[PATCH v2] gnu: curl: Fix security vulnerability.

  • Done
  • quality assurance status badge
Details
3 participants
  • Ashish SHUKLA
  • John Kehayias
  • Maxim Cournoyer
Owner
unassigned
Submitted by
Ashish SHUKLA
Severity
normal
A
A
Ashish SHUKLA wrote on 19 Sep 17:17 +0200
[PATCH] gnu: curl: Update to 8.10.1 [security fixes].
(address . guix-patches@gnu.org)(name . Ashish SHUKLA)(address . ashish.is@lostca.se)
5cadbf4fe10768fae553fd71f8b0edeb384c7fb0.1726759049.git.ashish.is@lostca.se
* gnu/packages/curl.scm (curl): Update to 8.10.1.

* gnu/packages/patches/curl-use-ssl-cert-env.patch: Update for 8.10.1.

Change-Id: I2a1566a3b7ca0a097c77f158bd370945cf16baf8
---
gnu/packages/curl.scm | 5 ++-
.../patches/curl-use-ssl-cert-env.patch | 41 +++++++++----------
2 files changed, 23 insertions(+), 23 deletions(-)

Toggle diff (86 lines)
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 9f74018205..7ab886f195 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -16,6 +16,7 @@
;;; Copyright © 2021 Felix Gruber <felgru@posteo.net>
;;; Copyright © 2023 Sharlatan Hellseher <sharlatanus@gmail.com>
;;; Copyright © 2023 John Kehayias <john.kehayias@protonmail.com>
+;;; Copyright © 2024 Ashish SHUKLA <ashish.is@lostca.se>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -66,14 +67,14 @@ (define-module (gnu packages curl)
(define-public curl
(package
(name "curl")
- (version "8.6.0")
+ (version "8.10.1")
(source (origin
(method url-fetch)
(uri (string-append "https://curl.se/download/curl-"
version ".tar.xz"))
(sha256
(base32
- "05fv468yjrb7qwrxmfprxkrcckbkij0myql0vwwnalgr3bcmbk9w"))
+ "1vh4rvmln4ygp4mc18hq1pd5za4mp7jbfksajajrz84njplv193k"))
(patches (search-patches "curl-use-ssl-cert-env.patch"))))
(outputs '("out"
"doc")) ;1.2 MiB of man3 pages
diff --git a/gnu/packages/patches/curl-use-ssl-cert-env.patch b/gnu/packages/patches/curl-use-ssl-cert-env.patch
index c39c1f7e98..2a57f0f8be 100644
--- a/gnu/packages/patches/curl-use-ssl-cert-env.patch
+++ b/gnu/packages/patches/curl-use-ssl-cert-env.patch
@@ -37,28 +37,27 @@ for other future workarounds.
#ifdef _WIN32
Curl_win32_cleanup(easy_init_flags);
#endif
-diff -ur curl-7.66.0.orig/lib/url.c curl-7.66.0/lib/url.c
---- curl-7.66.0.orig/lib/url.c 2020-01-02 15:43:11.883921171 +0100
-+++ curl-7.66.0/lib/url.c 2020-01-02 16:21:11.563880346 +0100
-@@ -524,6 +524,21 @@
- if(result)
- return result;
+--- curl-8.10.0/lib/url.c.orig 2024-09-17 16:57:50.407214691 +0000
++++ curl-8.10.0/lib/url.c 2024-09-17 16:59:47.507214691 +0000
+@@ -455,6 +455,21 @@
+ #endif
#endif
-+ extern char * Curl_ssl_cert_dir;
-+ extern char * Curl_ssl_cert_file;
-+ if(Curl_ssl_cert_dir) {
-+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], Curl_ssl_cert_dir))
-+ return result;
-+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_PROXY], Curl_ssl_cert_dir))
-+ return result;
-+ }
-+
-+ if(Curl_ssl_cert_file) {
-+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], Curl_ssl_cert_file))
-+ return result;
-+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_PROXY], Curl_ssl_cert_file))
-+ return result;
-+ }
}
++ extern char * Curl_ssl_cert_dir;
++ extern char * Curl_ssl_cert_file;
++ if(Curl_ssl_cert_dir) {
++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], Curl_ssl_cert_dir))
++ return result;
++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_PROXY], Curl_ssl_cert_dir))
++ return result;
++ }
++
++ if(Curl_ssl_cert_file) {
++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], Curl_ssl_cert_file))
++ return result;
++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_PROXY], Curl_ssl_cert_file))
++ return result;
++ }
+ #ifndef CURL_DISABLE_FTP
set->wildcard_enabled = FALSE;

base-commit: e85f52e826b0701c3dcf9acf9d81e5ae57aec8f9
--
2.46.1
J
J
John Kehayias wrote on 27 Sep 20:52 +0200
(name . Ashish SHUKLA)(address . ashish.is@lostca.se)(address . 73361@debbugs.gnu.org)
87tte13p5q.fsf@protonmail.com
Hello,

On Thu, Sep 19, 2024 at 03:17 PM, Ashish SHUKLA wrote:

Toggle quote (3 lines)
> * gnu/packages/curl.scm (curl): Update to 8.10.1.
>

As curl causes a rebuild of just about everything, this will need to
done as a graft on master. (And ungrafted with a world rebuild on a
branch.) Would you like to take a stab at that?

Also, please note what the security fixes are (CVE numbers).

Thanks for the patch so far!
John

Toggle quote (92 lines)
> * gnu/packages/patches/curl-use-ssl-cert-env.patch: Update for 8.10.1.
>
> Change-Id: I2a1566a3b7ca0a097c77f158bd370945cf16baf8
> ---
> gnu/packages/curl.scm | 5 ++-
> .../patches/curl-use-ssl-cert-env.patch | 41 +++++++++----------
> 2 files changed, 23 insertions(+), 23 deletions(-)
>
> diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
> index 9f74018205..7ab886f195 100644
> --- a/gnu/packages/curl.scm
> +++ b/gnu/packages/curl.scm
> @@ -16,6 +16,7 @@
> ;;; Copyright © 2021 Felix Gruber <felgru@posteo.net>
> ;;; Copyright © 2023 Sharlatan Hellseher <sharlatanus@gmail.com>
> ;;; Copyright © 2023 John Kehayias <john.kehayias@protonmail.com>
> +;;; Copyright © 2024 Ashish SHUKLA <ashish.is@lostca.se>
> ;;;
> ;;; This file is part of GNU Guix.
> ;;;
> @@ -66,14 +67,14 @@ (define-module (gnu packages curl)
> (define-public curl
> (package
> (name "curl")
> - (version "8.6.0")
> + (version "8.10.1")
> (source (origin
> (method url-fetch)
> (uri (string-append "https://curl.se/download/curl-"
> version ".tar.xz"))
> (sha256
> (base32
> - "05fv468yjrb7qwrxmfprxkrcckbkij0myql0vwwnalgr3bcmbk9w"))
> + "1vh4rvmln4ygp4mc18hq1pd5za4mp7jbfksajajrz84njplv193k"))
> (patches (search-patches "curl-use-ssl-cert-env.patch"))))
> (outputs '("out"
> "doc")) ;1.2 MiB of man3 pages
> diff --git a/gnu/packages/patches/curl-use-ssl-cert-env.patch b/gnu/packages/patches/curl-use-ssl-cert-env.patch
> index c39c1f7e98..2a57f0f8be 100644
> --- a/gnu/packages/patches/curl-use-ssl-cert-env.patch
> +++ b/gnu/packages/patches/curl-use-ssl-cert-env.patch
> @@ -37,28 +37,27 @@ for other future workarounds.
> #ifdef _WIN32
> Curl_win32_cleanup(easy_init_flags);
> #endif
> -diff -ur curl-7.66.0.orig/lib/url.c curl-7.66.0/lib/url.c
> ---- curl-7.66.0.orig/lib/url.c 2020-01-02 15:43:11.883921171 +0100
> -+++ curl-7.66.0/lib/url.c 2020-01-02 16:21:11.563880346 +0100
> -@@ -524,6 +524,21 @@
> - if(result)
> - return result;
> +--- curl-8.10.0/lib/url.c.orig 2024-09-17 16:57:50.407214691 +0000
> ++++ curl-8.10.0/lib/url.c 2024-09-17 16:59:47.507214691 +0000
> +@@ -455,6 +455,21 @@
> + #endif
> #endif
> -+ extern char * Curl_ssl_cert_dir;
> -+ extern char * Curl_ssl_cert_file;
> -+ if(Curl_ssl_cert_dir) {
> -+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], Curl_ssl_cert_dir))
> -+ return result;
> -+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_PROXY], Curl_ssl_cert_dir))
> -+ return result;
> -+ }
> -+
> -+ if(Curl_ssl_cert_file) {
> -+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], Curl_ssl_cert_file))
> -+ return result;
> -+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_PROXY], Curl_ssl_cert_file))
> -+ return result;
> -+ }
> }
> ++ extern char * Curl_ssl_cert_dir;
> ++ extern char * Curl_ssl_cert_file;
> ++ if(Curl_ssl_cert_dir) {
> ++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], Curl_ssl_cert_dir))
> ++ return result;
> ++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_PROXY], Curl_ssl_cert_dir))
> ++ return result;
> ++ }
> ++
> ++ if(Curl_ssl_cert_file) {
> ++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], Curl_ssl_cert_file))
> ++ return result;
> ++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_PROXY], Curl_ssl_cert_file))
> ++ return result;
> ++ }
>
> + #ifndef CURL_DISABLE_FTP
> set->wildcard_enabled = FALSE;
>
> base-commit: e85f52e826b0701c3dcf9acf9d81e5ae57aec8f9
A
A
Ashish SHUKLA wrote on 28 Sep 03:24 +0200
(name . John Kehayias)(address . john.kehayias@protonmail.com)(address . 73361@debbugs.gnu.org)
D4HIWPATGQQC.3757G1T13L90I@lostca.se
On Fri Sep 27, 2024 at 8:52 PM CEST, John Kehayias wrote:
Toggle quote (11 lines)
> Hello,
>
> On Thu, Sep 19, 2024 at 03:17 PM, Ashish SHUKLA wrote:
>
> > * gnu/packages/curl.scm (curl): Update to 8.10.1.
> >
>
> As curl causes a rebuild of just about everything, this will need to
> done as a graft on master. (And ungrafted with a world rebuild on a
> branch.) Would you like to take a stab at that?

Prepared a new revision (attached) to add a new package 'curl/fixed'
with just the fix from upstream applied[0][1].

As for the actual update to 8.10.1, I can send a patch (either in this
thread, or in separate issue report).

Please let me know if something is amiss with my patch.

References:

Thanks!
--
Ashish SHUKLA | GPG: F682 CDCC 39DC 0FEA E116 20B6 C746 CFA9 E74F A4B0

"If I destroy you, what business is it of yours ?" (Dark Forest, Liu Cixin)
-----BEGIN PGP SIGNATURE-----

iQKoBAABCgCSFiEE9oLNzDncD+rhFiC2x0bPqedPpLAFAmb3WrdfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEY2
ODJDRENDMzlEQzBGRUFFMTE2MjBCNkM3NDZDRkE5RTc0RkE0QjAUHGFzaGlzaC5p
c0Bsb3N0Y2Euc2UACgkQx0bPqedPpLDtjxAAt8cDBdwuLD7O5eytqis/rOhlO904
gdLYUyDf54qjN8+QmeZaR2Wj6YE36waHLHq59/hfs6kt0FsptOTzFSZd2LEGShkt
BPtM4392q0bnPuuABwFawQsMRYM9UNbWvGCcm9H5BVQ9YmXT/X/ZQq4dZjkm65Rd
s/AXiUxElt1lbH1aIh21ywK7djsSPTSDqvqFHYviN66yGRdkAvzpsdwp5XOaCtAU
gcIUVqVdOTimGxd/pGsq48i7yPwO/M0754y1cTVbHKIj9GNPYQzTPTkbkhQemcas
5zcexfOosHsJGvypAxZYuJt2f8yCSAzTfa5VgipeZamv6fJBp4uIyMryK30YUP43
vnKhrukvXkfWj285WqbU4zh3N3dg5m4krfhFbs5kZ1KJBlnLUSZaxa/0viRvimuv
jh52eFYgDqbSA/Dd8NFx50vOs/L1tc/Qd/mST+KjwUCq/d9ElzL5Y3yHUsn3gYie
ZuUroSx9GhmXfUbc8lVPStuOPeFYCCwFLMxod5IyzgP/rOQS5BfAPrF4FetrW8Ch
o7i9UOjP6oncF0QGwU3tZUEsSwAPHRoKR0DXsYjL+5UMSazczs6QxptTaromluui
ugR88ICAEJmpUDNSXdqUjaQcaU1FcUD2d1DBINxZBwmwpBGPYRQn82xAqpQeF8Dt
w5NzZeP5RcHR6b8=
=yHtE
-----END PGP SIGNATURE-----


A
A
Ashish SHUKLA wrote on 28 Sep 03:28 +0200
retitle bug report
(address . control@debbugs.gnu.org)
D4HIZU3RX9G1.13Y9E0T7UHCQD@lostca.se
retitle 73361 [PATCH v2] gnu: curl: Fix security vulnerability.
quit
-----BEGIN PGP SIGNATURE-----

iQKoBAABCgCSFiEE9oLNzDncD+rhFiC2x0bPqedPpLAFAmb3W6xfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEY2
ODJDRENDMzlEQzBGRUFFMTE2MjBCNkM3NDZDRkE5RTc0RkE0QjAUHGFzaGlzaC5p
c0Bsb3N0Y2Euc2UACgkQx0bPqedPpLDXqA/+MXjggeiIve4V6cNVsSnVhyLWlkA7
ohd9GdnafFjRuBTn4o/f1zjxSLtCPWGALpLixLiOvpVC3THMzSCHQIJO1SvMHcge
yj54relI4/xVA6vgifIsya7g6uIiJyWkjg0iYB+yA5UfRBy9Dwk0b9i0smZcYtzK
dAOqdDTtL80zCvOvdVNl9su6sUTyUTktjbI/85LOe1O0sPP4oiJdlND0b1k9VOSV
XYZyPeAN9PKEC3Z/Fn4ED1/e0nf4bGrxQ6p6CWer747ivYJ1p1j6goO+cVX7AQhc
ZLthB1F0/rRc0eDw+eQFoxcqzsgySFfBanKPqT6gHsXdeuz17c7AP3psh8Q4kjlj
pLoOEg8pRQ+LESyIPZq+mb9awdhz6in9fgzUNHd+YZyfktQWU0cUJpqv7GFQQzie
opdKvi1whNax9qtDbo2VNMRsXGE2qw+KxoextcA7+zqdRmEOAK/V+QeLAec/Lr7l
kOwyCxTw3saHskNjTb9nb7l1m2NLou1KC66DWpwHGa33HC5d0GQgORF6Fhti34Ju
vsPD5jrg9s/QlUb3TY4fP3RIqQTO2kLNBCNPs60BlYRWCqWdKZxlyl900m9WsVcz
JXBxy2zCECf6N+K+OOGKcMauogLoHujH4nH/CnceCy87mPMCCf0EzrrwAcGR2m56
rB3WDQm+w7AyiFc=
=WSY7
-----END PGP SIGNATURE-----


M
M
Maxim Cournoyer wrote on 12 Nov 13:07 +0100
Re: bug#73361: [PATCH v2] gnu: curl: Fix security vulnerability.
(name . Ashish SHUKLA)(address . ashish.is@lostca.se)
875xos4pvu.fsf_-_@gmail.com
Hi,

"Ashish SHUKLA" <ashish.is@lostca.se> writes:

Toggle quote (97 lines)
> On Fri Sep 27, 2024 at 8:52 PM CEST, John Kehayias wrote:
>> Hello,
>>
>> On Thu, Sep 19, 2024 at 03:17 PM, Ashish SHUKLA wrote:
>>
>> > * gnu/packages/curl.scm (curl): Update to 8.10.1.
>> >
>>
>> As curl causes a rebuild of just about everything, this will need to
>> done as a graft on master. (And ungrafted with a world rebuild on a
>> branch.) Would you like to take a stab at that?
>
> Prepared a new revision (attached) to add a new package 'curl/fixed'
> with just the fix from upstream applied[0][1].
>
> As for the actual update to 8.10.1, I can send a patch (either in this
> thread, or in separate issue report).
>
> Please let me know if something is amiss with my patch.
>
> References:
> [0] https://curl.se/docs/CVE-2024-8096.html
> [1] https://github.com/curl/curl/commit/aeb1a281cab13c7ba
>
> Thanks!
> --
> Ashish SHUKLA | GPG: F682 CDCC 39DC 0FEA E116 20B6 C746 CFA9 E74F A4B0
>
> "If I destroy you, what business is it of yours ?" (Dark Forest, Liu Cixin)
>
> From 82e4c9fdf2e4bc78dfad87ee956fd78051bbc763 Mon Sep 17 00:00:00 2001
> Message-ID: <82e4c9fdf2e4bc78dfad87ee956fd78051bbc763.1727486274.git.ashish.is@lostca.se>
> From: Ashish SHUKLA <ashish.is@lostca.se>
> Date: Sat, 28 Sep 2024 01:40:45 +0200
> Subject: [PATCH v2] gnu: curl: Fix security vulnerability.
>
> Fixes CVE-2024-8096.
>
> * gnu/packages/curl.scm (curl)[replacement]: New field.
> (curl/fixed): New variable.
> * gnu/packages/patches/curl-CVE-2024-8096.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Register it.
>
> Change-Id: I42facad095d97dc94302e9db60626b9fa00f3738
> ---
> gnu/local.mk | 1 +
> gnu/packages/curl.scm | 11 +
> gnu/packages/patches/curl-CVE-2024-8096.patch | 200 ++++++++++++++++++
> 3 files changed, 212 insertions(+)
> create mode 100644 gnu/packages/patches/curl-CVE-2024-8096.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index 9fdad12b63..a2215ad4c2 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -1114,6 +1114,7 @@ dist_patch_DATA = \
> %D%/packages/patches/crda-optional-gcrypt.patch \
> %D%/packages/patches/clucene-contribs-lib.patch \
> %D%/packages/patches/cube-nocheck.patch \
> + %D%/packages/patches/curl-CVE-2024-8096.patch \
> %D%/packages/patches/curl-use-ssl-cert-env.patch \
> %D%/packages/patches/curlftpfs-fix-error-closing-file.patch \
> %D%/packages/patches/curlftpfs-fix-file-names.patch \
> diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
> index 9f74018205..bbb266e236 100644
> --- a/gnu/packages/curl.scm
> +++ b/gnu/packages/curl.scm
> @@ -16,6 +16,7 @@
> ;;; Copyright © 2021 Felix Gruber <felgru@posteo.net>
> ;;; Copyright © 2023 Sharlatan Hellseher <sharlatanus@gmail.com>
> ;;; Copyright © 2023 John Kehayias <john.kehayias@protonmail.com>
> +;;; Copyright © 2024 Ashish SHUKLA <ashish.is@lostca.se>
> ;;;
> ;;; This file is part of GNU Guix.
> ;;;
> @@ -67,6 +68,7 @@ (define-public curl
> (package
> (name "curl")
> (version "8.6.0")
> + (replacement curl/fixed)
> (source (origin
> (method url-fetch)
> (uri (string-append "https://curl.se/download/curl-"
> @@ -176,6 +178,15 @@ (define-public curl
> "See COPYING in the distribution."))
> (home-page "https://curl.haxx.se/")))
>
> +(define-public curl/fixed
> + (hidden-package
> + (package
> + (inherit curl)
> + (replacement curl/fixed)
> + (source (origin
> + (inherit (package-source curl))
> + (patches (search-patches "curl-CVE-2024-8096.patch")))))))
> +

I've applied it already, but noticed after that this doesn't add the
curl patch 'curl-use-ssl-cert-env.patch'; which I've now fixed in commit
b10ce47d8b.

Closing!

--
Thanks,
Maxim
Closed
?
Your comment

This issue is archived.

To comment on this conversation send an email to 73361@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 73361
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch