GNU bug report logs - #73361
[PATCH v2] gnu: curl: Fix security vulnerability.

Previous Next

Package: guix-patches;

Reported by: Ashish SHUKLA <ashish.is <at> lostca.se>

Date: Thu, 19 Sep 2024 15:19:02 UTC

Severity: normal

Tags: patch

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Bug is archived. No further changes may be made.

Full log

Message #18 received at 73361-done <at> debbugs.gnu.org (full text, mbox):

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: "Ashish SHUKLA" <ashish.is <at> lostca.se>
Cc: John Kehayias <john.kehayias <at> protonmail.com>, 73361-done <at> debbugs.gnu.org
Subject: Re: bug#73361: [PATCH v2] gnu: curl: Fix security vulnerability.
Date: Tue, 12 Nov 2024 21:07:17 +0900

Hi,

"Ashish SHUKLA" <ashish.is <at> lostca.se> writes:

> On Fri Sep 27, 2024 at 8:52 PM CEST, John Kehayias wrote:
>> Hello,
>>
>> On Thu, Sep 19, 2024 at 03:17 PM, Ashish SHUKLA wrote:
>>
>> > * gnu/packages/curl.scm (curl): Update to 8.10.1.
>> >
>>
>> As curl causes a rebuild of just about everything, this will need to
>> done as a graft on master. (And ungrafted with a world rebuild on a
>> branch.) Would you like to take a stab at that?
>
> Prepared a new revision (attached) to add a new package 'curl/fixed' 
> with just the fix from upstream applied[0][1].
>
> As for the actual update to 8.10.1, I can send a patch (either in this 
> thread, or in separate issue report).
>
> Please let me know if something is amiss with my patch.
>
> References:
> [0] https://curl.se/docs/CVE-2024-8096.html
> [1] https://github.com/curl/curl/commit/aeb1a281cab13c7ba
>
> Thanks!
> --
> Ashish SHUKLA | GPG: F682 CDCC 39DC 0FEA E116  20B6 C746 CFA9 E74F A4B0
>
> "If I destroy you, what business is it of yours ?" (Dark Forest, Liu Cixin)
>
> From 82e4c9fdf2e4bc78dfad87ee956fd78051bbc763 Mon Sep 17 00:00:00 2001
> Message-ID: <82e4c9fdf2e4bc78dfad87ee956fd78051bbc763.1727486274.git.ashish.is <at> lostca.se>
> From: Ashish SHUKLA <ashish.is <at> lostca.se>
> Date: Sat, 28 Sep 2024 01:40:45 +0200
> Subject: [PATCH v2] gnu: curl: Fix security vulnerability.
>
> Fixes CVE-2024-8096.
>
> * gnu/packages/curl.scm (curl)[replacement]: New field.
> (curl/fixed): New variable.
> * gnu/packages/patches/curl-CVE-2024-8096.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Register it.
>
> Change-Id: I42facad095d97dc94302e9db60626b9fa00f3738
> ---
>  gnu/local.mk                                  |   1 +
>  gnu/packages/curl.scm                         |  11 +
>  gnu/packages/patches/curl-CVE-2024-8096.patch | 200 ++++++++++++++++++
>  3 files changed, 212 insertions(+)
>  create mode 100644 gnu/packages/patches/curl-CVE-2024-8096.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index 9fdad12b63..a2215ad4c2 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -1114,6 +1114,7 @@ dist_patch_DATA =						\
>    %D%/packages/patches/crda-optional-gcrypt.patch		\
>    %D%/packages/patches/clucene-contribs-lib.patch               \
>    %D%/packages/patches/cube-nocheck.patch			\
> +  %D%/packages/patches/curl-CVE-2024-8096.patch			\
>    %D%/packages/patches/curl-use-ssl-cert-env.patch		\
>    %D%/packages/patches/curlftpfs-fix-error-closing-file.patch	\
>    %D%/packages/patches/curlftpfs-fix-file-names.patch		\
> diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
> index 9f74018205..bbb266e236 100644
> --- a/gnu/packages/curl.scm
> +++ b/gnu/packages/curl.scm
> @@ -16,6 +16,7 @@
>  ;;; Copyright © 2021 Felix Gruber <felgru <at> posteo.net>
>  ;;; Copyright © 2023 Sharlatan Hellseher <sharlatanus <at> gmail.com>
>  ;;; Copyright © 2023 John Kehayias <john.kehayias <at> protonmail.com>
> +;;; Copyright © 2024 Ashish SHUKLA <ashish.is <at> lostca.se>
>  ;;;
>  ;;; This file is part of GNU Guix.
>  ;;;
> @@ -67,6 +68,7 @@ (define-public curl
>    (package
>      (name "curl")
>      (version "8.6.0")
> +    (replacement curl/fixed)
>      (source (origin
>                (method url-fetch)
>                (uri (string-append "https://curl.se/download/curl-"
> @@ -176,6 +178,15 @@ (define-public curl
>                                     "See COPYING in the distribution."))
>      (home-page "https://curl.haxx.se/")))
>  
> +(define-public curl/fixed
> +  (hidden-package
> +   (package
> +     (inherit curl)
> +     (replacement curl/fixed)
> +     (source (origin
> +               (inherit (package-source curl))
> +               (patches (search-patches "curl-CVE-2024-8096.patch")))))))
> +

I've applied it already, but noticed after that this doesn't add the
curl patch 'curl-use-ssl-cert-env.patch'; which I've now fixed in commit
b10ce47d8b.

Closing!

-- 
Thanks,
Maxim
This bug report was last modified 250 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.