[PATCH v2] gnu: curl: Fix security vulnerability.

Details
3 participants
  • Ashish SHUKLA
  • John Kehayias
  • Maxim Cournoyer
Owner
unassigned
Submitted by
Ashish SHUKLA
Severity
normal
Ashish SHUKLA wrote on 19 Sep 17:17 +0200
[PATCH] gnu: curl: Update to 8.10.1 [security fixes].
(address . guix-patches@gnu.org)(name . Ashish SHUKLA)(address . ashish.is@lostca.se)
5cadbf4fe10768fae553fd71f8b0edeb384c7fb0.1726759049.git.ashish.is@lostca.se
* gnu/packages/curl.scm (curl): Update to 8.10.1.

* gnu/packages/patches/curl-use-ssl-cert-env.patch: Update for 8.10.1.

Change-Id: I2a1566a3b7ca0a097c77f158bd370945cf16baf8
---
gnu/packages/curl.scm | 5 ++-
.../patches/curl-use-ssl-cert-env.patch | 41 +++++++++----------
2 files changed, 23 insertions(+), 23 deletions(-)

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 9f74018205..7ab886f195 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -16,6 +16,7 @@
;;; Copyright © 2021 Felix Gruber <felgru@posteo.net>
;;; Copyright © 2023 Sharlatan Hellseher <sharlatanus@gmail.com>
;;; Copyright © 2023 John Kehayias <john.kehayias@protonmail.com>
+;;; Copyright © 2024 Ashish SHUKLA <ashish.is@lostca.se>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -66,14 +67,14 @@ (define-module (gnu packages curl)
(define-public curl
(package
(name "curl")
- (version "8.6.0")
+ (version "8.10.1")
(source (origin
(method url-fetch)
(uri (string-append "https://curl.se/download/curl-"
version ".tar.xz"))
(sha256
(base32
- "05fv468yjrb7qwrxmfprxkrcckbkij0myql0vwwnalgr3bcmbk9w"))
+ "1vh4rvmln4ygp4mc18hq1pd5za4mp7jbfksajajrz84njplv193k"))
(patches (search-patches "curl-use-ssl-cert-env.patch"))))
(outputs '("out"
"doc")) ;1.2 MiB of man3 pages
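Review bot: bumping `version` from 8.6.0 to 8.10.1 changes the `curl` package itself, and because nearly everything depends on curl this forces a rebuild of the world, which cannot go to master directly; for a security fix, keep the version and hash as they are and add a `replacement` field pointing at a patched same-version package (a graft), leaving the real update for a branch. Separately, the subject line says `[security fixes]` but neither the subject nor the body names the CVE identifiers being fixed; list them in the commit message so the change is auditable.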
diff --git a/gnu/packages/patches/curl-use-ssl-cert-env.patch b/gnu/packages/patches/curl-use-ssl-cert-env.patch
index c39c1f7e98..2a57f0f8be 100644
--- a/gnu/packages/patches/curl-use-ssl-cert-env.patch
+++ b/gnu/packages/patches/curl-use-ssl-cert-env.patch
@@ -37,28 +37,27 @@ for other future workarounds.
#ifdef _WIN32
Curl_win32_cleanup(easy_init_flags);
#endif
-diff -ur curl-7.66.0.orig/lib/url.c curl-7.66.0/lib/url.c
---- curl-7.66.0.orig/lib/url.c 2020-01-02 15:43:11.883921171 +0100
-+++ curl-7.66.0/lib/url.c 2020-01-02 16:21:11.563880346 +0100
-@@ -524,6 +524,21 @@
- if(result)
- return result;
+--- curl-8.10.0/lib/url.c.orig 2024-09-17 16:57:50.407214691 +0000
++++ curl-8.10.0/lib/url.c 2024-09-17 16:59:47.507214691 +0000
+@@ -455,6 +455,21 @@
+ #endif
#endif
-+ extern char * Curl_ssl_cert_dir;
-+ extern char * Curl_ssl_cert_file;
-+ if(Curl_ssl_cert_dir) {
-+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], Curl_ssl_cert_dir))
-+ return result;
-+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_PROXY], Curl_ssl_cert_dir))
-+ return result;
-+ }
-+
-+ if(Curl_ssl_cert_file) {
-+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], Curl_ssl_cert_file))
-+ return result;
-+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_PROXY], Curl_ssl_cert_file))
-+ return result;
-+ }
}
++ extern char * Curl_ssl_cert_dir;
++ extern char * Curl_ssl_cert_file;
++ if(Curl_ssl_cert_dir) {
++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], Curl_ssl_cert_dir))
++ return result;
++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_PROXY], Curl_ssl_cert_dir))
++ return result;
++ }
++
++ if(Curl_ssl_cert_file) {
++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], Curl_ssl_cert_file))
++ return result;
++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_PROXY], Curl_ssl_cert_file))
++ return result;
++ }
+ #ifndef CURL_DISABLE_FTP
set->wildcard_enabled = FALSE;
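Review bot: the refreshed patch header at `--- curl-8.10.0/lib/url.c.orig` / `+++ curl-8.10.0/lib/url.c` names curl 8.10.0 while this update moves the package to 8.10.1; regenerate the patch against the 8.10.1 tree (or at least correct the file names and timestamps) so the patch provenance matches the source it is applied to. The moved block itself is unchanged apart from its anchor (now after the closing `}` instead of after `if(result) return result;`), so it still carries the pre-existing assignment-in-condition style (`if(result = Curl_setstropt(...))`), which compilers flag under -Wparentheses; not a blocker for this update, but worth parenthesising while the patch is being regenerated anyway.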

base-commit: e85f52e826b0701c3dcf9acf9d81e5ae57aec8f9
--
2.46.1
John Kehayias wrote on 27 Sep 20:52 +0200
(name . Ashish SHUKLA)(address . ashish.is@lostca.se)(address . 73361@debbugs.gnu.org)
87tte13p5q.fsf@protonmail.com
Hello,

On Thu, Sep 19, 2024 at 03:17 PM, Ashish SHUKLA wrote:

> * gnu/packages/curl.scm (curl): Update to 8.10.1.
>

As curl causes a rebuild of just about everything, this will need to be
done as a graft on master. (And ungrafted with a world rebuild on a
branch.) Would you like to take a stab at that?

Also, please note what the security fixes are (CVE numbers).

Thanks for the patch so far!
John

> * gnu/packages/patches/curl-use-ssl-cert-env.patch: Update for 8.10.1.
>
> Change-Id: I2a1566a3b7ca0a097c77f158bd370945cf16baf8
> ---
> gnu/packages/curl.scm | 5 ++-
> .../patches/curl-use-ssl-cert-env.patch | 41 +++++++++----------
> 2 files changed, 23 insertions(+), 23 deletions(-)
>
> diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
> index 9f74018205..7ab886f195 100644
> --- a/gnu/packages/curl.scm
> +++ b/gnu/packages/curl.scm
> @@ -16,6 +16,7 @@
> ;;; Copyright © 2021 Felix Gruber <felgru@posteo.net>
> ;;; Copyright © 2023 Sharlatan Hellseher <sharlatanus@gmail.com>
> ;;; Copyright © 2023 John Kehayias <john.kehayias@protonmail.com>
> +;;; Copyright © 2024 Ashish SHUKLA <ashish.is@lostca.se>
> ;;;
> ;;; This file is part of GNU Guix.
> ;;;
> @@ -66,14 +67,14 @@ (define-module (gnu packages curl)
> (define-public curl
> (package
> (name "curl")
> - (version "8.6.0")
> + (version "8.10.1")
> (source (origin
> (method url-fetch)
> (uri (string-append "https://curl.se/download/curl-"
> version ".tar.xz"))
> (sha256
> (base32
> - "05fv468yjrb7qwrxmfprxkrcckbkij0myql0vwwnalgr3bcmbk9w"))
> + "1vh4rvmln4ygp4mc18hq1pd5za4mp7jbfksajajrz84njplv193k"))
> (patches (search-patches "curl-use-ssl-cert-env.patch"))))
> (outputs '("out"
> "doc")) ;1.2 MiB of man3 pages
> diff --git a/gnu/packages/patches/curl-use-ssl-cert-env.patch b/gnu/packages/patches/curl-use-ssl-cert-env.patch
> index c39c1f7e98..2a57f0f8be 100644
> --- a/gnu/packages/patches/curl-use-ssl-cert-env.patch
> +++ b/gnu/packages/patches/curl-use-ssl-cert-env.patch
> @@ -37,28 +37,27 @@ for other future workarounds.
> #ifdef _WIN32
> Curl_win32_cleanup(easy_init_flags);
> #endif
> -diff -ur curl-7.66.0.orig/lib/url.c curl-7.66.0/lib/url.c
> ---- curl-7.66.0.orig/lib/url.c 2020-01-02 15:43:11.883921171 +0100
> -+++ curl-7.66.0/lib/url.c 2020-01-02 16:21:11.563880346 +0100
> -@@ -524,6 +524,21 @@
> - if(result)
> - return result;
> +--- curl-8.10.0/lib/url.c.orig 2024-09-17 16:57:50.407214691 +0000
> ++++ curl-8.10.0/lib/url.c 2024-09-17 16:59:47.507214691 +0000
> +@@ -455,6 +455,21 @@
> + #endif
> #endif
> -+ extern char * Curl_ssl_cert_dir;
> -+ extern char * Curl_ssl_cert_file;
> -+ if(Curl_ssl_cert_dir) {
> -+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], Curl_ssl_cert_dir))
> -+ return result;
> -+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_PROXY], Curl_ssl_cert_dir))
> -+ return result;
> -+ }
> -+
> -+ if(Curl_ssl_cert_file) {
> -+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], Curl_ssl_cert_file))
> -+ return result;
> -+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_PROXY], Curl_ssl_cert_file))
> -+ return result;
> -+ }
> }
> ++ extern char * Curl_ssl_cert_dir;
> ++ extern char * Curl_ssl_cert_file;
> ++ if(Curl_ssl_cert_dir) {
> ++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], Curl_ssl_cert_dir))
> ++ return result;
> ++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_PROXY], Curl_ssl_cert_dir))
> ++ return result;
> ++ }
> ++
> ++ if(Curl_ssl_cert_file) {
> ++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], Curl_ssl_cert_file))
> ++ return result;
> ++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_PROXY], Curl_ssl_cert_file))
> ++ return result;
> ++ }
>
> + #ifndef CURL_DISABLE_FTP
> set->wildcard_enabled = FALSE;
>
> base-commit: e85f52e826b0701c3dcf9acf9d81e5ae57aec8f9
Ashish SHUKLA wrote on 28 Sep 03:24 +0200
(name . John Kehayias)(address . john.kehayias@protonmail.com)(address . 73361@debbugs.gnu.org)
D4HIWPATGQQC.3757G1T13L90I@lostca.se
On Fri Sep 27, 2024 at 8:52 PM CEST, John Kehayias wrote:
> Hello,
>
> On Thu, Sep 19, 2024 at 03:17 PM, Ashish SHUKLA wrote:
>
> > * gnu/packages/curl.scm (curl): Update to 8.10.1.
> >
>
> As curl causes a rebuild of just about everything, this will need to
> done as a graft on master. (And ungrafted with a world rebuild on a
> branch.) Would you like to take a stab at that?

Prepared a new revision (attached) to add a new package 'curl/fixed'
with just the fix from upstream applied[0][1].

As for the actual update to 8.10.1, I can send a patch (either in this
thread, or in separate issue report).

Please let me know if something is amiss with my patch.

References:
[0] https://curl.se/docs/CVE-2024-8096.html
[1] https://github.com/curl/curl/commit/aeb1a281cab13c7ba

Thanks!
--
Ashish SHUKLA | GPG: F682 CDCC 39DC 0FEA E116 20B6 C746 CFA9 E74F A4B0

"If I destroy you, what business is it of yours ?" (Dark Forest, Liu Cixin)
Ashish SHUKLA wrote on 28 Sep 03:28 +0200
retitle bug report
(address . control@debbugs.gnu.org)
D4HIZU3RX9G1.13Y9E0T7UHCQD@lostca.se
retitle 73361 [PATCH v2] gnu: curl: Fix security vulnerability.
quit
Maxim Cournoyer wrote on 12 Nov 13:07 +0100
Re: bug#73361: [PATCH v2] gnu: curl: Fix security vulnerability.
(name . Ashish SHUKLA)(address . ashish.is@lostca.se)
875xos4pvu.fsf_-_@gmail.com
Hi,

"Ashish SHUKLA" <ashish.is@lostca.se> writes:

> On Fri Sep 27, 2024 at 8:52 PM CEST, John Kehayias wrote:
>> Hello,
>>
>> On Thu, Sep 19, 2024 at 03:17 PM, Ashish SHUKLA wrote:
>>
>> > * gnu/packages/curl.scm (curl): Update to 8.10.1.
>> >
>>
>> As curl causes a rebuild of just about everything, this will need to
>> done as a graft on master. (And ungrafted with a world rebuild on a
>> branch.) Would you like to take a stab at that?
>
> Prepared a new revision (attached) to add a new package 'curl/fixed'
> with just the fix from upstream applied[0][1].
>
> As for the actual update to 8.10.1, I can send a patch (either in this
> thread, or in separate issue report).
>
> Please let me know if something is amiss with my patch.
>
> References:
> [0] https://curl.se/docs/CVE-2024-8096.html
> [1] https://github.com/curl/curl/commit/aeb1a281cab13c7ba
>
> Thanks!
> --
> Ashish SHUKLA | GPG: F682 CDCC 39DC 0FEA E116 20B6 C746 CFA9 E74F A4B0
>
> "If I destroy you, what business is it of yours ?" (Dark Forest, Liu Cixin)
>
> From 82e4c9fdf2e4bc78dfad87ee956fd78051bbc763 Mon Sep 17 00:00:00 2001
> Message-ID: <82e4c9fdf2e4bc78dfad87ee956fd78051bbc763.1727486274.git.ashish.is@lostca.se>
> From: Ashish SHUKLA <ashish.is@lostca.se>
> Date: Sat, 28 Sep 2024 01:40:45 +0200
> Subject: [PATCH v2] gnu: curl: Fix security vulnerability.
>
> Fixes CVE-2024-8096.
>
> * gnu/packages/curl.scm (curl)[replacement]: New field.
> (curl/fixed): New variable.
> * gnu/packages/patches/curl-CVE-2024-8096.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Register it.
>
> Change-Id: I42facad095d97dc94302e9db60626b9fa00f3738
> ---
> gnu/local.mk | 1 +
> gnu/packages/curl.scm | 11 +
> gnu/packages/patches/curl-CVE-2024-8096.patch | 200 ++++++++++++++++++
> 3 files changed, 212 insertions(+)
> create mode 100644 gnu/packages/patches/curl-CVE-2024-8096.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index 9fdad12b63..a2215ad4c2 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -1114,6 +1114,7 @@ dist_patch_DATA = \
> %D%/packages/patches/crda-optional-gcrypt.patch \
> %D%/packages/patches/clucene-contribs-lib.patch \
> %D%/packages/patches/cube-nocheck.patch \
> + %D%/packages/patches/curl-CVE-2024-8096.patch \
> %D%/packages/patches/curl-use-ssl-cert-env.patch \
> %D%/packages/patches/curlftpfs-fix-error-closing-file.patch \
> %D%/packages/patches/curlftpfs-fix-file-names.patch \
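Review bot: the registration sits in the right alphabetical slot (after `cube-nocheck.patch`, before `curl-use-ssl-cert-env.patch`), but the 200-line `curl-CVE-2024-8096.patch` file itself does not appear in this thread, so a reviewer cannot confirm from the page that it is the upstream commit `aeb1a281cab13c7ba` cited in the cover message; put the upstream commit hash and the CVE advisory URL in the patch file's header so that check can be made from the file alone.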
> diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
> index 9f74018205..bbb266e236 100644
> --- a/gnu/packages/curl.scm
> +++ b/gnu/packages/curl.scm
> @@ -16,6 +16,7 @@
> ;;; Copyright © 2021 Felix Gruber <felgru@posteo.net>
> ;;; Copyright © 2023 Sharlatan Hellseher <sharlatanus@gmail.com>
> ;;; Copyright © 2023 John Kehayias <john.kehayias@protonmail.com>
> +;;; Copyright © 2024 Ashish SHUKLA <ashish.is@lostca.se>
> ;;;
> ;;; This file is part of GNU Guix.
> ;;;
> @@ -67,6 +68,7 @@ (define-public curl
> (package
> (name "curl")
> (version "8.6.0")
> + (replacement curl/fixed)
> (source (origin
> (method url-fetch)
> (uri (string-append "https://curl.se/download/curl-"
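Review bot: `(replacement curl/fixed)` is the right mechanism here: a graft requires the replacement to be ABI-compatible with the package it replaces, which holds because `curl/fixed` is the same 8.6.0 source with one patch applied rather than the 8.10.1 bump from v1. Note that `version` stays 8.6.0, so the store path and `guix package` listings will keep showing curl-8.6.0 even once the CVE fix is in; that is expected for a graft and worth saying in the commit message so nobody reads it as "unpatched".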
> @@ -176,6 +178,15 @@ (define-public curl
> "See COPYING in the distribution."))
> (home-page "https://curl.haxx.se/")))
>
> +(define-public curl/fixed
> + (hidden-package
> + (package
> + (inherit curl)
> + (replacement curl/fixed)
> + (source (origin
> + (inherit (package-source curl))
> + (patches (search-patches "curl-CVE-2024-8096.patch")))))))
> +
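Review bot: `(patches (search-patches "curl-CVE-2024-8096.patch"))` on the inherited origin replaces the whole `patches` list instead of extending it, so the grafted package silently loses `curl-use-ssl-cert-env.patch` that the base `curl` source carries (see `(patches (search-patches "curl-use-ssl-cert-env.patch"))` in the v1 diff earlier in this thread; the follow-up commit b10ce47d8b mentioned below fixes exactly this). Use `(patches (append (origin-patches (package-source curl)) (search-patches "curl-CVE-2024-8096.patch")))` so both patches are applied. Also, `(replacement curl/fixed)` inside the definition of `curl/fixed` points the package at itself; the `replacement` field is innate in Guix's package record (not copied by `inherit`), so the line is unnecessary and should be dropped.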

I've applied it already, but noticed after that this doesn't add the
curl patch 'curl-use-ssl-cert-env.patch'; which I've now fixed in commit
b10ce47d8b.

Closing!

--
Thanks,
Maxim
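The graft pattern John asked for, with the patch-list mistake Maxim noticed corrected, written out as an added example. This is the editor's illustration, not the code from the v2 patch and not the follow-up commit b10ce47d8b. It assumes it lives in `(gnu packages curl)` next to the `curl` definition shown in the hunks (with `(replacement curl/fixed)` added to `curl` as in the v2 hunk), and that both patch files exist under gnu/packages/patches/ and are registered in gnu/local.mk:

```scheme
;; Added example (editor's illustration, not the thread's own code): a graft
;; for curl that keeps the package's existing patch and adds the CVE fix.
;; Assumed context: this sits in (gnu packages curl) after the `curl'
;; definition, which carries `(replacement curl/fixed)' exactly as in the
;; v2 hunk.  Dependents are not rebuilt: Guix rewrites their references to
;; the curl-8.6.0 store path so that they point at the grafted output.

(use-modules (guix packages)   ; package, origin, hidden-package, origin-patches
             (gnu packages))   ; search-patches

(define-public curl/fixed
  (hidden-package
   (package
     (inherit curl)
     ;; No `replacement' field here: it is innate (not copied by `inherit'),
     ;; and pointing a package's replacement at itself is meaningless.
     (source
      (origin
        (inherit (package-source curl))
        ;; Extend the inherited patch list.  Writing only
        ;;   (patches (search-patches "curl-CVE-2024-8096.patch"))
        ;; would replace the list and silently drop
        ;; curl-use-ssl-cert-env.patch, the defect Maxim fixed after merging.
        (patches
         (append (origin-patches (package-source curl))
                 (search-patches "curl-CVE-2024-8096.patch"))))))))
```

To check the result from a Guix checkout, `guix repl` followed by `,use (gnu packages curl)` and `(map basename (origin-patches (package-source curl/fixed)))` should list both patch file names; `guix build curl --no-grafts` and `guix build curl` then give the ungrafted and grafted store paths, and `guix refresh -l curl` shows how many dependents a plain version bump would have rebuilt.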
Closed