From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0 ([2001:41d0:2:bcc0::]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id SL0bKrNxZ2DdzwAAgWs5BA (envelope-from ) for ; Fri, 02 Apr 2021 21:34:11 +0200 Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0 with LMTPS id oHsQJLNxZ2CYaQAA1q6Kng (envelope-from ) for ; Fri, 02 Apr 2021 19:34:11 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 0733E20BE9 for ; Fri, 2 Apr 2021 21:34:11 +0200 (CEST) Received: from localhost ([::1]:58354 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lSPYX-0006xE-UI for larch@yhetil.org; Fri, 02 Apr 2021 15:34:09 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:42324) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lSPYQ-0006wx-O4 for bug-guix@gnu.org; Fri, 02 Apr 2021 15:34:02 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:49568) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1lSPYQ-0006IR-Gk for bug-guix@gnu.org; Fri, 02 Apr 2021 15:34:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1lSPYQ-0001cA-DQ for bug-guix@gnu.org; Fri, 02 Apr 2021 15:34:02 -0400 X-Loop: help-debbugs@gnu.org Subject: bug#47563: [PATCH v2] gnu: curl: Update to 7.76.0 [security fixes]. References: <3f93f64c692d9e0604aa406a735d81084443b692.camel@zaclys.net> In-Reply-To: <3f93f64c692d9e0604aa406a735d81084443b692.camel@zaclys.net> Resent-From: =?UTF-8?Q?L=C3=A9o?= Le Bouter Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Fri, 02 Apr 2021 19:34:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 47563 X-GNU-PR-Package: guix X-GNU-PR-Keywords: security To: 47563@debbugs.gnu.org Cc: =?UTF-8?Q?L=C3=A9o?= Le Bouter Received: via spool by 47563-submit@debbugs.gnu.org id=B47563.16173919946147 (code B ref 47563); Fri, 02 Apr 2021 19:34:02 +0000 Received: (at 47563) by debbugs.gnu.org; 2 Apr 2021 19:33:14 +0000 Received: from localhost ([127.0.0.1]:32881 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lSPXd-0001b5-Ql for submit@debbugs.gnu.org; Fri, 02 Apr 2021 15:33:14 -0400 Received: from mail.zaclys.net ([178.33.93.72]:52469) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lSPXb-0001aq-MX for 47563@debbugs.gnu.org; Fri, 02 Apr 2021 15:33:12 -0400 Received: from localhost.localdomain (lsl43-1_migr-78-195-19-20.fbx.proxad.net [78.195.19.20] (may be forged)) (authenticated bits=0) by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 132JX4OC006117 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Fri, 2 Apr 2021 21:33:05 +0200 DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 132JX4OC006117 Authentication-Results: mail.zaclys.net; spf=fail smtp.mailfrom=lle-bout@zaclys.net DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zaclys.net; s=default; t=1617391985; bh=D3NhbkaPee69MUjxRBkGyg/sTs14mEVD9ORoKc7Zl5A=; h=From:To:Cc:Subject:Date:From; b=RD/giAspitxCkjzRLYpseOYXRQuEJ9zBFPSd2UkocEV74xOVTIdtvDR9eelzvW1E5 lSe6g80M9vvsoolsQq3DcMV9gnoaC2J4YxPxskGGKkYEoRG+WFCAbyan2ROoFH7bt+ gwHXnwRFog3jvQiRfrTRn3CdnMMd45J8hMm2nrSU= Date: Fri, 2 Apr 2021 21:33:02 +0200 Message-Id: <20210402193302.23602-1-lle-bout@zaclys.net> X-Mailer: git-send-email 2.31.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-guix@gnu.org List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+larch=yhetil.org@gnu.org Sender: "bug-Guix" Reply-to: =?UTF-8?Q?L=C3=A9o?= Le Bouter From: =?UTF-8?Q?L=C3=A9o?= Le Bouter via Bug reports for GNU Guix X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1617392051; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding:resent-cc: resent-from:resent-sender:resent-message-id:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=D3NhbkaPee69MUjxRBkGyg/sTs14mEVD9ORoKc7Zl5A=; b=e0ETaTPHBwa1erSrd1vMcgKn7Q+E09ME4rkiU1XZG0Qo9b1Yx9kfC0eHn5U1WppAwv66gN CmvpZc2lz6VG78Kc5LD5f2G9N056vmGP6NbuRD4YCZqJSiJy7QvQ2XFWr1PsX5tYkySmVx lFXIlbF+QgCqmHX84vMQ6dFT99DRXUuVaWwb56w4UNIDCJzsQhEQ0RpzT8HC9S6Q7T2dJ8 jRrSAxUyYVplHVh4gpz6iQOYrfcBoo3HRYaR9ZruHePi7uJxdBVjmxDGcBM7UdH3Jx4Iya qYgHLv4dGcse7LeTuTSRKVlwoIcUP5C+adyY4AH/WQp96GgB4PJqcEf8Xa/DyQ== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1617392051; a=rsa-sha256; cv=none; b=PMvFCkkkYxNhKNl9xoDo4r7gFcq6NYcpvP13H0X2T6ZhTzcQTM0j3MvwAtGjZY/V/en3bU 8Eh7K0HP2/nmygxmBfon20jTY9OdLlmnDqNPTB+s1kq4BGO5wk/cDqdXGVVMlck7+u6A6j eyKefdfvSjpvGrP89miLlApbyshXXEfl4n+8BHffQkJLLeWdFW9qJPsdVIl/6RkXzTnE/k pt3Se5xzdUZF3B8rKctipJYTwXOxrpP9MYZr4FCQSzb2E27gMHjifCC5GT4vA48kbDG7pv zMGZNglRqoNsIGMQ1o5aC40izmv8c5uQjLV146XkU+JndMVDcf16m1QzUAHVzA== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=zaclys.net header.s=default header.b="RD/giAsp"; spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org X-Migadu-Spam-Score: 2.57 Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=zaclys.net header.s=default header.b="RD/giAsp"; dmarc=pass (policy=none) header.from=gnu.org; spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org X-Migadu-Queue-Id: 0733E20BE9 X-Spam-Score: 2.57 X-Migadu-Scanner: scn0.migadu.com X-TUID: VQjAnM8XrXgh Fixes CVE-2021-22876 and CVE-2021-22890. * gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch: New patch. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/curl.scm (curl/fixed): New variable. Apply patch. (curl)[replacement]: Graft. --- gnu/local.mk | 1 + gnu/packages/curl.scm | 15 +++++ .../patches/curl-7.76-use-ssl-cert-env.patch | 64 +++++++++++++++++++ 3 files changed, 80 insertions(+) create mode 100644 gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch diff --git a/gnu/local.mk b/gnu/local.mk index 1a767a6c89..0d472072ae 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -920,6 +920,7 @@ dist_patch_DATA = \ %D%/packages/patches/clucene-contribs-lib.patch \ %D%/packages/patches/cube-nocheck.patch \ %D%/packages/patches/curl-use-ssl-cert-env.patch \ + %D%/packages/patches/curl-7.76-use-ssl-cert-env.patch \ %D%/packages/patches/cursynth-wave-rand.patch \ %D%/packages/patches/cvs-CVE-2017-12836.patch \ %D%/packages/patches/cyrus-sasl-ac-try-run-fix.patch \ diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm index 730676875c..94dc51cfc5 100644 --- a/gnu/packages/curl.scm +++ b/gnu/packages/curl.scm @@ -62,6 +62,7 @@ (base32 "12w7gskrglg6qrmp822j37fmbr0icrcxv7rib1fy5xiw80n5z7cr")) (patches (search-patches "curl-use-ssl-cert-env.patch")))) + (replacement curl/fixed) (build-system gnu-build-system) (outputs '("out" "doc")) ;1.2 MiB of man3 pages @@ -151,6 +152,20 @@ tunneling, and so on.") (name "curl-minimal") (inputs (alist-delete "openldap" (package-inputs curl)))))) +(define-public curl/fixed + (package + (inherit curl) + (version "7.76.0") + (source + (origin + (inherit (package-source curl)) + (uri (string-append "https://curl.haxx.se/download/curl-" + version ".tar.xz")) + (patches (search-patches "curl-7.76-use-ssl-cert-env.patch")) + (sha256 + (base32 + "1j2g04m6als6hmqzvddv84c31m0x90bfgyz3bjrwdkarbkby40k3")))))) + (define-public kurly (package (name "kurly") diff --git a/gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch b/gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch new file mode 100644 index 0000000000..24be6e31d9 --- /dev/null +++ b/gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch @@ -0,0 +1,64 @@ +Make libcurl respect the SSL_CERT_{DIR,FILE} variables by default. The variables +are fetched during initialization to preserve thread-safety (curl_global_init(3) +must be called when no other threads exist). + +This fixes network functionality in rust:cargo, and probably removes the need +for other future workarounds. +=================================================================== +--- curl-7.66.0.orig/lib/easy.c 2020-01-02 15:43:11.883921171 +0100 ++++ curl-7.66.0/lib/easy.c 2020-01-02 16:18:54.691882797 +0100 +@@ -134,6 +134,9 @@ + # pragma warning(default:4232) /* MSVC extension, dllimport identity */ + #endif + ++char * Curl_ssl_cert_dir = NULL; ++char * Curl_ssl_cert_file = NULL; ++ + /** + * curl_global_init() globally initializes curl given a bitwise set of the + * different features of what to initialize. +@@ -155,6 +158,9 @@ + #endif + } + ++ Curl_ssl_cert_dir = curl_getenv("SSL_CERT_DIR"); ++ Curl_ssl_cert_file = curl_getenv("SSL_CERT_FILE"); ++ + if(!Curl_ssl_init()) { + DEBUGF(fprintf(stderr, "Error: Curl_ssl_init failed\n")); + return CURLE_FAILED_INIT; +@@ -260,6 +266,9 @@ + Curl_ssl_cleanup(); + Curl_resolver_global_cleanup(); + ++ free(Curl_ssl_cert_dir); ++ free(Curl_ssl_cert_file); ++ + #ifdef WIN32 + Curl_win32_cleanup(init_flags); + #endif +diff -ur curl-7.66.0.orig/lib/url.c curl-7.66.0/lib/url.c +--- curl-7.66.0.orig/lib/url.c 2020-01-02 15:43:11.883921171 +0100 ++++ curl-7.66.0/lib/url.c 2020-01-02 16:21:11.563880346 +0100 +@@ -524,6 +524,21 @@ + if(result) + return result; + #endif ++ extern char * Curl_ssl_cert_dir; ++ extern char * Curl_ssl_cert_file; ++ if(Curl_ssl_cert_dir) { ++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], Curl_ssl_cert_dir)) ++ return result; ++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_PROXY], Curl_ssl_cert_dir)) ++ return result; ++ } ++ ++ if(Curl_ssl_cert_file) { ++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], Curl_ssl_cert_file)) ++ return result; ++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_PROXY], Curl_ssl_cert_file)) ++ return result; ++ } + } + + set->wildcard_enabled = FALSE; -- 2.31.1