GNU bug report logs -
#73361
[PATCH v2] gnu: curl: Fix security vulnerability.
Previous Next
Reported by: Ashish SHUKLA <ashish.is <at> lostca.se>
Date: Thu, 19 Sep 2024 15:19:02 UTC
Severity: normal
Tags: patch
Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Bug is archived. No further changes may be made.
Full log
View this message in rfc822 format
[Message part 1 (text/plain, inline)]
Your message dated Tue, 12 Nov 2024 21:07:17 +0900
with message-id <875xos4pvu.fsf_-_ <at> gmail.com>
and subject line Re: bug#73361: [PATCH v2] gnu: curl: Fix security vulnerability.
has caused the debbugs.gnu.org bug report #73361,
regarding [PATCH v2] gnu: curl: Fix security vulnerability.
to be marked as done.
(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)
--
73361: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=73361
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
* gnu/packages/curl.scm (curl): Update to 8.10.1.
* gnu/packages/patches/curl-use-ssl-cert-env.patch: Update for 8.10.1.
Change-Id: I2a1566a3b7ca0a097c77f158bd370945cf16baf8
---
gnu/packages/curl.scm | 5 ++-
.../patches/curl-use-ssl-cert-env.patch | 41 +++++++++----------
2 files changed, 23 insertions(+), 23 deletions(-)
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 9f74018205..7ab886f195 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -16,6 +16,7 @@
;;; Copyright © 2021 Felix Gruber <felgru <at> posteo.net>
;;; Copyright © 2023 Sharlatan Hellseher <sharlatanus <at> gmail.com>
;;; Copyright © 2023 John Kehayias <john.kehayias <at> protonmail.com>
+;;; Copyright © 2024 Ashish SHUKLA <ashish.is <at> lostca.se>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -66,14 +67,14 @@ (define-module (gnu packages curl)
(define-public curl
(package
(name "curl")
- (version "8.6.0")
+ (version "8.10.1")
(source (origin
(method url-fetch)
(uri (string-append "https://curl.se/download/curl-"
version ".tar.xz"))
(sha256
(base32
- "05fv468yjrb7qwrxmfprxkrcckbkij0myql0vwwnalgr3bcmbk9w"))
+ "1vh4rvmln4ygp4mc18hq1pd5za4mp7jbfksajajrz84njplv193k"))
(patches (search-patches "curl-use-ssl-cert-env.patch"))))
(outputs '("out"
"doc")) ;1.2 MiB of man3 pages
diff --git a/gnu/packages/patches/curl-use-ssl-cert-env.patch b/gnu/packages/patches/curl-use-ssl-cert-env.patch
index c39c1f7e98..2a57f0f8be 100644
--- a/gnu/packages/patches/curl-use-ssl-cert-env.patch
+++ b/gnu/packages/patches/curl-use-ssl-cert-env.patch
@@ -37,28 +37,27 @@ for other future workarounds.
#ifdef _WIN32
Curl_win32_cleanup(easy_init_flags);
#endif
-diff -ur curl-7.66.0.orig/lib/url.c curl-7.66.0/lib/url.c
---- curl-7.66.0.orig/lib/url.c 2020-01-02 15:43:11.883921171 +0100
-+++ curl-7.66.0/lib/url.c 2020-01-02 16:21:11.563880346 +0100
-@@ -524,6 +524,21 @@
- if(result)
- return result;
+--- curl-8.10.0/lib/url.c.orig 2024-09-17 16:57:50.407214691 +0000
++++ curl-8.10.0/lib/url.c 2024-09-17 16:59:47.507214691 +0000
+@@ -455,6 +455,21 @@
+ #endif
#endif
-+ extern char * Curl_ssl_cert_dir;
-+ extern char * Curl_ssl_cert_file;
-+ if(Curl_ssl_cert_dir) {
-+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], Curl_ssl_cert_dir))
-+ return result;
-+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_PROXY], Curl_ssl_cert_dir))
-+ return result;
-+ }
-+
-+ if(Curl_ssl_cert_file) {
-+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], Curl_ssl_cert_file))
-+ return result;
-+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_PROXY], Curl_ssl_cert_file))
-+ return result;
-+ }
}
++ extern char * Curl_ssl_cert_dir;
++ extern char * Curl_ssl_cert_file;
++ if(Curl_ssl_cert_dir) {
++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], Curl_ssl_cert_dir))
++ return result;
++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_PROXY], Curl_ssl_cert_dir))
++ return result;
++ }
++
++ if(Curl_ssl_cert_file) {
++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], Curl_ssl_cert_file))
++ return result;
++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_PROXY], Curl_ssl_cert_file))
++ return result;
++ }
+ #ifndef CURL_DISABLE_FTP
set->wildcard_enabled = FALSE;
base-commit: e85f52e826b0701c3dcf9acf9d81e5ae57aec8f9
--
2.46.1
[Message part 3 (message/rfc822, inline)]
Hi,
"Ashish SHUKLA" <ashish.is <at> lostca.se> writes:
> On Fri Sep 27, 2024 at 8:52 PM CEST, John Kehayias wrote:
>> Hello,
>>
>> On Thu, Sep 19, 2024 at 03:17 PM, Ashish SHUKLA wrote:
>>
>> > * gnu/packages/curl.scm (curl): Update to 8.10.1.
>> >
>>
>> As curl causes a rebuild of just about everything, this will need to
>> done as a graft on master. (And ungrafted with a world rebuild on a
>> branch.) Would you like to take a stab at that?
>
> Prepared a new revision (attached) to add a new package 'curl/fixed'
> with just the fix from upstream applied[0][1].
>
> As for the actual update to 8.10.1, I can send a patch (either in this
> thread, or in separate issue report).
>
> Please let me know if something is amiss with my patch.
>
> References:
> [0] https://curl.se/docs/CVE-2024-8096.html
> [1] https://github.com/curl/curl/commit/aeb1a281cab13c7ba
>
> Thanks!
> --
> Ashish SHUKLA | GPG: F682 CDCC 39DC 0FEA E116 20B6 C746 CFA9 E74F A4B0
>
> "If I destroy you, what business is it of yours ?" (Dark Forest, Liu Cixin)
>
> From 82e4c9fdf2e4bc78dfad87ee956fd78051bbc763 Mon Sep 17 00:00:00 2001
> Message-ID: <82e4c9fdf2e4bc78dfad87ee956fd78051bbc763.1727486274.git.ashish.is <at> lostca.se>
> From: Ashish SHUKLA <ashish.is <at> lostca.se>
> Date: Sat, 28 Sep 2024 01:40:45 +0200
> Subject: [PATCH v2] gnu: curl: Fix security vulnerability.
>
> Fixes CVE-2024-8096.
>
> * gnu/packages/curl.scm (curl)[replacement]: New field.
> (curl/fixed): New variable.
> * gnu/packages/patches/curl-CVE-2024-8096.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Register it.
>
> Change-Id: I42facad095d97dc94302e9db60626b9fa00f3738
> ---
> gnu/local.mk | 1 +
> gnu/packages/curl.scm | 11 +
> gnu/packages/patches/curl-CVE-2024-8096.patch | 200 ++++++++++++++++++
> 3 files changed, 212 insertions(+)
> create mode 100644 gnu/packages/patches/curl-CVE-2024-8096.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index 9fdad12b63..a2215ad4c2 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -1114,6 +1114,7 @@ dist_patch_DATA = \
> %D%/packages/patches/crda-optional-gcrypt.patch \
> %D%/packages/patches/clucene-contribs-lib.patch \
> %D%/packages/patches/cube-nocheck.patch \
> + %D%/packages/patches/curl-CVE-2024-8096.patch \
> %D%/packages/patches/curl-use-ssl-cert-env.patch \
> %D%/packages/patches/curlftpfs-fix-error-closing-file.patch \
> %D%/packages/patches/curlftpfs-fix-file-names.patch \
> diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
> index 9f74018205..bbb266e236 100644
> --- a/gnu/packages/curl.scm
> +++ b/gnu/packages/curl.scm
> @@ -16,6 +16,7 @@
> ;;; Copyright © 2021 Felix Gruber <felgru <at> posteo.net>
> ;;; Copyright © 2023 Sharlatan Hellseher <sharlatanus <at> gmail.com>
> ;;; Copyright © 2023 John Kehayias <john.kehayias <at> protonmail.com>
> +;;; Copyright © 2024 Ashish SHUKLA <ashish.is <at> lostca.se>
> ;;;
> ;;; This file is part of GNU Guix.
> ;;;
> @@ -67,6 +68,7 @@ (define-public curl
> (package
> (name "curl")
> (version "8.6.0")
> + (replacement curl/fixed)
> (source (origin
> (method url-fetch)
> (uri (string-append "https://curl.se/download/curl-"
> @@ -176,6 +178,15 @@ (define-public curl
> "See COPYING in the distribution."))
> (home-page "https://curl.haxx.se/")))
>
> +(define-public curl/fixed
> + (hidden-package
> + (package
> + (inherit curl)
> + (replacement curl/fixed)
> + (source (origin
> + (inherit (package-source curl))
> + (patches (search-patches "curl-CVE-2024-8096.patch")))))))
> +
I've applied it already, but noticed after that this doesn't add the
curl patch 'curl-use-ssl-cert-env.patch'; which I've now fixed in commit
b10ce47d8b.
Closing!
--
Thanks,
Maxim
This bug report was last modified 250 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.