[PATCH] gnu: curl: Replace with 7.55.0 [security fixes].

  • Done
  • quality assurance status badge
Details
One participant
  • Marius Bakke
Owner
unassigned
Submitted by
Marius Bakke
Severity
normal
M
M
Marius Bakke wrote on 9 Aug 2017 21:07
(address . guix-patches@gnu.org)(name . Marius Bakke)(address . mbakke@fastmail.com)
20170809190703.7469-1-mbakke@fastmail.com
Fixes CVE-2017-1000099, CVE-2017-1000100, and CVE-2017-100101.

* gnu/packages/curl.scm (curl)[replacement]: New field.
(curl-7.55.0): New variable.
---
gnu/packages/curl.scm | 14 ++++++++++++++
1 file changed, 14 insertions(+)

Toggle diff (38 lines)
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index af15aa38c..bfe53dd43 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -4,6 +4,7 @@
;;; Copyright © 2015 Tomáš ?ech <sleep_walker@suse.cz>
;;; Copyright © 2015 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2016, 2017 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -40,6 +41,7 @@
(define-public curl
(package
(name "curl")
+ (replacement curl-7.55.0)
(version "7.54.1")
(source (origin
(method url-fetch)
@@ -119,3 +121,15 @@ tunneling, and so on.")
(license (license:non-copyleft "file://COPYING"
"See COPYING in the distribution."))
(home-page "https://curl.haxx.se/")))
+
+(define-public curl-7.55.0
+ (package
+ (inherit curl)
+ (version "7.55.0")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append "https://curl.haxx.se/download/curl-"
+ version ".tar.xz"))
+ (sha256
+ (base32
+ "1785vxi0jamiv9d1wr1l45g0fm9ircxdfyfzf7ld8zv0z0i8bmfd"))))))
--
2.14.0
M
M
Marius Bakke wrote on 9 Aug 2017 22:22
Re: [bug#28027] curl security update [was Re: bug#28027: gnURL 7.55.0]
87inhw4hkd.fsf@fastmail.com
ng0 <ng0@infotropique.org> writes:

Toggle quote (26 lines)
> Leo Famulari transcribed 3.7K bytes:
>> On Wed, Aug 09, 2017 at 02:50:07PM -0400, Leo Famulari wrote:
>> > On Wed, Aug 09, 2017 at 01:48:42PM -0400, Leo Famulari wrote:
>> > > On Wed, Aug 09, 2017 at 06:25:39PM +0200, Tobias Geerinckx-Rice wrote:
>> > > > ng0 wrote on 09/08/17 at 18:00:
>> > > > > From 13129d51ac4dd5ac7f5e7b74997297139a40be12 Mon Sep 17 00:00:00 2001
>> > > > > From: ng0 <ng0@infotropique.org>
>> > > > > Date: Wed, 9 Aug 2017 15:58:43 +0000
>> > > > > Subject: [PATCH] gnu: gnurl: Update to 7.55.0.
>> > > > >
>> > > > > * gnu/packages/gnunet.scm (gnurl): Update to 7.55.0.
>> > > >
>> > > > Thanks! Pushed as 28e12d6c81cef2aca7f792f3c99037a649faa9b0.
>> > >
>> > > Great! Can somebody also update the curl replacement?
>> >
>> > Actually, I'll do it :)
>>
>> With the attached patch, it fails to build, because the man 3 pages
>> aren't built and thus can't be copied into the doc output. I'm not sure
>> what's going on :/
>
> As written on IRC: Take a look at the 2 commits after tagged 7.55.0,
> if you apply both you will have a successful build. I did this manually
> (by hand, not taking the commits) for gnURL release.

Here is a patch that fixes the doc installation:
From f93502a48b368c74ba4ed1ff573f07f59b8c91f1 Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Wed, 9 Aug 2017 21:04:04 +0200
Subject: [PATCH] gnu: curl: Replace with 7.55.0 [security fixes].

Fixes CVE-2017-1000099, CVE-2017-1000100, and CVE-2017-100101.

* gnu/packages/curl.scm (curl)[replacement]: New field.
(curl-7.55.0): New variable.
---
gnu/packages/curl.scm | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)

Toggle diff (58 lines)
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index af15aa38c..0c551e108 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -4,6 +4,7 @@
;;; Copyright © 2015 Tomáš ?ech <sleep_walker@suse.cz>
;;; Copyright © 2015 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2016, 2017 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -24,6 +25,7 @@
#:use-module ((guix licenses) #:prefix license:)
#:use-module (guix packages)
#:use-module (guix download)
+ #:use-module (guix utils)
#:use-module (guix build-system gnu)
#:use-module (gnu packages)
#:use-module (gnu packages compression)
@@ -40,6 +42,7 @@
(define-public curl
(package
(name "curl")
+ (replacement curl-7.55.0)
(version "7.54.1")
(source (origin
(method url-fetch)
@@ -119,3 +122,27 @@ tunneling, and so on.")
(license (license:non-copyleft "file://COPYING"
"See COPYING in the distribution."))
(home-page "https://curl.haxx.se/")))
+
+(define-public curl-7.55.0
+ (package
+ (inherit curl)
+ (version "7.55.0")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append "https://curl.haxx.se/download/curl-"
+ version ".tar.xz"))
+ (sha256
+ (base32
+ "1785vxi0jamiv9d1wr1l45g0fm9ircxdfyfzf7ld8zv0z0i8bmfd"))))
+ (arguments
+ `(,@(substitute-keyword-arguments (package-arguments curl)
+ ((#:phases phases)
+ `(modify-phases ,phases
+ (add-before 'install 'fix-Makefile
+ ;; Fix a regression in 7.55 where docs are not installed.
+ ;; https://github.com/curl/curl/commit/a7bbbb7c368c6096802007f61f19a02e9d75285b
+ (lambda _
+ (substitute* "Makefile"
+ (("install-data-hook:\n")
+ "install-data-hook:\n\tcd docs/libcurl && $(MAKE) install\n"))
+ #t)))))))))
--
2.14.0
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAlmLbxIACgkQoqBt8qM6
VPoKMQf/cg9vgZks+cIKWlNG6VnwJAibcfcp22YOk61WT+E5570YRUoIY/9HDXES
x0LWdI+ibPVYlnLuOZ9sL3cT9w5t18IkPL/mgvBn1KUjyi87VBZZyeCnkKilFAk3
BL7/MnzcnplY5qC9yBgqbYcoI9CCUj4v12Xy20L7jAHsA8A6OeQeud9cpZ+/J9sJ
vEIJ8cWWXtBaaHjqgtwsZUwa7vov5ndjhTYhMQ2+4Xnt3qWg6CTeWwb8QXFMf6a2
2z4gpjCSSpaQkOXzNYQHnjVKdC2GRgNhXXho46aE0SRGjwttCys1RlkyLP7mQwlm
8IjRvSzTDSWiWAsPhrSYVkTQZc+dZw==
=5Y/L
-----END PGP SIGNATURE-----

Closed
?
Your comment

This issue is archived.

To comment on this conversation send an email to 28031@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 28031
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch