[PATCH] gnu: curl: Update replacement to 7.56.0. [security fixes]

Done

Details

2 participants

Kei Kebreau
Marius Bakke

Owner: unassigned

Submitted by: Kei Kebreau

Severity: normal

Kei Kebreau wrote on 4 Oct 2017 17:01

Recipients:(address . guix-patches@gnu.org)(name . Kei Kebreau)(address . kkebreau@posteo.net)

Message-ID:20171004150145.13595-1-kkebreau@posteo.net

Fixes CVE-2017-1000254.
See https://curl.haxx.se/docs/adv_20171004.html for details.

* gnu/packages/curl.scm (curl)[replacement]: Update to 7.56.0.
(curl-7.55.0): Rename to ...
(curl-7.56.0): ... this.
[arguments]: Remove 'fix-Makefile' phase.
---
 gnu/packages/curl.scm | 17 ++---------------
 1 file changed, 2 insertions(+), 15 deletions(-)

Toggle diff (34 lines)diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 23606b481..552df5dc3 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -126,25 +126,12 @@ tunneling, and so on.")
 (define-public curl-7.55.0
   (package
     (inherit curl)
-    (version "7.55.0")
+    (version "7.56.0")
     (source
       (origin
         (method url-fetch)
         (uri (string-append "https://curl.haxx.se/download/curl-"
                             version ".tar.xz"))
-        (patches (search-patches "curl-bounds-check.patch"))
         (sha256
          (base32
-          "1785vxi0jamiv9d1wr1l45g0fm9ircxdfyfzf7ld8zv0z0i8bmfd"))))
-    (arguments
-     `(,@(substitute-keyword-arguments (package-arguments curl)
-           ((#:phases phases)
-            `(modify-phases ,phases
-               (add-before 'install 'fix-Makefile
-                 ;; Fix a regression in 7.55.0 where docs are not installed.
-                 ;; https://github.com/curl/curl/commit/a7bbbb7c368c6096802007f61f19a02e9d75285b
-                 (lambda _
-                   (substitute* "Makefile"
-                     (("install-data-hook:\n")
-                      "install-data-hook:\n\tcd docs/libcurl && $(MAKE) install\n"))
-                   #t)))))))))
+          "0wni3zkw7jyrwgwkqnrkf2x2b7c78wsp7p4z6a246hz9l367nhrj"))))))
-- 
2.14.2

Kei Kebreau wrote on 4 Oct 2017 17:24

Recipients:(name . Kei Kebreau)(address . kkebreau@posteo.net)

Message-ID:20171004152427.14012-1-kkebreau@posteo.net

Fixes CVE-2017-1000254.
See https://curl.haxx.se/docs/adv_20171004.html for details.

* gnu/packages/curl.scm (curl)[replacement]: Update to 7.56.0.
(curl-7.55.0): Rename to ...
(curl-7.56.0): ... this.
[arguments]: Remove 'fix-Makefile' phase.
---
 gnu/packages/curl.scm | 21 ++++-----------------
 1 file changed, 4 insertions(+), 17 deletions(-)

Toggle diff (47 lines)diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 23606b481..ef1b6c74b 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -42,7 +42,7 @@
 (define-public curl
   (package
    (name "curl")
-   (replacement curl-7.55.0)
+   (replacement curl-7.56.0)
    (version "7.54.1")
    (source (origin
             (method url-fetch)
@@ -123,28 +123,15 @@ tunneling, and so on.")
                                   "See COPYING in the distribution."))
    (home-page "https://curl.haxx.se/")))
 
-(define-public curl-7.55.0
+(define-public curl-7.56.0
   (package
     (inherit curl)
-    (version "7.55.0")
+    (version "7.56.0")
     (source
       (origin
         (method url-fetch)
         (uri (string-append "https://curl.haxx.se/download/curl-"
                             version ".tar.xz"))
-        (patches (search-patches "curl-bounds-check.patch"))
         (sha256
          (base32
-          "1785vxi0jamiv9d1wr1l45g0fm9ircxdfyfzf7ld8zv0z0i8bmfd"))))
-    (arguments
-     `(,@(substitute-keyword-arguments (package-arguments curl)
-           ((#:phases phases)
-            `(modify-phases ,phases
-               (add-before 'install 'fix-Makefile
-                 ;; Fix a regression in 7.55.0 where docs are not installed.
-                 ;; https://github.com/curl/curl/commit/a7bbbb7c368c6096802007f61f19a02e9d75285b
-                 (lambda _
-                   (substitute* "Makefile"
-                     (("install-data-hook:\n")
-                      "install-data-hook:\n\tcd docs/libcurl && $(MAKE) install\n"))
-                   #t)))))))))
+          "0wni3zkw7jyrwgwkqnrkf2x2b7c78wsp7p4z6a246hz9l367nhrj"))))))
-- 
2.14.2

Marius Bakke wrote on 4 Oct 2017 23:33

Re: [bug#28702] [PATCH] gnu: curl: Update replacement to 7.56.0. [security fixes]

Recipients:(name . Kei Kebreau)(address . kkebreau@posteo.net)

Message-ID:87sheyd2e4.fsf@fastmail.com

Kei Kebreau <kkebreau@posteo.net> writes:

Toggle quote (28 lines)> Fixes CVE-2017-1000254.
> See <https://curl.haxx.se/docs/adv_20171004.html> for details.
>
> * gnu/packages/curl.scm (curl)[replacement]: Update to 7.56.0.
> (curl-7.55.0): Rename to ...
> (curl-7.56.0): ... this.
> [arguments]: Remove 'fix-Makefile' phase.
> ---
>  gnu/packages/curl.scm | 17 ++---------------
>  1 file changed, 2 insertions(+), 15 deletions(-)
>
> diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
> index 23606b481..552df5dc3 100644
> --- a/gnu/packages/curl.scm
> +++ b/gnu/packages/curl.scm
> @@ -126,25 +126,12 @@ tunneling, and so on.")
>  (define-public curl-7.55.0
>    (package
>      (inherit curl)
> -    (version "7.55.0")
> +    (version "7.56.0")
>      (source
>        (origin
>          (method url-fetch)
>          (uri (string-append "https://curl.haxx.se/download/curl-"
>                              version ".tar.xz"))
> -        (patches (search-patches "curl-bounds-check.patch"))

Please also delete this file and update gnu/local.mk.

LGTM otherwise, thanks!

Kei Kebreau wrote on 5 Oct 2017 01:38

Recipients:(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 28702-done@debbugs.gnu.org)

Message-ID:87vajuxz45.fsf@posteo.net

Marius Bakke <mbakke@fastmail.com> writes:

Toggle quote (34 lines)> Kei Kebreau <kkebreau@posteo.net> writes:
>
>> Fixes CVE-2017-1000254.
>> See <https://curl.haxx.se/docs/adv_20171004.html> for details.
>>
>> * gnu/packages/curl.scm (curl)[replacement]: Update to 7.56.0.
>> (curl-7.55.0): Rename to ...
>> (curl-7.56.0): ... this.
>> [arguments]: Remove 'fix-Makefile' phase.
>> ---
>>  gnu/packages/curl.scm | 17 ++---------------
>>  1 file changed, 2 insertions(+), 15 deletions(-)
>>
>> diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
>> index 23606b481..552df5dc3 100644
>> --- a/gnu/packages/curl.scm
>> +++ b/gnu/packages/curl.scm
>> @@ -126,25 +126,12 @@ tunneling, and so on.")
>>  (define-public curl-7.55.0
>>    (package
>>      (inherit curl)
>> -    (version "7.55.0")
>> +    (version "7.56.0")
>>      (source
>>        (origin
>>          (method url-fetch)
>>          (uri (string-append "https://curl.haxx.se/download/curl-"
>>                              version ".tar.xz"))
>> -        (patches (search-patches "curl-bounds-check.patch"))
>
> Please also delete this file and update gnu/local.mk.
>
> LGTM otherwise, thanks!

Thanks for reviewing this.

Pushed to master as 46cf31868c1b12eec50bc9b8dda64604dd81f986.

Closed

Your comment

This issue is archived.

To comment on this conversation send an email to 28702@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it

mumi current 28702

Then, you may apply the latest patchset in this issue (with sign off)

mumi am -- -s

Or, compose a reply to this issue

mumi compose

Or, send patches to this issue

mumi send-email *.patch

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date