From: Marius Bakke
To: Leo Famulari, 28027@debbugs.gnu.org, me@tobias.gr, ng0@infotropique.org
Subject: [bug#28027] curl security update [was Re: bug#28027: gnURL 7.55.0]
Date: Wed, 09 Aug 2017 23:55:32 +0200

Leo Famulari writes:

> On Wed, Aug 09, 2017 at 02:50:07PM -0400, Leo Famulari wrote:
>> On Wed, Aug 09, 2017 at 01:48:42PM -0400, Leo Famulari wrote:
>> > On Wed, Aug 09, 2017 at 06:25:39PM +0200, Tobias Geerinckx-Rice wrote:
>> > > ng0 wrote on 09/08/17 at 18:00:
>> > > > From 13129d51ac4dd5ac7f5e7b74997297139a40be12 Mon Sep 17 00:00:00 2001
>> > > > From: ng0
>> > > > Date: Wed, 9 Aug 2017 15:58:43 +0000
>> > > > Subject: [PATCH] gnu: gnurl: Update to 7.55.0.
>> > > >
>> > > > * gnu/packages/gnunet.scm (gnurl): Update to 7.55.0.
>> > >
>> > > Thanks! Pushed as 28e12d6c81cef2aca7f792f3c99037a649faa9b0.
>> >
>> > Great! Can somebody also update the curl replacement?
>>
>> Actually, I'll do it :)
>
> With the attached patch, it fails to build, because the man 3 pages
> aren't built and thus can't be copied into the doc output. I'm not sure
> what's going on :/

It seems our work collided again. :-)

I 'ported' the earlier patch to master and will push it shortly if there
are no objections:

From=206f9bbbafd4cc857c2b093f3cced6df2e45f56aab Mon Sep 17 00:00:00 2001 From: Marius Bakke Date: Wed, 9 Aug 2017 21:04:04 +0200 Subject: [PATCH] gnu: curl: Replace with 7.55.0 [security fixes]. Fixes CVE-2017-1000099, CVE-2017-1000100, and CVE-2017-100101. See for details. * gnu/packages/curl.scm (curl)[replacement]: New field. (curl-7.55.0): New variable. =2D-- gnu/packages/curl.scm | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm index a9f219b62..d6e32e438 100644 =2D-- a/gnu/packages/curl.scm +++ b/gnu/packages/curl.scm @@ -4,6 +4,7 @@ ;;; Copyright =C2=A9 2015 Tom=C3=A1=C5=A1 =C4=8Cech ;;; Copyright =C2=A9 2015 Ludovic Court=C3=A8s ;;; Copyright =C2=A9 2016, 2017 Leo Famulari +;;; Copyright =C2=A9 2017 Marius Bakke ;;; ;;; This file is part of GNU Guix. ;;; @@ -24,6 +25,7 @@ #:use-module ((guix licenses) #:prefix license:) #:use-module (guix packages) #:use-module (guix download) + #:use-module (guix utils) #:use-module (guix build-system gnu) #:use-module (gnu packages) #:use-module (gnu packages compression)
@@ -40,7 +42,7 @@ (define-public curl (package (name "curl") =2D (replacement curl-7.54.1) + (replacement curl-7.55.0) (version "7.53.0") (source (origin (method url-fetch) @@ -121,15 +123,27 @@ tunneling, and so on.") "See COPYING in the distribution.")) (home-page "https://curl.haxx.se/"))) =20 =2D(define curl-7.54.1 +(define-public curl-7.55.0 (package (inherit curl) =2D (version "7.54.1") + (version "7.55.0") (source (origin (method url-fetch) (uri (string-append "https://curl.haxx.se/download/curl-" =2D version ".tar.lzma")) + version ".tar.xz")) (sha256 (base32 =2D "0vnv3cz0s1l5cjby86hm0x6pgzqijmdm97qa9q5px200956z6yib")))))) + "1785vxi0jamiv9d1wr1l45g0fm9ircxdfyfzf7ld8zv0z0i8bmfd")))) + (arguments + `(,@(substitute-keyword-arguments (package-arguments curl) + ((#:phases phases) + `(modify-phases ,phases + (add-before 'install 'fix-Makefile + ;; Fix a regression in 7.55.0 where docs are not installe= d. + ;; https://github.com/curl/curl/commit/a7bbbb7c368c609680= 2007f61f19a02e9d75285b + (lambda _ + (substitute* "Makefile" + (("install-data-hook:\n") + "install-data-hook:\n\tcd docs/libcurl && $(MAKE) in= stall\n")) + #t))))))))) =2D-=20 2.14.0
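
Review bot: The third identifier in the commit message, CVE-2017-100101, has six digits after the year where the two listed before it (CVE-2017-1000099, CVE-2017-1000100) have seven, so it looks like a dropped 0 and should read CVE-2017-1000101. Please fix it before pushing: anyone searching the log for that CVE id to check whether the graft covers it will otherwise miss this commit.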
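
Review bot: The changelog entry "(curl)[replacement]: New field." does not match the hunk at @@ -40,7 +42,7 @@, where the field already exists and only its value changes from curl-7.54.1 to curl-7.55.0. On this branch the entry should say that the replacement is updated, and it should also record that curl-7.54.1 is removed, since the last hunk deletes that definition.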
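
Review bot: In the hunk at @@ -121,15 +123,27 @@ the replacement changes from a private "(define curl-7.54.1" to an exported "(define-public curl-7.55.0", and the commit message gives no reason for exporting it. If nothing outside curl.scm refers to the variable, keep it as a plain define as before, so the graft target does not show up as a second package named "curl" next to the 7.53.0 one. As a smaller style point in the same hunk, wrapping the result in a quasiquote only to splice it back with ,@ is redundant: substitute-keyword-arguments already returns the argument list and can be given to the arguments field directly.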