From: Leo Famulari
To: 47563@debbugs.gnu.org
Subject: bug#47563: [PATCH 0/1] gnu: curl: Fix CVE-2021-22876 and CVE-2021-22890.
Date: Fri, 2 Apr 2021 14:22:06 -0400
In-Reply-To: <20210402140940.28300-1-lle-bout@zaclys.net>

On Fri, Apr 02, 2021 at 04:09:39PM +0200, Léo Le Bouter via Bug reports for GNU Guix wrote:
> curl-CVE-2021-22876.patch was rebased onto 7.74.0, but curl-CVE-2021-22890.patch
> does not apply and please I need help rebasing it, it looks quite complex.
>
> I pushed an upgrade of curl to 7.76.0 which has been much much easier to
> core-updates already as
> https://git.savannah.gnu.org/cgit/guix.git/commit/?h=core-updates&id=2e0b1b62e94b926041ca9af70537dd9b3ab64edf
> but unfortunately since curl requires so many rebuilds it seems we can't use
> such commit on master for now. Can we try grafting an "upgrade" to 7.76.0?

In my experience, most curl upgrades are graftable. Curl's developers
are very careful with their ABI and even maintain their own page on the
subject: