROXY], Curl_ssl_cert_dir))
> ++          return result;
> ++  }
> ++
> ++  if(Curl_ssl_cert_file) {
> ++      if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], Curl_ssl_cert_file))
> ++          return result;
> ++      if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_PROXY], Curl_ssl_cert_file))
> ++          return result;
> ++  }
>
> + #ifndef CURL_DISABLE_FTP
>     set->wildcard_enabled = FALSE;
>
> base-commit: e85f52e826b0701c3dcf9acf9d81e5ae57aec8f9





Information forwarded to guix-patches <at> gnu.org:
bug#73361; Package guix-patches. (Sat, 28 Sep 2024 01:26:02 GMT)

Message #11 received at 73361 <at> debbugs.gnu.org:

From: "Ashish SHUKLA" <ashish.is <at> lostca.se>
To: "John Kehayias" <john.kehayias <at> protonmail.com>
Cc: 73361 <at> debbugs.gnu.org
Subject: Re: [bug#73361] [PATCH] gnu: curl: Update to 8.10.1 [security fixes].
Date: Sat, 28 Sep 2024 01:24:05 +0000

On Fri Sep 27, 2024 at 8:52 PM CEST, John Kehayias wrote:
> Hello,
>
> On Thu, Sep 19, 2024 at 03:17 PM, Ashish SHUKLA wrote:
>
> > * gnu/packages/curl.scm (curl): Update to 8.10.1.
> >
>
> As curl causes a rebuild of just about everything, this will need to
> be done as a graft on master. (And ungrafted with a world rebuild on a
> branch.) Would you like to take a stab at that?

Prepared a new revision (attached) to add a new package 'curl/fixed' 
with just the fix from upstream applied[0][1].

As for the actual update to 8.10.1, I can send a patch (either in this
thread, or in a separate issue report).

Please let me know if something is amiss with my patch.

References:
[0] https://curl.se/docs/CVE-2024-8096.html
[1] https://github.com/curl/curl/commit/aeb1a281cab13c7ba

Thanks!
--
Ashish SHUKLA | GPG: F682 CDCC 39DC 0FEA E116  20B6 C746 CFA9 E74F A4B0

"If I destroy you, what business is it of yours ?" (Dark Forest, Liu Cixin)

[v2-0001-gnu-curl-Fix-security-vulnerability.patch (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Changed bug title to '[PATCH v2] gnu: curl: Fix security vulnerability.' from '[PATCH] gnu: curl: Update to 8.10.1 [security fixes].' Request was from "Ashish SHUKLA" <ashish.is <at> lostca.se> to control <at> debbugs.gnu.org. (Sat, 28 Sep 2024 01:29:01 GMT)

Reply sent to Maxim Cournoyer <maxim.cournoyer <at> gmail.com>:
You have taken responsibility. (Tue, 12 Nov 2024 12:09:01 GMT)

Notification sent to Ashish SHUKLA <ashish.is <at> lostca.se>:
bug acknowledged by developer. (Tue, 12 Nov 2024 12:09:02 GMT)

Message #18 received at 73361-done <at> debbugs.gnu.org:

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: "Ashish SHUKLA" <ashish.is <at> lostca.se>
Cc: John Kehayias <john.kehayias <at> protonmail.com>, 73361-done <at> debbugs.gnu.org
Subject: Re: bug#73361: [PATCH v2] gnu: curl: Fix security vulnerability.
Date: Tue, 12 Nov 2024 21:07:17 +0900

Hi,

"Ashish SHUKLA" <ashish.is <at> lostca.se> writes:

> On Fri Sep 27, 2024 at 8:52 PM CEST, John Kehayias wrote:
>> Hello,
>>
>> On Thu, Sep 19, 2024 at 03:17 PM, Ashish SHUKLA wrote:
>>
>> > * gnu/packages/curl.scm (curl): Update to 8.10.1.
>> >
>>
>> As curl causes a rebuild of just about everything, this will need to
>> be done as a graft on master. (And ungrafted with a world rebuild on a
>> branch.) Would you like to take a stab at that?
>
> Prepared a new revision (attached) to add a new package 'curl/fixed' 
> with just the fix from upstream applied[0][1].
>
> As for the actual update to 8.10.1, I can send a patch (either in this
> thread, or in a separate issue report).
>
> Please let me know if something is amiss with my patch.
>
> References:
> [0] https://curl.se/docs/CVE-2024-8096.html
> [1] https://github.com/curl/curl/commit/aeb1a281cab13c7ba
>
> Thanks!
> --
> Ashish SHUKLA | GPG: F682 CDCC 39DC 0FEA E116  20B6 C746 CFA9 E74F A4B0
>
> "If I destroy you, what business is it of yours ?" (Dark Forest, Liu Cixin)
>
> From 82e4c9fdf2e4bc78dfad87ee956fd78051bbc763 Mon Sep 17 00:00:00 2001
> Message-ID: <82e4c9fdf2e4bc78dfad87ee956fd78051bbc763.1727486274.git.ashish.is <at> lostca.se>
> From: Ashish SHUKLA <ashish.is <at> lostca.se>
> Date: Sat, 28 Sep 2024 01:40:45 +0200
> Subject: [PATCH v2] gnu: curl: Fix security vulnerability.
>
> Fixes CVE-2024-8096.
>
> * gnu/packages/curl.scm (curl)[replacement]: New field.
> (curl/fixed): New variable.
> * gnu/packages/patches/curl-CVE-2024-8096.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Register it.
>
> Change-Id: I42facad095d97dc94302e9db60626b9fa00f3738
> ---
>  gnu/local.mk                                  |   1 +
>  gnu/packages/curl.scm                         |  11 +
>  gnu/packages/patches/curl-CVE-2024-8096.patch | 200 ++++++++++++++++++
>  3 files changed, 212 insertions(+)
>  create mode 100644 gnu/packages/patches/curl-CVE-2024-8096.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index 9fdad12b63..a2215ad4c2 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -1114,6 +1114,7 @@ dist_patch_DATA =						\
>    %D%/packages/patches/crda-optional-gcrypt.patch		\
>    %D%/packages/patches/clucene-contribs-lib.patch               \
>    %D%/packages/patches/cube-nocheck.patch			\
> +  %D%/packages/patches/curl-CVE-2024-8096.patch			\
>    %D%/packages/patches/curl-use-ssl-cert-env.patch		\
>    %D%/packages/patches/curlftpfs-fix-error-closing-file.patch	\
>    %D%/packages/patches/curlftpfs-fix-file-names.patch		\
> diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
> index 9f74018205..bbb266e236 100644
> --- a/gnu/packages/curl.scm
> +++ b/gnu/packages/curl.scm
> @@ -16,6 +16,7 @@
>  ;;; Copyright © 2021 Felix Gruber <felgru <at> posteo.net>
>  ;;; Copyright © 2023 Sharlatan Hellseher <sharlatanus <at> gmail.com>
>  ;;; Copyright © 2023 John Kehayias <john.kehayias <at> protonmail.com>
> +;;; Copyright © 2024 Ashish SHUKLA <ashish.is <at> lostca.se>
>  ;;;
>  ;;; This file is part of GNU Guix.
>  ;;;
> @@ -67,6 +68,7 @@ (define-public curl
>    (package
>      (name "curl")
>      (version "8.6.0")
> +    (replacement curl/fixed)
>      (source (origin
>                (method url-fetch)
>                (uri (string-append "https://curl.se/download/curl-"
> @@ -176,6 +178,15 @@ (define-public curl
>                                     "See COPYING in the distribution."))
>      (home-page "https://curl.haxx.se/")))
>  
> +(define-public curl/fixed
> +  (hidden-package
> +   (package
> +     (inherit curl)
> +     (replacement curl/fixed)
> +     (source (origin
> +               (inherit (package-source curl))
> +               (patches (search-patches "curl-CVE-2024-8096.patch")))))))
> +
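
Review bot: The `(patches (search-patches "curl-CVE-2024-8096.patch"))` field in the `curl/fixed` origin replaces the inherited patch list rather than extending it, so `curl-use-ssl-cert-env.patch`, which the `curl` origin applies, is dropped from the grafted build; pass both file names to `search-patches`. Separately, the `(replacement curl/fixed)` line inside `curl/fixed` makes the package name itself as its own replacement, and `(inherit curl)` already carries that field from the hunk above, so the line is redundant.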

I've applied it already, but noticed afterwards that this doesn't add the
curl patch 'curl-use-ssl-cert-env.patch', which I've now fixed in commit
b10ce47d8b.

Closing!

-- 
Thanks,
Maxim




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 10 Dec 2024 12:24:11 GMT)

This bug report was last modified 249 days ago.
