* [PATCH 0/1] curl: Fix CVE-2016-3739.
From: Leo Famulari @ 2016-06-12 3:38 UTC
To: guix-devel

If your SSL / TLS provider is mbedTLS (formerly PolarSSL), there is a
bug in curl [CVE-2016-3739] that allows an attacker to bypass the full
certificate check by presenting any valid certificate.

So, you might think you are connecting to https://example.com, when in fact
the attacker has a certificate for any other domain.

We don't package mbedTLS, but I still think we should provide the fixed
source code.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3739
https://curl.haxx.se/docs/adv_20160518.html

Leo Famulari (1):
  gnu: curl: Replace with 7.49.1 [fixes CVE-2016-3739].

 gnu/packages/curl.scm | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

--
2.8.4
* [PATCH 1/1] gnu: curl: Replace with 7.49.1 [fixes CVE-2016-3739]. 2016-06-12 3:38 [PATCH 0/1] curl: Fix CVE-2016-3739 Leo Famulari @ 2016-06-12 3:38 ` Leo Famulari 2016-06-12 20:51 ` [PATCH 0/1] curl: Fix CVE-2016-3739 Ludovic Courtès 1 sibling, 0 replies; 10+ messages in thread From: Leo Famulari @ 2016-06-12 3:38 UTC (permalink / raw) To: guix-devel * gnu/packages/curl.scm (curl)[replacement]: New field. (curl/fixed): New variable. --- gnu/packages/curl.scm | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm index 222910b..925602e 100644 --- a/gnu/packages/curl.scm +++ b/gnu/packages/curl.scm @@ -40,6 +40,7 @@ (define-public curl (package (name "curl") + (replacement curl/fixed) (version "7.47.0") (source (origin (method url-fetch) @@ -123,3 +124,17 @@ tunneling, and so on.") (license (license:non-copyleft "file://COPYING" "See COPYING in the distribution.")) (home-page "http://curl.haxx.se/"))) + +(define curl/fixed + (package + (inherit curl) + (source + (let ((name "curl") + (version "7.49.1")) + (origin + (method url-fetch) + (uri (string-append "https://curl.haxx.se/download/curl-" + version ".tar.lzma")) + (sha256 + (base32 + "033w3wyawali0rc5s15ywxpjnf476671m595r49sr4vj07idf3al"))))))) -- 2.8.4 ^ permalink raw reply related [flat|nested] 10+ messages in thread
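Review bot: In the second hunk the `let` binds `name` but the `uri` still spells out the literal `"curl-"`, so `name` is dead; either use it, e.g. `(string-append "https://curl.haxx.se/download/" name "-" version ".tar.lzma")`, or drop the binding. Because only `source` is overridden, the grafted package keeps the `version` field `"7.47.0"` while fetching the 7.49.1 tarball; a comment such as `;; Fixes CVE-2016-3739.` above `curl/fixed` would record why the replacement exists and which source it actually carries. As the replies point out, the default curl package is built against GnuTLS, so this graft is paid for by every dependent of curl for a bug that does not affect that build; a plain version bump on core-updates-next, which is where the thread ends up, is the better fit.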
* Re: [PATCH 0/1] curl: Fix CVE-2016-3739.
From: Ludovic Courtès @ 2016-06-12 20:51 UTC
To: Leo Famulari; +Cc: guix-devel

Leo Famulari <leo@famulari.name> skribis:

> If your SSL / TLS provider is mbedTLS (formerly PolarSSL), there is a
> bug in curl [CVE-2016-3739] that allows an attacker to bypass the full
> certificate check by presenting any valid certificate.
>
> So, you might think you are connecting to https://example.com, when in fact
> the attacker has a certificate for any other domain.
>
> We don't package mbedTLS, but I still think we should provide the fixed
> source code.

OTOH this will incur additional grafting for no reason, WDYT?

Thanks,
Ludo’.
* Re: [PATCH 0/1] curl: Fix CVE-2016-3739.
From: ng0 @ 2016-06-12 21:02 UTC
To: guix-devel

On 2016-06-12(10:51:14+0200), Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
>
> > If your SSL / TLS provider is mbedTLS (formerly PolarSSL), there is a
> > bug in curl [CVE-2016-3739] that allows an attacker to bypass the full
> > certificate check by presenting any valid certificate.
> >
> > So, you might think you are connecting to https://example.com, when in fact
> > the attacker has a certificate for any other domain.
> >
> > We don't package mbedTLS, but I still think we should provide the fixed
> > source code.
>
> OTOH this will incur additional grafting for no reason, WDYT?
>
> Thanks,
> Ludo’.
>

fyi,

mbedtls is on my list of packages to do, as the webserver hiawatha
depends on it.

Should I announce once it is packaged and the cve fix can be applied
afterwards?

--
♥Ⓐ ng0
For non-prism friendly talk find me on psyced.org / loupsycedyglgamf.onion
* Re: [PATCH 0/1] curl: Fix CVE-2016-3739.
From: Leo Famulari @ 2016-06-13 1:12 UTC
To: guix-devel

On Sun, Jun 12, 2016 at 09:02:32PM +0000, ng0 wrote:
> On 2016-06-12(10:51:14+0200), Ludovic Courtès wrote:
> > Leo Famulari <leo@famulari.name> skribis:
> >
> > > If your SSL / TLS provider is mbedTLS (formerly PolarSSL), there is a
> > > bug in curl [CVE-2016-3739] that allows an attacker to bypass the full
> > > certificate check by presenting any valid certificate.
> > >
> > > So, you might think you are connecting to https://example.com, when in fact
> > > the attacker has a certificate for any other domain.
> > >
> > > We don't package mbedTLS, but I still think we should provide the fixed
> > > source code.
> >
> > OTOH this will incur additional grafting for no reason, WDYT?

No reason for things built within our distribution, true.

> fyi,
>
> mbedtls is on my list of packages to do, as the webserver hiawatha
> depends on it.
>
> Should I announce once it is packaged and the cve fix can be applied
> afterwards?

We should definitely update curl on core-updates-next, or whatever is
built after the current cycle, and we should not add hiawatha until the
fixed curl is in our tree.
* Re: [PATCH 0/1] curl: Fix CVE-2016-3739.
From: Ludovic Courtès @ 2016-06-13 15:07 UTC
To: Leo Famulari; +Cc: guix-devel

Leo Famulari <leo@famulari.name> skribis:

> On Sun, Jun 12, 2016 at 09:02:32PM +0000, ng0 wrote:
>> On 2016-06-12(10:51:14+0200), Ludovic Courtès wrote:
>> > Leo Famulari <leo@famulari.name> skribis:
>> >
>> > > If your SSL / TLS provider is mbedTLS (formerly PolarSSL), there is a
>> > > bug in curl [CVE-2016-3739] that allows an attacker to bypass the full
>> > > certificate check by presenting any valid certificate.
>> > >
>> > > So, you might think you are connecting to https://example.com, when in fact
>> > > the attacker has a certificate for any other domain.
>> > >
>> > > We don't package mbedTLS, but I still think we should provide the fixed
>> > > source code.
>> >
>> > OTOH this will incur additional grafting for no reason, WDYT?
>
> No reason for things built within our distribution, true.

Right.

>> fyi,
>>
>> mbedtls is on my list of packages to do, as the webserver hiawatha
>> depends on it.
>>
>> Should I announce once it is packaged and the cve fix can be applied
>> afterwards?
>
> We should definitely update curl on core-updates-next, or whatever is
> built after the current cycle, and we should not add hiawatha until the
> fixed curl is in our tree.

Agreed on both points. Can you already push the curl update in
core-updates-next?

Though I would like the default curl package to still use GnuTLS. So I
think curl-with-mbedtls will be a different package anyway.

Thanks,
Ludo’.
* Re: [PATCH 0/1] curl: Fix CVE-2016-3739.
From: ng0 @ 2016-06-13 15:42 UTC
To: guix-devel

On 2016-06-13(05:07:23+0200), Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
>
> > On Sun, Jun 12, 2016 at 09:02:32PM +0000, ng0 wrote:
> >> On 2016-06-12(10:51:14+0200), Ludovic Courtès wrote:
> >> > Leo Famulari <leo@famulari.name> skribis:
> >> >
> >> > > If your SSL / TLS provider is mbedTLS (formerly PolarSSL), there is a
> >> > > bug in curl [CVE-2016-3739] that allows an attacker to bypass the full
> >> > > certificate check by presenting any valid certificate.
> >> > >
> >> > > So, you might think you are connecting to https://example.com, when in fact
> >> > > the attacker has a certificate for any other domain.
> >> > >
> >> > > We don't package mbedTLS, but I still think we should provide the fixed
> >> > > source code.
> >> >
> >> > OTOH this will incur additional grafting for no reason, WDYT?
> >
> > No reason for things built within our distribution, true.
>
> Right.
>
> >> fyi,
> >>
> >> mbedtls is on my list of packages to do, as the webserver hiawatha
> >> depends on it.
> >>
> >> Should I announce once it is packaged and the cve fix can be applied
> >> afterwards?
> >
> > We should definitely update curl on core-updates-next, or whatever is
> > built after the current cycle, and we should not add hiawatha until the
> > fixed curl is in our tree.
>
> Agreed on both points. Can you already push the curl update in
> core-updates-next?
>
> Though I would like the default curl package to still use GnuTLS. So I
> think curl-with-mbedtls will be a different package anyway.
>
> Thanks,
> Ludo’.
>

From the way it was done in Gentoo, I assume this is not needed?
mbedtls is a separate package, and I have libressl as the curlssl provider,
which is a curl built against libressl.

If I am wrong, correct me.
My initial comment was a bit out of place, but I just assume it will
justwork™ on guix, otherwise a curl-with-mbedtls would have to be
created.

Sorry for the confusion.

--
♥Ⓐ ng0
For non-prism friendly talk find me on psyced.org / loupsycedyglgamf.onion
* Re: [PATCH 0/1] curl: Fix CVE-2016-3739.
From: Leo Famulari @ 2016-06-13 16:14 UTC
To: guix-devel

On Mon, Jun 13, 2016 at 03:42:47PM +0000, ng0 wrote:
> From the way it was done in Gentoo, I assume this is not needed?
> mbedtls is a separate package, and I have libressl as the curlssl provider,
> which is a curl built against libressl.
>
> If I am wrong, correct me.
> My initial comment was a bit out of place, but I just assume it will
> justwork™ on guix, otherwise a curl-with-mbedtls would have to be
> created.
>
> Sorry for the confusion.

I think the confusion was mine. Unless Hiawatha requires a curl linked
against mbedTLS, I don't think there will be any problem with
CVE-2016-3739 and Hiawatha.
* Re: [PATCH 0/1] curl: Fix CVE-2016-3739.
From: ng0 @ 2016-06-13 18:56 UTC
To: guix-devel

On 2016-06-13(12:14:14-0400), Leo Famulari wrote:
> On Mon, Jun 13, 2016 at 03:42:47PM +0000, ng0 wrote:
> > From the way it was done in Gentoo, I assume this is not needed?
> > mbedtls is a separate package, and I have libressl as the curlssl provider,
> > which is a curl built against libressl.
> >
> > If I am wrong, correct me.
> > My initial comment was a bit out of place, but I just assume it will
> > justwork™ on guix, otherwise a curl-with-mbedtls would have to be
> > created.
> >
> > Sorry for the confusion.
>
> I think the confusion was mine. Unless Hiawatha requires a curl linked
> against mbedTLS, I don't think there will be any problem with
> CVE-2016-3739 and Hiawatha.
>

I think it will work out alright.
The test- and applied systems I had were hardened gcc with libressl
globally, amd64, and a hardened musl system with openssl, amd64, in case
of the musl it is curl built against openssl, the gcc with curl libressl.

ng0@khazad-dum:~$ equery g hiawatha
 * Searching for hiawatha ...
-- snip --
 * dependency graph for www-servers/hiawatha-10.3-r99
 `-- www-servers/hiawatha-10.3-r99  [~amd64 keyword]
   `-- sys-libs/zlib-1.2.8-r1  (sys-libs/zlib) amd64
   `-- net-libs/mbedtls-2.2.1  (>=net-libs/mbedtls-2.0) amd64 [threads]
   `-- dev-libs/libxslt-1.1.29  (dev-libs/libxslt) amd64
   `-- dev-libs/libxml2-2.9.4  (dev-libs/libxml2) amd64
   `-- sys-devel/make-4.1-r1  (sys-devel/make) amd64
   `-- dev-util/cmake-3.3.1-r1  (>=dev-util/cmake-2.8.2) amd64
   `-- virtual/pkgconfig-0-r1  (virtual/pkgconfig) amd64
   `-- www-apps/hiawatha-monitor-1.3  (www-apps/hiawatha-monitor) [~amd64 keyword]
[ www-servers/hiawatha-10.3-r99 stats: packages (9), max depth (1) ]

--
♥Ⓐ ng0
For non-prism friendly talk find me on psyced.org / loupsycedyglgamf.onion
* Re: [PATCH 0/1] curl: Fix CVE-2016-3739.
From: Leo Famulari @ 2016-06-13 16:05 UTC
To: Ludovic Courtès; +Cc: guix-devel

On Mon, Jun 13, 2016 at 05:07:23PM +0200, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> > We should definitely update curl on core-updates-next, or whatever is
> > built after the current cycle, and we should not add hiawatha until the
> > fixed curl is in our tree.
>
> Agreed on both points. Can you already push the curl update in
> core-updates-next?

Done as 32a8eb01e

> Though I would like the default curl package to still use GnuTLS. So I
> think curl-with-mbedtls will be a different package anyway.

I hadn't noticed that our curl package uses GnuTLS instead of OpenSSL :)
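The thread turns on which TLS library a given curl was built against, so here is an added example (not code from the thread or from Guix) that parses the first line of `curl -V` and flags a build as affected only when it reports mbedTLS or PolarSSL and is older than 7.49.1, the fix release named above. The banner layout, the list of backend tokens and the three sample lines are assumptions constructed for the example; the lower bound of the affected range is not stated on this page, so the check compares only against the fix version.

```python
import re
import subprocess

# Constructed `curl -V` banner lines (the first line of its output), not captured
# from any real system; they stand in for the cases the thread discusses.
SAMPLE_MBEDTLS = "curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 mbedTLS/2.2.1 zlib/1.2.8"
SAMPLE_GNUTLS = "curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 GnuTLS/3.4.7 zlib/1.2.8"
SAMPLE_FIXED = "curl 7.49.1 (x86_64-pc-linux-gnu) libcurl/7.49.1 mbedTLS/2.2.1 zlib/1.2.8"

# 7.49.1 is the release the thread names as carrying the fix.
FIXED_VERSION = (7, 49, 1)
# Backend names curl prints for the affected library (PolarSSL was renamed mbedTLS).
AFFECTED_BACKENDS = ("mbedtls", "polarssl")
# TLS library tokens that can appear in the banner; used to find which one is linked.
KNOWN_BACKENDS = ("gnutls", "openssl", "libressl", "mbedtls", "polarssl",
                  "nss", "wolfssl", "cyassl", "securetransport", "schannel")


def parse_curl_banner(line):
    """Return (version tuple, TLS backend name or None) from a `curl -V` first line."""
    m = re.match(r"curl (\d+)\.(\d+)\.(\d+)", line)
    if not m:
        raise ValueError("not a curl -V banner: %r" % line)
    version = tuple(int(x) for x in m.groups())
    backend = None
    # Feature tokens look like NAME/VERSION; the first TLS library token wins.
    for token in line.split()[2:]:
        name, sep, _ = token.partition("/")
        if sep and name.lower() in KNOWN_BACKENDS:
            backend = name
            break
    return version, backend


def affected_by_cve_2016_3739(line):
    """True only for an mbedTLS/PolarSSL build older than the 7.49.1 fix."""
    version, backend = parse_curl_banner(line)
    if backend is None or backend.lower() not in AFFECTED_BACKENDS:
        return False
    return version < FIXED_VERSION


def check_local_curl():
    """Classify the installed curl, or return None if curl cannot be run."""
    try:
        out = subprocess.run(["curl", "-V"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return affected_by_cve_2016_3739(out.splitlines()[0])
```

A GnuTLS build such as the Guix default is reported as unaffected whatever its version, which matches the conclusion the thread reaches.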