unofficial mirror of bug-guix@gnu.org 
* bug#47563: curl is vulnerable to CVE-2021-22890 and CVE-2021-22876
@ 2021-04-02 14:04 Léo Le Bouter via Bug reports for GNU Guix
  2021-04-02 14:09 ` bug#47563: [PATCH 0/1] gnu: curl: Fix CVE-2021-22876 and CVE-2021-22890 Léo Le Bouter via Bug reports for GNU Guix
                   ` (2 more replies)
  0 siblings, 3 replies; 10+ messages in thread
From: Léo Le Bouter via Bug reports for GNU Guix @ 2021-04-02 14:04 UTC (permalink / raw)
  To: 47563

[-- Attachment #1: Type: text/plain, Size: 1416 bytes --]

CVE-2021-22890	01.04.21 20:15
curl 7.63.0 to and including 7.75.0 includes a vulnerability that allows
a malicious HTTPS proxy to MITM a connection due to bad handling of TLS
1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl can
confuse session tickets arriving from the HTTPS proxy but work as if
they arrived from the remote server and then wrongly "short-cut" the
host handshake. When confusing the tickets, a HTTPS proxy can trick
libcurl to use the wrong session ticket resume for the host and thereby
circumvent the server TLS certificate check and make a MITM attack
possible to perform unnoticed. Note that such a malicious HTTPS
proxy needs to provide a certificate that curl will accept for the
MITMed server for an attack to work - unless curl has been told to
ignore the server certificate check.

CVE-2021-22876	01.04.21 20:15
curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of
Private Personal Information to an Unauthorized Actor" by leaking
credentials in the HTTP Referer: header. libcurl does not strip off
user credentials from the URL when automatically populating the
Referer: HTTP request header field in outgoing HTTP requests, and
therefore risks leaking sensitive data to the server that is the target
of the second HTTP request.

A WIP patch will follow; please help finish it (rebase
curl-CVE-2021-22890.patch on 7.74.0).

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 10+ messages in thread
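The Referer leak described for CVE-2021-22876 in the message above, as an added example that is not part of the original thread or of curl's code: Python that removes user, password and fragment from a URL before it is used as a Referer, and a check that flags web-server log entries whose Referer still carries credentials. The function names, the Combined Log Format assumption and the sample log lines are constructed for this illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Assumed log layout (Combined Log Format):
#   client ident user [time] "request" status size "referer" "user-agent"
_COMBINED = re.compile(
    r'^(?P<client>\S+) .*?"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"\s*$'
)

# Constructed sample lines: the first one shows what a server sees when a
# client copies the full previous URL into Referer on a redirect.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Apr/2021:14:04:00 +0000] '
    '"GET /data/20810002.txt?coolsite=yes HTTP/1.1" 200 62 '
    '"http://user:pass@192.0.2.10:8990/we/want/our/2081#anchor" "curl/7.74.0"',
    '203.0.113.8 - - [02/Apr/2021:14:05:00 +0000] '
    '"GET /data/20810002.txt?coolsite=yes HTTP/1.1" 200 62 '
    '"http://192.0.2.10:8990/we/want/our/2081" "curl/7.76.0"',
    '203.0.113.9 - - [02/Apr/2021:14:06:00 +0000] '
    '"GET / HTTP/1.1" 200 5 "-" "curl/7.76.0"',
]


def has_userinfo(url):
    """True if the URL's authority part contains a user[:password]@ prefix."""
    try:
        return "@" in urlsplit(url).netloc
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return False


def strip_referer(url):
    """Return the URL without credentials and without fragment.

    The userinfo ends at the LAST '@' of the authority, so a password that
    itself contains '@' is removed completely. Host, port, path and query
    are left exactly as they were.
    """
    parts = urlsplit(url)
    hostport = parts.netloc.rpartition("@")[2]
    return urlunsplit((parts.scheme, hostport, parts.path, parts.query, ""))


def find_leaky_referers(lines):
    """Return (line number, client, sanitised referer) for each log line whose
    Referer field carries credentials. The credentials are not echoed back."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        match = _COMBINED.match(line)
        if not match:
            continue  # not in the assumed format; skip instead of guessing
        referer = match.group("referer")
        if has_userinfo(referer):
            hits.append((lineno, match.group("client"), strip_referer(referer)))
    return hits


if __name__ == "__main__":
    for lineno, client, referer in find_leaky_referers(SAMPLE_LOG):
        print(f"line {lineno}: {client} sent credentials in Referer for {referer}")
```
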

* bug#47563: [PATCH 0/1] gnu: curl: Fix CVE-2021-22876 and CVE-2021-22890.
  2021-04-02 14:04 bug#47563: curl is vulnerable to CVE-2021-22890 and CVE-2021-22876 Léo Le Bouter via Bug reports for GNU Guix
@ 2021-04-02 14:09 ` Léo Le Bouter via Bug reports for GNU Guix
  2021-04-02 14:09   ` bug#47563: [PATCH 1/1] " Léo Le Bouter via Bug reports for GNU Guix
  2021-04-02 18:22   ` bug#47563: [PATCH 0/1] " Leo Famulari
  2021-04-02 19:24 ` bug#47563: [PATCH] gnu: curl: Update to 7.76.0 [security fixes] Léo Le Bouter via Bug reports for GNU Guix
  2021-04-02 19:33 ` bug#47563: [PATCH v2] " Léo Le Bouter via Bug reports for GNU Guix
  2 siblings, 2 replies; 10+ messages in thread
From: Léo Le Bouter via Bug reports for GNU Guix @ 2021-04-02 14:09 UTC (permalink / raw)
  To: 47563; +Cc: Léo Le Bouter

curl-CVE-2021-22876.patch was rebased onto 7.74.0, but curl-CVE-2021-22890.patch
does not apply, and I need help rebasing it, please; it looks quite complex.

I already pushed an upgrade of curl to 7.76.0, which was much, much easier, to
core-updates as
https://git.savannah.gnu.org/cgit/guix.git/commit/?h=core-updates&id=2e0b1b62e94b926041ca9af70537dd9b3ab64edf
but unfortunately, since curl requires so many rebuilds, it seems we can't use
such a commit on master for now.

Léo Le Bouter (1):
  gnu: curl: Fix CVE-2021-22876 and CVE-2021-22890.

 gnu/local.mk                                  |   2 +
 gnu/packages/curl.scm                         |   4 +-
 .../patches/curl-CVE-2021-22876.patch         | 147 ++++++
 .../patches/curl-CVE-2021-22890.patch         | 499 ++++++++++++++++++
 4 files changed, 651 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/curl-CVE-2021-22876.patch
 create mode 100644 gnu/packages/patches/curl-CVE-2021-22890.patch

-- 
2.31.1





^ permalink raw reply	[flat|nested] 10+ messages in thread

* bug#47563: [PATCH 1/1] gnu: curl: Fix CVE-2021-22876 and CVE-2021-22890.
  2021-04-02 14:09 ` bug#47563: [PATCH 0/1] gnu: curl: Fix CVE-2021-22876 and CVE-2021-22890 Léo Le Bouter via Bug reports for GNU Guix
@ 2021-04-02 14:09   ` Léo Le Bouter via Bug reports for GNU Guix
  2021-04-02 18:22   ` bug#47563: [PATCH 0/1] " Leo Famulari
  1 sibling, 0 replies; 10+ messages in thread
From: Léo Le Bouter via Bug reports for GNU Guix @ 2021-04-02 14:09 UTC (permalink / raw)
  To: 47563; +Cc: Léo Le Bouter

* gnu/packages/patches/curl-CVE-2021-22876.patch,
gnu/packages/patches/curl-CVE-2021-22890.patch: New patches.
* gnu/local.mk (dist_patch_DATA): Register them.
* gnu/packages/curl.scm (curl): Apply patches.
---
 gnu/local.mk                                  |   2 +
 gnu/packages/curl.scm                         |   4 +-
 .../patches/curl-CVE-2021-22876.patch         | 147 ++++++
 .../patches/curl-CVE-2021-22890.patch         | 499 ++++++++++++++++++
 4 files changed, 651 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/curl-CVE-2021-22876.patch
 create mode 100644 gnu/packages/patches/curl-CVE-2021-22890.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index f2d595f2cc..cf6f35363f 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -919,6 +919,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/crda-optional-gcrypt.patch		\
   %D%/packages/patches/clucene-contribs-lib.patch               \
   %D%/packages/patches/cube-nocheck.patch			\
+  %D%/packages/patches/curl-CVE-2021-22890.patch		\
+  %D%/packages/patches/curl-CVE-2021-22876.patch		\
   %D%/packages/patches/curl-use-ssl-cert-env.patch		\
   %D%/packages/patches/cursynth-wave-rand.patch			\
   %D%/packages/patches/cvs-CVE-2017-12836.patch		\
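Review bot: The two new dist_patch_DATA entries are listed with curl-CVE-2021-22890.patch ahead of curl-CVE-2021-22876.patch; swapping them keeps the curl patches in ascending order and matches the order used in the search-patches call in gnu/packages/curl.scm.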
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 730676875c..fa02f281cf 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -61,7 +61,9 @@
              (sha256
               (base32
                "12w7gskrglg6qrmp822j37fmbr0icrcxv7rib1fy5xiw80n5z7cr"))
-             (patches (search-patches "curl-use-ssl-cert-env.patch"))))
+             (patches (search-patches "curl-use-ssl-cert-env.patch"
+                                      "curl-CVE-2021-22876.patch"
+                                      "curl-CVE-2021-22890.patch"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"))                             ;1.2 MiB of man3 pages
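Review bot: The search-patches list now names "curl-CVE-2021-22890.patch", which the cover letter says does not apply to 7.74.0, so the curl source would fail to build as posted; leave that entry out until the rebase is done, or mark the series as WIP in the subject. Editing the patches field of curl itself also changes the curl derivation and so causes the same mass rebuild that the cover letter gives as the reason the 7.76.0 update cannot go to master; for master the patches would need to go on a separate package referenced from curl's replacement field (a graft) instead.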
diff --git a/gnu/packages/patches/curl-CVE-2021-22876.patch b/gnu/packages/patches/curl-CVE-2021-22876.patch
new file mode 100644
index 0000000000..b67a1be16a
--- /dev/null
+++ b/gnu/packages/patches/curl-CVE-2021-22876.patch
@@ -0,0 +1,147 @@
+From 7214288898f5625a6cc196e22a74232eada7861c Mon Sep 17 00:00:00 2001
+From: Viktor Szakats <commit@vsz.me>
+Date: Tue, 23 Feb 2021 14:54:46 +0100
+Subject: [PATCH] transfer: strip credentials from the auto-referer header
+ field
+
+Added test 2081 to verify.
+
+CVE-2021-22876
+
+Bug: https://curl.se/docs/CVE-2021-22876.html
+---
+ lib/transfer.c          | 25 ++++++++++++++--
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test2081     | 66 +++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 90 insertions(+), 3 deletions(-)
+ create mode 100644 tests/data/test2081
+
+diff --git a/lib/transfer.c b/lib/transfer.c
+index 1976bc0338bc..a68c021c84d6 100644
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -1581,6 +1581,9 @@ CURLcode Curl_follow(struct Curl_easy *data,
+       data->state.followlocation++; /* count location-followers */
+ 
+       if(data->set.http_auto_referer) {
++        CURLU *u;
++        char *referer;
++
+         /* We are asked to automatically set the previous URL as the referer
+            when we get the next URL. We pick the ->url field, which may or may
+            not be 100% correct */
+@@ -1590,9 +1593,27 @@ CURLcode Curl_follow(struct Curl_easy *data,
+           data->change.referer_alloc = FALSE;
+         }
+ 
+-        data->change.referer = strdup(data->change.url);
+-        if(!data->change.referer)
++        /* Make a copy of the URL without crenditals and fragment */
++        u = curl_url();
++        if(!u)
++          return CURLE_OUT_OF_MEMORY;
++
++        uc = curl_url_set(u, CURLUPART_URL, data->change.url, 0);
++        if(!uc)
++          uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0);
++        if(!uc)
++          uc = curl_url_set(u, CURLUPART_USER, NULL, 0);
++        if(!uc)
++          uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0);
++        if(!uc)
++          uc = curl_url_get(u, CURLUPART_URL, &referer, 0);
++
++        curl_url_cleanup(u);
++
++        if(uc || referer == NULL)
+           return CURLE_OUT_OF_MEMORY;
++
++        data->change.referer = referer;
+         data->change.referer_alloc = TRUE; /* yes, free this later */
+       }
+     }
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 2c7a0ca89fd8..ea52683d2254 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -225,7 +225,7 @@ test2064 test2065 test2066 test2067 test2068 test2069 \
+ test2064 test2065 test2066 test2067 test2068 test2069 test2070 \
+          test2071 test2072 test2073 test2074 test2075 test2076 test2077 \
+ test2078 \
+-test2080 \
++test2080 test2081 \
+ test2100 \
+ \
+ test3000 test3001 test3002 test3003 test3004 test3005 test3006 test3007 \
+diff --git a/tests/data/test2081 b/tests/data/test2081
+new file mode 100644
+index 000000000000..a6733e737beb
+--- /dev/null
++++ b/tests/data/test2081
+@@ -0,0 +1,66 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP GET
++referer
++followlocation
++--write-out
++</keywords>
++</info>
++
++# Server-side
++<reply>
++<data nocheck="yes">
++HTTP/1.1 301 This is a weirdo text message swsclose\r
++Location: data/%TESTNUMBER0002.txt?coolsite=yes\r
++Content-Length: 62\r
++Connection: close\r
++\r
++This server reply is for testing a simple Location: following
++</data>
++</reply>
++
++# Client-side
++<client>
++<server>
++http
++</server>
++ <name>
++Automatic referrer credential and anchor stripping check
++ </name>
++ <command>
++http://user:pass@%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER#anchor --location --referer ';auto' --write-out '%{referer}\n'
++</command>
++</client>
++
++# Verify data after the test has been "shot"
++<verify>
++<errorcode>
++52
++</errorcode>
++<protocol>
++GET /we/want/our/%TESTNUMBER HTTP/1.1\r
++Host: %HOSTIP:%HTTPPORT\r
++Authorization: Basic dXNlcjpwYXNz\r
++User-Agent: curl/%VERSION\r
++Accept: */*\r
++\r
++GET /we/want/our/data/%TESTNUMBER0002.txt?coolsite=yes HTTP/1.1\r
++Host: %HOSTIP:%HTTPPORT\r
++Authorization: Basic dXNlcjpwYXNz\r
++User-Agent: curl/%VERSION\r
++Accept: */*\r
++Referer: http://%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER\r
++\r
++</protocol>
++<stdout>
++HTTP/1.1 301 This is a weirdo text message swsclose\r
++Location: data/%TESTNUMBER0002.txt?coolsite=yes\r
++Content-Length: 62\r
++Connection: close\r
++\r
++http://%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER
++</stdout>
++</verify>
++</testcase>
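Review bot: The header of curl-CVE-2021-22876.patch keeps upstream's commit message unchanged, while the cover letter says this file was rebased onto 7.74.0; add a line above the "From 7214288898f5..." header stating that it is adapted from that upstream commit for 7.74.0, so later readers know it may differ from upstream. In the lib/transfer.c part, uc is assigned by the curl_url_set() calls but only "CURLU *u;" and "char *referer;" are declared in the added lines, so confirm that Curl_follow() in 7.74.0 already has a CURLUcode uc in scope. The "crenditals" spelling in the added comment comes with the upstream commit and can stay to keep the patch close to the original.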
diff --git a/gnu/packages/patches/curl-CVE-2021-22890.patch b/gnu/packages/patches/curl-CVE-2021-22890.patch
new file mode 100644
index 0000000000..f01bc20530
--- /dev/null
+++ b/gnu/packages/patches/curl-CVE-2021-22890.patch
@@ -0,0 +1,499 @@
+From b09c8ee15771c614c4bf3ddac893cdb12187c844 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 19 Mar 2021 12:38:49 +0100
+Subject: [PATCH] vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()
+
+To make sure we set and extract the correct session.
+
+Reported-by: Mingtao Yang
+Bug: https://curl.se/docs/CVE-2021-22890.html
+
+CVE-2021-22890
+---
+ lib/vtls/bearssl.c   |  8 +++++--
+ lib/vtls/gtls.c      | 12 ++++++----
+ lib/vtls/mbedtls.c   | 12 ++++++----
+ lib/vtls/mesalink.c  | 14 ++++++++----
+ lib/vtls/openssl.c   | 54 +++++++++++++++++++++++++++++++++-----------
+ lib/vtls/schannel.c  | 10 ++++----
+ lib/vtls/sectransp.c | 10 ++++----
+ lib/vtls/vtls.c      | 12 +++++++---
+ lib/vtls/vtls.h      |  2 ++
+ lib/vtls/wolfssl.c   | 13 +++++++----
+ 10 files changed, 103 insertions(+), 44 deletions(-)
+
+diff --git a/lib/vtls/bearssl.c b/lib/vtls/bearssl.c
+index 36c32d8d55be..39fc1a29209c 100644
+--- a/lib/vtls/bearssl.c
++++ b/lib/vtls/bearssl.c
+@@ -375,7 +375,8 @@ static CURLcode bearssl_connect_step1(struct Curl_easy *data,
+     void *session;
+ 
+     Curl_ssl_sessionid_lock(data);
+-    if(!Curl_ssl_getsessionid(data, conn, &session, NULL, sockindex)) {
++    if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE,
++                              &session, NULL, sockindex)) {
+       br_ssl_engine_set_session_parameters(&backend->ctx.eng, session);
+       infof(data, "BearSSL: re-using session ID\n");
+     }
+@@ -571,10 +572,13 @@ static CURLcode bearssl_connect_step3(struct Curl_easy *data,
+     br_ssl_engine_get_session_parameters(&backend->ctx.eng, session);
+     Curl_ssl_sessionid_lock(data);
+     incache = !(Curl_ssl_getsessionid(data, conn,
++                                      SSL_IS_PROXY() ? TRUE : FALSE,
+                                       &oldsession, NULL, sockindex));
+     if(incache)
+       Curl_ssl_delsessionid(data, oldsession);
+-    ret = Curl_ssl_addsessionid(data, conn, session, 0, sockindex);
++    ret = Curl_ssl_addsessionid(data, conn,
++                                SSL_IS_PROXY() ? TRUE : FALSE,
++                                session, 0, sockindex);
+     Curl_ssl_sessionid_unlock(data);
+     if(ret) {
+       free(session);
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index a75937b4646c..3b0d940a60e1 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -727,6 +727,7 @@ gtls_connect_step1(struct Curl_easy *data,
+ 
+     Curl_ssl_sessionid_lock(data);
+     if(!Curl_ssl_getsessionid(data, conn,
++                              SSL_IS_PROXY() ? TRUE : FALSE,
+                               &ssl_sessionid, &ssl_idsize, sockindex)) {
+       /* we got a session id, use it! */
+       gnutls_session_set_data(session, ssl_sessionid, ssl_idsize);
+@@ -1286,8 +1287,9 @@ gtls_connect_step3(struct Curl_easy *data,
+       gnutls_session_get_data(session, connect_sessionid, &connect_idsize);
+ 
+       Curl_ssl_sessionid_lock(data);
+-      incache = !(Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL,
+-                                        sockindex));
++      incache = !(Curl_ssl_getsessionid(data, conn,
++                                        SSL_IS_PROXY() ? TRUE : FALSE,
++                                        &ssl_sessionid, NULL, sockindex));
+       if(incache) {
+         /* there was one before in the cache, so instead of risking that the
+            previous one was rejected, we just kill that and store the new */
+@@ -1295,8 +1297,10 @@ gtls_connect_step3(struct Curl_easy *data,
+       }
+ 
+       /* store this session id */
+-      result = Curl_ssl_addsessionid(data, conn, connect_sessionid,
+-                                     connect_idsize, sockindex);
++      result = Curl_ssl_addsessionid(data, conn,
++                                     SSL_IS_PROXY() ? TRUE : FALSE,
++                                     connect_sessionid, connect_idsize,
++                                     sockindex);
+       Curl_ssl_sessionid_unlock(data);
+       if(result) {
+         free(connect_sessionid);
+diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
+index 95cd4d99b665..93a7ac1fd87d 100644
+--- a/lib/vtls/mbedtls.c
++++ b/lib/vtls/mbedtls.c
+@@ -463,7 +463,9 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn,
+     void *old_session = NULL;
+ 
+     Curl_ssl_sessionid_lock(data);
+-    if(!Curl_ssl_getsessionid(data, conn, &old_session, NULL, sockindex)) {
++    if(!Curl_ssl_getsessionid(data, conn,
++                              SSL_IS_PROXY() ? TRUE : FALSE,
++                              &old_session, NULL, sockindex)) {
+       ret = mbedtls_ssl_set_session(&backend->ssl, old_session);
+       if(ret) {
+         Curl_ssl_sessionid_unlock(data);
+@@ -724,6 +726,7 @@ mbed_connect_step3(struct Curl_easy *data, struct connectdata *conn,
+     int ret;
+     mbedtls_ssl_session *our_ssl_sessionid;
+     void *old_ssl_sessionid = NULL;
++    bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
+ 
+     our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session));
+     if(!our_ssl_sessionid)
+@@ -742,11 +745,12 @@ mbed_connect_step3(struct Curl_easy *data, struct connectdata *conn,
+ 
+     /* If there's already a matching session in the cache, delete it */
+     Curl_ssl_sessionid_lock(data);
+-    if(!Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL, sockindex))
++    if(!Curl_ssl_getsessionid(data, conn, isproxy, &old_ssl_sessionid, NULL,
++                              sockindex))
+       Curl_ssl_delsessionid(data, old_ssl_sessionid);
+ 
+-    retcode = Curl_ssl_addsessionid(data, conn,
+-                                    our_ssl_sessionid, 0, sockindex);
++    retcode = Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid,
++                                    0, sockindex);
+     Curl_ssl_sessionid_unlock(data);
+     if(retcode) {
+       mbedtls_ssl_session_free(our_ssl_sessionid);
+diff --git a/lib/vtls/mesalink.c b/lib/vtls/mesalink.c
+index 4f1ab8627f49..5d6a1495d790 100644
+--- a/lib/vtls/mesalink.c
++++ b/lib/vtls/mesalink.c
+@@ -261,7 +261,9 @@ mesalink_connect_step1(struct Curl_easy *data,
+     void *ssl_sessionid = NULL;
+ 
+     Curl_ssl_sessionid_lock(data);
+-    if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) {
++    if(!Curl_ssl_getsessionid(data, conn,
++                              SSL_IS_PROXY() ? TRUE : FALSE,
++                              &ssl_sessionid, NULL, sockindex)) {
+       /* we got a session id, use it! */
+       if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) {
+         Curl_ssl_sessionid_unlock(data);
+@@ -345,13 +347,14 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex)
+     bool incache;
+     SSL_SESSION *our_ssl_sessionid;
+     void *old_ssl_sessionid = NULL;
++    bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
+ 
+     our_ssl_sessionid = SSL_get_session(BACKEND->handle);
+ 
+     Curl_ssl_sessionid_lock(data);
+     incache =
+-      !(Curl_ssl_getsessionid(data, conn,
+-                              &old_ssl_sessionid, NULL, sockindex));
++      !(Curl_ssl_getsessionid(data, conn, isproxy, &old_ssl_sessionid, NULL,
++                              sockindex));
+     if(incache) {
+       if(old_ssl_sessionid != our_ssl_sessionid) {
+         infof(data, "old SSL session ID is stale, removing\n");
+@@ -361,8 +364,9 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex)
+     }
+ 
+     if(!incache) {
+-      result = Curl_ssl_addsessionid(
+-        data, conn, our_ssl_sessionid, 0 /* unknown size */, sockindex);
++      result =
++        Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid, 0,
++                              sockindex);
+       if(result) {
+         Curl_ssl_sessionid_unlock(data);
+         failf(data, "failed to store ssl session");
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 498f8b9d1d08..68b98984b460 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -393,12 +393,23 @@ static int ossl_get_ssl_conn_index(void)
+  */
+ static int ossl_get_ssl_sockindex_index(void)
+ {
+-  static int ssl_ex_data_sockindex_index = -1;
+-  if(ssl_ex_data_sockindex_index < 0) {
+-    ssl_ex_data_sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL,
+-        NULL);
++  static int sockindex_index = -1;
++  if(sockindex_index < 0) {
++    sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
+   }
+-  return ssl_ex_data_sockindex_index;
++  return sockindex_index;
++}
++
++/* Return an extra data index for proxy boolean.
++ * This index can be used with SSL_get_ex_data() and SSL_set_ex_data().
++ */
++static int ossl_get_proxy_index(void)
++{
++  static int proxy_index = -1;
++  if(proxy_index < 0) {
++    proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
++  }
++  return proxy_index;
+ }
+ 
+ static int passwd_callback(char *buf, int num, int encrypting,
+@@ -1174,7 +1185,7 @@ static int ossl_init(void)
+ 
+   /* Initialize the extra data indexes */
+   if(ossl_get_ssl_data_index() < 0 || ossl_get_ssl_conn_index() < 0 ||
+-     ossl_get_ssl_sockindex_index() < 0)
++     ossl_get_ssl_sockindex_index() < 0 || ossl_get_proxy_index() < 0)
+     return 0;
+ 
+   return 1;
+@@ -2432,8 +2443,10 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+   int data_idx = ossl_get_ssl_data_index();
+   int connectdata_idx = ossl_get_ssl_conn_index();
+   int sockindex_idx = ossl_get_ssl_sockindex_index();
++  int proxy_idx = ossl_get_proxy_index();
++  bool isproxy;
+ 
+-  if(data_idx < 0 || connectdata_idx < 0 || sockindex_idx < 0)
++  if(data_idx < 0 || connectdata_idx < 0 || sockindex_idx < 0 || proxy_idx < 0)
+     return 0;
+ 
+   conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx);
+@@ -2446,13 +2459,18 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+   sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx);
+   sockindex = (int)(sockindex_ptr - conn->sock);
+ 
++  isproxy = SSL_get_ex_data(ssl, proxy_idx) ? TRUE : FALSE;
++
+   if(SSL_SET_OPTION(primary.sessionid)) {
+     bool incache;
+     void *old_ssl_sessionid = NULL;
+ 
+     Curl_ssl_sessionid_lock(data);
+-    incache = !(Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL,
+-                                      sockindex));
++    if(isproxy)
++      incache = FALSE;
++    else
++      incache = !(Curl_ssl_getsessionid(data, conn, isproxy,
++                                        &old_ssl_sessionid, NULL, sockindex));
+     if(incache) {
+       if(old_ssl_sessionid != ssl_sessionid) {
+         infof(data, "old SSL session ID is stale, removing\n");
+@@ -2462,8 +2480,8 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+     }
+ 
+     if(!incache) {
+-      if(!Curl_ssl_addsessionid(data, conn, ssl_sessionid,
+-                                      0 /* unknown size */, sockindex)) {
++      if(!Curl_ssl_addsessionid(data, conn, isproxy, ssl_sessionid,
++                                0 /* unknown size */, sockindex)) {
+         /* the session has been put into the session cache */
+         res = 1;
+       }
+@@ -3193,17 +3211,27 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
+     int data_idx = ossl_get_ssl_data_index();
+     int connectdata_idx = ossl_get_ssl_conn_index();
+     int sockindex_idx = ossl_get_ssl_sockindex_index();
++    int proxy_idx = ossl_get_proxy_index();
+ 
+-    if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0) {
++    if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0 &&
++       proxy_idx >= 0) {
+       /* Store the data needed for the "new session" callback.
+        * The sockindex is stored as a pointer to an array element. */
+       SSL_set_ex_data(backend->handle, data_idx, data);
+       SSL_set_ex_data(backend->handle, connectdata_idx, conn);
+       SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex);
++#ifndef CURL_DISABLE_PROXY
++      SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1:
++                      NULL);
++#else
++      SSL_set_ex_data(backend->handle, proxy_idx, NULL);
++#endif
++
+     }
+ 
+     Curl_ssl_sessionid_lock(data);
+-    if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) {
++    if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE,
++                              &ssl_sessionid, NULL, sockindex)) {
+       /* we got a session id, use it! */
+       if(!SSL_set_session(backend->handle, ssl_sessionid)) {
+         Curl_ssl_sessionid_unlock(data);
+diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
+index d7b89d43f892..931bd853eb8e 100644
+--- a/lib/vtls/schannel.c
++++ b/lib/vtls/schannel.c
+@@ -496,6 +496,7 @@ schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn,
+   if(SSL_SET_OPTION(primary.sessionid)) {
+     Curl_ssl_sessionid_lock(data);
+     if(!Curl_ssl_getsessionid(data, conn,
++                              SSL_IS_PROXY() ? TRUE : FALSE,
+                               (void **)&old_cred, NULL, sockindex)) {
+       BACKEND->cred = old_cred;
+       DEBUGF(infof(data, "schannel: re-using existing credential handle\n"));
+@@ -1337,8 +1338,9 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn,
+   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+   SECURITY_STATUS sspi_status = SEC_E_OK;
+   CERT_CONTEXT *ccert_context = NULL;
++  bool isproxy = SSL_IS_PROXY();
+ #ifdef DEBUGBUILD
+-  const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
++  const char * const hostname = isproxy ? conn->http_proxy.host.name :
+     conn->host.name;
+ #endif
+ #ifdef HAS_ALPN
+@@ -1414,8 +1416,8 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn,
+     struct Curl_schannel_cred *old_cred = NULL;
+ 
+     Curl_ssl_sessionid_lock(data);
+-    incache = !(Curl_ssl_getsessionid(data, conn, (void **)&old_cred, NULL,
+-                                      sockindex));
++    incache = !(Curl_ssl_getsessionid(data, conn, isproxy, (void **)&old_cred,
++                                      NULL, sockindex));
+     if(incache) {
+       if(old_cred != BACKEND->cred) {
+         DEBUGF(infof(data,
+@@ -1426,7 +1428,7 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn,
+       }
+     }
+     if(!incache) {
+-      result = Curl_ssl_addsessionid(data, conn, (void *)BACKEND->cred,
++      result = Curl_ssl_addsessionid(data, conn, isproxy, BACKEND->cred,
+                                      sizeof(struct Curl_schannel_cred),
+                                      sockindex);
+       if(result) {
+diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c
+index 05b57dfaad91..e69b99b72cd6 100644
+--- a/lib/vtls/sectransp.c
++++ b/lib/vtls/sectransp.c
+@@ -1400,10 +1400,12 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
+   char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
+   const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
+ #ifndef CURL_DISABLE_PROXY
+-  const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
++  bool isproxy = SSL_IS_PROXY();
++  const char * const hostname = isproxy ? conn->http_proxy.host.name :
+     conn->host.name;
+   const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
+ #else
++  const isproxy = FALSE;
+   const char * const hostname = conn->host.name;
+   const long int port = conn->remote_port;
+ #endif
+@@ -1613,7 +1615,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
+ #ifdef USE_NGHTTP2
+       if(data->state.httpversion >= CURL_HTTP_VERSION_2
+ #ifndef CURL_DISABLE_PROXY
+-         && (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy)
++         && (!isproxy || !conn->bits.tunnel_proxy)
+ #endif
+         ) {
+         CFArrayAppendValue(alpnArr, CFSTR(NGHTTP2_PROTO_VERSION_ID));
+@@ -1953,7 +1955,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
+     size_t ssl_sessionid_len;
+ 
+     Curl_ssl_sessionid_lock(data);
+-    if(!Curl_ssl_getsessionid(data, conn, (void **)&ssl_sessionid,
++    if(!Curl_ssl_getsessionid(data, conn, isproxy, (void **)&ssl_sessionid,
+                               &ssl_sessionid_len, sockindex)) {
+       /* we got a session id, use it! */
+       err = SSLSetPeerID(backend->ssl_ctx, ssl_sessionid, ssl_sessionid_len);
+@@ -1981,7 +1983,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
+         return CURLE_SSL_CONNECT_ERROR;
+       }
+ 
+-      result = Curl_ssl_addsessionid(data, conn, ssl_sessionid,
++      result = Curl_ssl_addsessionid(data, conn, isproxy, ssl_sessionid,
+                                      ssl_sessionid_len, sockindex);
+       Curl_ssl_sessionid_unlock(data);
+       if(result) {
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index 6a0069237fdb..95fd6356285f 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -367,6 +367,7 @@ void Curl_ssl_sessionid_unlock(struct Curl_easy *data)
+  */
+ bool Curl_ssl_getsessionid(struct Curl_easy *data,
+                            struct connectdata *conn,
++                           const bool isProxy,
+                            void **ssl_sessionid,
+                            size_t *idsize, /* set 0 if unknown */
+                            int sockindex)
+@@ -377,7 +378,6 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data,
+   bool no_match = TRUE;
+ 
+ #ifndef CURL_DISABLE_PROXY
+-  const bool isProxy = CONNECT_PROXY_SSL();
+   struct ssl_primary_config * const ssl_config = isProxy ?
+     &conn->proxy_ssl_config :
+     &conn->ssl_config;
+@@ -389,10 +389,15 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data,
+   struct ssl_primary_config * const ssl_config = &conn->ssl_config;
+   const char * const name = conn->host.name;
+   int port = conn->remote_port;
+-  (void)sockindex;
+ #endif
++  (void)sockindex;
+   *ssl_sessionid = NULL;
+ 
++#ifdef CURL_DISABLE_PROXY
++  if(isProxy)
++    return TRUE;
++#endif
++
+   DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
+ 
+   if(!SSL_SET_OPTION(primary.sessionid))
+@@ -480,6 +485,7 @@ void Curl_ssl_delsessionid(struct Curl_easy *data, void *ssl_sessionid)
+  */
+ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
+                                struct connectdata *conn,
++                               bool isProxy,
+                                void *ssl_sessionid,
+                                size_t idsize,
+                                int sockindex)
+@@ -492,7 +498,6 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
+   int conn_to_port;
+   long *general_age;
+ #ifndef CURL_DISABLE_PROXY
+-  const bool isProxy = CONNECT_PROXY_SSL();
+   struct ssl_primary_config * const ssl_config = isProxy ?
+     &conn->proxy_ssl_config :
+     &conn->ssl_config;
+@@ -505,6 +510,7 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
+   const char *hostname = conn->host.name;
+   (void)sockindex;
+ #endif
++  (void)sockindex;
+   DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
+ 
+   clone_host = strdup(hostname);
+diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h
+index 273184f1894a..2b43e7744b19 100644
+--- a/lib/vtls/vtls.h
++++ b/lib/vtls/vtls.h
+@@ -235,6 +235,7 @@ void Curl_ssl_sessionid_unlock(struct Curl_easy *data);
+  */
+ bool Curl_ssl_getsessionid(struct Curl_easy *data,
+                            struct connectdata *conn,
++                           const bool isproxy,
+                            void **ssl_sessionid,
+                            size_t *idsize, /* set 0 if unknown */
+                            int sockindex);
+@@ -245,6 +246,7 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data,
+  */
+ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
+                                struct connectdata *conn,
++                               const bool isProxy,
+                                void *ssl_sessionid,
+                                size_t idsize,
+                                int sockindex);
+diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c
+index 7159ac9d5e64..8fb2ea7acf31 100644
+--- a/lib/vtls/wolfssl.c
++++ b/lib/vtls/wolfssl.c
+@@ -516,7 +516,9 @@ wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn,
+     void *ssl_sessionid = NULL;
+ 
+     Curl_ssl_sessionid_lock(data);
+-    if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) {
++    if(!Curl_ssl_getsessionid(data, conn,
++                              SSL_IS_PROXY() ? TRUE : FALSE,
++                              &ssl_sessionid, NULL, sockindex)) {
+       /* we got a session id, use it! */
+       if(!SSL_set_session(backend->handle, ssl_sessionid)) {
+         char error_buffer[WOLFSSL_MAX_ERROR_SZ];
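Review bot: `SSL_IS_PROXY() ? TRUE : FALSE` is spelled out inline in this Curl_ssl_getsessionid() call, while wolfssl_connect_step3() in the next hunk computes it once into a local `isproxy`. Using the same local here would make it obvious that the lookup and the later store are keyed on the same value.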
+@@ -772,11 +774,12 @@ wolfssl_connect_step3(struct Curl_easy *data, struct connectdata *conn,
+     bool incache;
+     void *old_ssl_sessionid = NULL;
+     SSL_SESSION *our_ssl_sessionid = SSL_get_session(backend->handle);
++    bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
+ 
+     if(our_ssl_sessionid) {
+       Curl_ssl_sessionid_lock(data);
+-      incache = !(Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL,
+-                                        sockindex));
++      incache = !(Curl_ssl_getsessionid(data, conn, isproxy,
++                                        &old_ssl_sessionid, NULL, sockindex));
+       if(incache) {
+         if(old_ssl_sessionid != our_ssl_sessionid) {
+           infof(data, "old SSL session ID is stale, removing\n");
+@@ -786,8 +789,8 @@ wolfssl_connect_step3(struct Curl_easy *data, struct connectdata *conn,
+       }
+ 
+       if(!incache) {
+-        result = Curl_ssl_addsessionid(data, conn, our_ssl_sessionid,
+-                                       0 /* unknown size */, sockindex);
++        result = Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid,
++                                       0, sockindex);
+         if(result) {
+           Curl_ssl_sessionid_unlock(data);
+           failf(data, "failed to store ssl session");
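Review bot: The `/* unknown size */` comment on the `0` size argument to Curl_ssl_addsessionid() is lost in the rewrapped call. Keep it on the new line (`0 /* unknown size */, sockindex);`), since a bare `0` next to `sockindex` no longer says which parameter it is.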
-- 
2.31.1






* bug#47563: [PATCH 0/1] gnu: curl: Fix CVE-2021-22876 and CVE-2021-22890.
  2021-04-02 14:09 ` bug#47563: [PATCH 0/1] gnu: curl: Fix CVE-2021-22876 and CVE-2021-22890 Léo Le Bouter via Bug reports for GNU Guix
  2021-04-02 14:09   ` bug#47563: [PATCH 1/1] " Léo Le Bouter via Bug reports for GNU Guix
@ 2021-04-02 18:22   ` Leo Famulari
  2021-04-02 18:43     ` Léo Le Bouter via Bug reports for GNU Guix
  1 sibling, 1 reply; 10+ messages in thread
From: Leo Famulari @ 2021-04-02 18:22 UTC (permalink / raw)
  To: 47563

On Fri, Apr 02, 2021 at 04:09:39PM +0200, Léo Le Bouter via Bug reports for GNU Guix wrote:
> curl-CVE-2021-22876.patch was rebased onto 7.74.0, but curl-CVE-2021-22890.patch
> does not apply and please I need help rebasing it, it looks quite complex.
> 
> I pushed an upgrade of curl to 7.76.0 which has been much much easier to
> core-updates already as
> https://git.savannah.gnu.org/cgit/guix.git/commit/?h=core-updates&id=2e0b1b62e94b926041ca9af70537dd9b3ab64edf
> but unfortunately since curl requires so many rebuilds it seems we can't use
> such commit on master for now.

Can we try grafting an "upgrade" to 7.76.0? In my experience, most curl
upgrades are graftable.

Curl's developers are very careful with their ABI and even maintain
their own page on the subject: <https://curl.se/libcurl/abi.html>





* bug#47563: [PATCH 0/1] gnu: curl: Fix CVE-2021-22876 and CVE-2021-22890.
  2021-04-02 18:22   ` bug#47563: [PATCH 0/1] " Leo Famulari
@ 2021-04-02 18:43     ` Léo Le Bouter via Bug reports for GNU Guix
  0 siblings, 0 replies; 10+ messages in thread
From: Léo Le Bouter via Bug reports for GNU Guix @ 2021-04-02 18:43 UTC (permalink / raw)
  To: leo, 47563


On Fri, 2021-04-02 at 14:22 -0400, Leo Famulari wrote:
> 
> Can we try grafting an "upgrade" to 7.76.0? In my experience, most
> curl
> upgrades are graftable.
> 
> Curl's developers are very careful with their ABI and even maintain
> their own page on the subject: <https://curl.se/libcurl/abi.html>

If you think that's OK, let's do it!

I see indeed from that page there should be no problem.

Will send a patch shortly.


* bug#47563: [PATCH] gnu: curl: Update to 7.76.0 [security fixes].
  2021-04-02 14:04 bug#47563: curl is vulnerable to CVE-2021-22890 and CVE-2021-22876 Léo Le Bouter via Bug reports for GNU Guix
  2021-04-02 14:09 ` bug#47563: [PATCH 0/1] gnu: curl: Fix CVE-2021-22876 and CVE-2021-22890 Léo Le Bouter via Bug reports for GNU Guix
@ 2021-04-02 19:24 ` Léo Le Bouter via Bug reports for GNU Guix
  2021-04-02 19:33 ` bug#47563: [PATCH v2] " Léo Le Bouter via Bug reports for GNU Guix
  2 siblings, 0 replies; 10+ messages in thread
From: Léo Le Bouter via Bug reports for GNU Guix @ 2021-04-02 19:24 UTC (permalink / raw)
  To: 47563; +Cc: Léo Le Bouter

Fixes CVE-2021-22876 and CVE-2021-22890.

* gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/curl.scm (curl/fixed): New variable. Apply patch.
(curl)[replacement]: Graft.
---
 gnu/local.mk                                  |  1 +
 gnu/packages/curl.scm                         | 14 ++++
 .../patches/curl-7.76-use-ssl-cert-env.patch  | 64 +++++++++++++++++++
 3 files changed, 79 insertions(+)
 create mode 100644 gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 1a767a6c89..0d472072ae 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -920,6 +920,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/clucene-contribs-lib.patch               \
   %D%/packages/patches/cube-nocheck.patch			\
   %D%/packages/patches/curl-use-ssl-cert-env.patch		\
+  %D%/packages/patches/curl-7.76-use-ssl-cert-env.patch	\
   %D%/packages/patches/cursynth-wave-rand.patch			\
   %D%/packages/patches/cvs-CVE-2017-12836.patch		\
   %D%/packages/patches/cyrus-sasl-ac-try-run-fix.patch		\
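Review bot: The added `curl-7.76-use-ssl-cert-env.patch` entry is placed after `curl-use-ssl-cert-env.patch`, but the surrounding entries are in alphabetical order and `curl-7.76-...` sorts before `curl-use-...`. Move it one line up.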
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 730676875c..5608d556e7 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -62,6 +62,7 @@
               (base32
                "12w7gskrglg6qrmp822j37fmbr0icrcxv7rib1fy5xiw80n5z7cr"))
              (patches (search-patches "curl-use-ssl-cert-env.patch"))))
+   (replacement curl/fixed)
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"))                             ;1.2 MiB of man3 pages
@@ -151,6 +152,19 @@ tunneling, and so on.")
     (name "curl-minimal")
     (inputs (alist-delete "openldap" (package-inputs curl))))))
 
+(define-public curl/fixed
+  (package
+    (inherit curl)
+    (version "7.76.0")
+    (source
+     (origin
+       (inherit (package-source curl))
+       (uri (string-append "https://curl.haxx.se/download/curl-"
+                           version ".tar.xz"))
+       (sha256
+        (base32
+         "1j2g04m6als6hmqzvddv84c31m0x90bfgyz3bjrwdkarbkby40k3"))))))
+
 (define-public kurly
   (package
     (name "kurly")
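Review bot: The `curl/fixed` origin has no `patches` field, so it inherits the one from `(package-source curl)`, which the first hunk shows to be `curl-use-ssl-cert-env.patch`. The `curl-7.76-use-ssl-cert-env.patch` file that this commit adds and registers in gnu/local.mk is therefore never applied, contrary to the "Apply patch" line in the commit message. Add `(patches (search-patches "curl-7.76-use-ssl-cert-env.patch"))` to the origin.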
diff --git a/gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch b/gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch
new file mode 100644
index 0000000000..24be6e31d9
--- /dev/null
+++ b/gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch
@@ -0,0 +1,64 @@
+Make libcurl respect the SSL_CERT_{DIR,FILE} variables by default. The variables
+are fetched during initialization to preserve thread-safety (curl_global_init(3)
+must be called when no other threads exist).
+
+This fixes network functionality in rust:cargo, and probably removes the need
+for other future workarounds.
+===================================================================
+--- curl-7.66.0.orig/lib/easy.c	2020-01-02 15:43:11.883921171 +0100
++++ curl-7.66.0/lib/easy.c	2020-01-02 16:18:54.691882797 +0100
+@@ -134,6 +134,9 @@
+ #  pragma warning(default:4232) /* MSVC extension, dllimport identity */
+ #endif
+ 
++char * Curl_ssl_cert_dir = NULL;
++char * Curl_ssl_cert_file = NULL;
++
+ /**
+  * curl_global_init() globally initializes curl given a bitwise set of the
+  * different features of what to initialize.
+@@ -155,6 +158,9 @@
+ #endif
+   }
+ 
++  Curl_ssl_cert_dir = curl_getenv("SSL_CERT_DIR");
++  Curl_ssl_cert_file = curl_getenv("SSL_CERT_FILE");
++
+   if(!Curl_ssl_init()) {
+     DEBUGF(fprintf(stderr, "Error: Curl_ssl_init failed\n"));
+     return CURLE_FAILED_INIT;
+@@ -260,6 +266,9 @@
+   Curl_ssl_cleanup();
+   Curl_resolver_global_cleanup();
+ 
++  free(Curl_ssl_cert_dir);
++  free(Curl_ssl_cert_file);
++
+ #ifdef WIN32
+   Curl_win32_cleanup(init_flags);
+ #endif
+diff -ur curl-7.66.0.orig/lib/url.c curl-7.66.0/lib/url.c
+--- curl-7.66.0.orig/lib/url.c	2020-01-02 15:43:11.883921171 +0100
++++ curl-7.66.0/lib/url.c	2020-01-02 16:21:11.563880346 +0100
+@@ -524,6 +524,21 @@
+     if(result)
+       return result;
+ #endif
++    extern char * Curl_ssl_cert_dir;
++    extern char * Curl_ssl_cert_file;
++    if(Curl_ssl_cert_dir) {
++        if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], Curl_ssl_cert_dir))
++            return result;
++        if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_PROXY], Curl_ssl_cert_dir))
++            return result;
++    }
++
++    if(Curl_ssl_cert_file) {
++        if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], Curl_ssl_cert_file))
++            return result;
++        if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_PROXY], Curl_ssl_cert_file))
++            return result;
++    }
+   }
+ 
+   set->wildcard_enabled = FALSE;
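Review bot: In the lib/url.c part of the new patch file, every `if(result = Curl_setstropt(...))` uses an assignment as the condition without an extra pair of parentheses, which compilers flag under -Wparentheses and which reads like a mistyped `==`. Assign on one line and test on the next, the way the context just above does with `if(result)` followed by `return result;`.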
-- 
2.31.1






* bug#47563: [PATCH v2] gnu: curl: Update to 7.76.0 [security fixes].
  2021-04-02 14:04 bug#47563: curl is vulnerable to CVE-2021-22890 and CVE-2021-22876 Léo Le Bouter via Bug reports for GNU Guix
  2021-04-02 14:09 ` bug#47563: [PATCH 0/1] gnu: curl: Fix CVE-2021-22876 and CVE-2021-22890 Léo Le Bouter via Bug reports for GNU Guix
  2021-04-02 19:24 ` bug#47563: [PATCH] gnu: curl: Update to 7.76.0 [security fixes] Léo Le Bouter via Bug reports for GNU Guix
@ 2021-04-02 19:33 ` Léo Le Bouter via Bug reports for GNU Guix
  2021-04-02 19:34   ` Léo Le Bouter via Bug reports for GNU Guix
  2021-04-02 20:46   ` Leo Famulari
  2 siblings, 2 replies; 10+ messages in thread
From: Léo Le Bouter via Bug reports for GNU Guix @ 2021-04-02 19:33 UTC (permalink / raw)
  To: 47563; +Cc: Léo Le Bouter

Fixes CVE-2021-22876 and CVE-2021-22890.

* gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/curl.scm (curl/fixed): New variable. Apply patch.
(curl)[replacement]: Graft.
---
 gnu/local.mk                                  |  1 +
 gnu/packages/curl.scm                         | 15 +++++
 .../patches/curl-7.76-use-ssl-cert-env.patch  | 64 +++++++++++++++++++
 3 files changed, 80 insertions(+)
 create mode 100644 gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 1a767a6c89..0d472072ae 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -920,6 +920,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/clucene-contribs-lib.patch               \
   %D%/packages/patches/cube-nocheck.patch			\
   %D%/packages/patches/curl-use-ssl-cert-env.patch		\
+  %D%/packages/patches/curl-7.76-use-ssl-cert-env.patch	\
   %D%/packages/patches/cursynth-wave-rand.patch			\
   %D%/packages/patches/cvs-CVE-2017-12836.patch		\
   %D%/packages/patches/cyrus-sasl-ac-try-run-fix.patch		\
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 730676875c..94dc51cfc5 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -62,6 +62,7 @@
               (base32
                "12w7gskrglg6qrmp822j37fmbr0icrcxv7rib1fy5xiw80n5z7cr"))
              (patches (search-patches "curl-use-ssl-cert-env.patch"))))
+   (replacement curl/fixed)
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"))                             ;1.2 MiB of man3 pages
@@ -151,6 +152,20 @@ tunneling, and so on.")
     (name "curl-minimal")
     (inputs (alist-delete "openldap" (package-inputs curl))))))
 
+(define-public curl/fixed
+  (package
+    (inherit curl)
+    (version "7.76.0")
+    (source
+     (origin
+       (inherit (package-source curl))
+       (uri (string-append "https://curl.haxx.se/download/curl-"
+                           version ".tar.xz"))
+       (patches (search-patches "curl-7.76-use-ssl-cert-env.patch"))
+       (sha256
+        (base32
+         "1j2g04m6als6hmqzvddv84c31m0x90bfgyz3bjrwdkarbkby40k3"))))))
+
 (define-public kurly
   (package
     (name "kurly")
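Review bot: `curl/fixed` carries no comment saying it is a temporary graft. The thread notes that 7.76.0 is already on core-updates, so a one-line comment above `(define-public curl/fixed` saying the replacement should be dropped when that branch is merged would keep it from lingering. The `patches` field also sits between `uri` and `sha256`, whereas the `curl` origin in the first hunk puts it after the hash.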
diff --git a/gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch b/gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch
new file mode 100644
index 0000000000..24be6e31d9
--- /dev/null
+++ b/gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch
@@ -0,0 +1,64 @@
+Make libcurl respect the SSL_CERT_{DIR,FILE} variables by default. The variables
+are fetched during initialization to preserve thread-safety (curl_global_init(3)
+must be called when no other threads exist).
+
+This fixes network functionality in rust:cargo, and probably removes the need
+for other future workarounds.
+===================================================================
+--- curl-7.66.0.orig/lib/easy.c	2020-01-02 15:43:11.883921171 +0100
++++ curl-7.66.0/lib/easy.c	2020-01-02 16:18:54.691882797 +0100
+@@ -134,6 +134,9 @@
+ #  pragma warning(default:4232) /* MSVC extension, dllimport identity */
+ #endif
+ 
++char * Curl_ssl_cert_dir = NULL;
++char * Curl_ssl_cert_file = NULL;
++
+ /**
+  * curl_global_init() globally initializes curl given a bitwise set of the
+  * different features of what to initialize.
+@@ -155,6 +158,9 @@
+ #endif
+   }
+ 
++  Curl_ssl_cert_dir = curl_getenv("SSL_CERT_DIR");
++  Curl_ssl_cert_file = curl_getenv("SSL_CERT_FILE");
++
+   if(!Curl_ssl_init()) {
+     DEBUGF(fprintf(stderr, "Error: Curl_ssl_init failed\n"));
+     return CURLE_FAILED_INIT;
+@@ -260,6 +266,9 @@
+   Curl_ssl_cleanup();
+   Curl_resolver_global_cleanup();
+ 
++  free(Curl_ssl_cert_dir);
++  free(Curl_ssl_cert_file);
++
+ #ifdef WIN32
+   Curl_win32_cleanup(init_flags);
+ #endif
+diff -ur curl-7.66.0.orig/lib/url.c curl-7.66.0/lib/url.c
+--- curl-7.66.0.orig/lib/url.c	2020-01-02 15:43:11.883921171 +0100
++++ curl-7.66.0/lib/url.c	2020-01-02 16:21:11.563880346 +0100
+@@ -524,6 +524,21 @@
+     if(result)
+       return result;
+ #endif
++    extern char * Curl_ssl_cert_dir;
++    extern char * Curl_ssl_cert_file;
++    if(Curl_ssl_cert_dir) {
++        if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], Curl_ssl_cert_dir))
++            return result;
++        if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_PROXY], Curl_ssl_cert_dir))
++            return result;
++    }
++
++    if(Curl_ssl_cert_file) {
++        if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], Curl_ssl_cert_file))
++            return result;
++        if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_PROXY], Curl_ssl_cert_file))
++            return result;
++    }
+   }
+ 
+   set->wildcard_enabled = FALSE;
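Review bot: The `extern char * Curl_ssl_cert_dir;` and `extern char * Curl_ssl_cert_file;` declarations in the lib/url.c part are written inside the function body, so the definitions in lib/easy.c and their use here are never checked against one shared declaration. Declare both in a header that the two files include. The embedded diff headers also still read `curl-7.66.0` although the file is named for 7.76; a line in the description saying how it differs from `curl-use-ssl-cert-env.patch` would help the next person who rebases it.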
-- 
2.31.1






* bug#47563: [PATCH v2] gnu: curl: Update to 7.76.0 [security fixes].
  2021-04-02 19:33 ` bug#47563: [PATCH v2] " Léo Le Bouter via Bug reports for GNU Guix
@ 2021-04-02 19:34   ` Léo Le Bouter via Bug reports for GNU Guix
  2021-04-02 20:36     ` Leo Famulari
  2021-04-02 20:46   ` Leo Famulari
  1 sibling, 1 reply; 10+ messages in thread
From: Léo Le Bouter via Bug reports for GNU Guix @ 2021-04-02 19:34 UTC (permalink / raw)
  To: 47563


To me, that last patch is ready to merge.

Please push if you feel that's OK too, don't wait for me!

Thanks!


* bug#47563: [PATCH v2] gnu: curl: Update to 7.76.0 [security fixes].
  2021-04-02 19:34   ` Léo Le Bouter via Bug reports for GNU Guix
@ 2021-04-02 20:36     ` Leo Famulari
  0 siblings, 0 replies; 10+ messages in thread
From: Leo Famulari @ 2021-04-02 20:36 UTC (permalink / raw)
  To: 47563


On Fri, Apr 02, 2021 at 09:34:31PM +0200, Léo Le Bouter via Bug reports for GNU Guix wrote:
> To me, that last patch is ready to merge.
> 
> Please push if you feel that's OK too, don't wait for me!

Building now to test...


* bug#47563: [PATCH v2] gnu: curl: Update to 7.76.0 [security fixes].
  2021-04-02 19:33 ` bug#47563: [PATCH v2] " Léo Le Bouter via Bug reports for GNU Guix
  2021-04-02 19:34   ` Léo Le Bouter via Bug reports for GNU Guix
@ 2021-04-02 20:46   ` Leo Famulari
  1 sibling, 0 replies; 10+ messages in thread
From: Leo Famulari @ 2021-04-02 20:46 UTC (permalink / raw)
  To: 47563; +Cc: 47563-done


On Fri, Apr 02, 2021 at 09:33:02PM +0200, Léo Le Bouter via Bug reports for GNU Guix wrote:
> Fixes CVE-2021-22876 and CVE-2021-22890.
> 
> * gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch: New patch.
> * gnu/local.mk (dist_patch_DATA): Register it.
> * gnu/packages/curl.scm (curl/fixed): New variable. Apply patch.
> (curl)[replacement]: Graft.

I tweaked the commit message — committer's preference ;) — and pushed
as f4dc8ac6dfa036d98aa0990ae22268a9650899d0.

Thanks!
