* [bug#73361] [PATCH] gnu: curl: Update to 8.10.1 [security fixes]. @ 2024-09-19 15:17 Ashish SHUKLA via Guix-patches via 2024-09-27 18:52 ` John Kehayias via Guix-patches via 0 siblings, 1 reply; 4+ messages in thread From: Ashish SHUKLA via Guix-patches via @ 2024-09-19 15:17 UTC (permalink / raw) To: 73361; +Cc: Ashish SHUKLA * gnu/packages/curl.scm (curl): Update to 8.10.1. * gnu/packages/patches/curl-use-ssl-cert-env.patch: Update for 8.10.1. Change-Id: I2a1566a3b7ca0a097c77f158bd370945cf16baf8 --- gnu/packages/curl.scm | 5 ++- .../patches/curl-use-ssl-cert-env.patch | 41 +++++++++---------- 2 files changed, 23 insertions(+), 23 deletions(-) diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm index 9f74018205..7ab886f195 100644 --- a/gnu/packages/curl.scm +++ b/gnu/packages/curl.scm @@ -16,6 +16,7 @@ ;;; Copyright © 2021 Felix Gruber <felgru@posteo.net> ;;; Copyright © 2023 Sharlatan Hellseher <sharlatanus@gmail.com> ;;; Copyright © 2023 John Kehayias <john.kehayias@protonmail.com> +;;; Copyright © 2024 Ashish SHUKLA <ashish.is@lostca.se> ;;; ;;; This file is part of GNU Guix. ;;; @@ -66,14 +67,14 @@ (define-module (gnu packages curl) (define-public curl (package (name "curl") - (version "8.6.0") + (version "8.10.1") (source (origin (method url-fetch) (uri (string-append "https://curl.se/download/curl-" version ".tar.xz")) (sha256 (base32 - "05fv468yjrb7qwrxmfprxkrcckbkij0myql0vwwnalgr3bcmbk9w")) + "1vh4rvmln4ygp4mc18hq1pd5za4mp7jbfksajajrz84njplv193k")) (patches (search-patches "curl-use-ssl-cert-env.patch")))) (outputs '("out" "doc")) ;1.2 MiB of man3 pages diff --git a/gnu/packages/patches/curl-use-ssl-cert-env.patch b/gnu/packages/patches/curl-use-ssl-cert-env.patch index c39c1f7e98..2a57f0f8be 100644 --- a/gnu/packages/patches/curl-use-ssl-cert-env.patch +++ b/gnu/packages/patches/curl-use-ssl-cert-env.patch 
@@ -37,28 +37,27 @@ for other future workarounds. #ifdef _WIN32 Curl_win32_cleanup(easy_init_flags); #endif -diff -ur curl-7.66.0.orig/lib/url.c curl-7.66.0/lib/url.c ---- curl-7.66.0.orig/lib/url.c 2020-01-02 15:43:11.883921171 +0100 -+++ curl-7.66.0/lib/url.c 2020-01-02 16:21:11.563880346 +0100 -@@ -524,6 +524,21 @@ - if(result) - return result; +--- curl-8.10.0/lib/url.c.orig 2024-09-17 16:57:50.407214691 +0000 ++++ curl-8.10.0/lib/url.c 2024-09-17 16:59:47.507214691 +0000 +@@ -455,6 +455,21 @@ + #endif #endif -+ extern char * Curl_ssl_cert_dir; -+ extern char * Curl_ssl_cert_file; -+ if(Curl_ssl_cert_dir) { -+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], Curl_ssl_cert_dir)) -+ return result; -+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_PROXY], Curl_ssl_cert_dir)) -+ return result; -+ } -+ -+ if(Curl_ssl_cert_file) { -+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], Curl_ssl_cert_file)) -+ return result; -+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_PROXY], Curl_ssl_cert_file)) -+ return result; -+ } } ++ extern char * Curl_ssl_cert_dir; ++ extern char * Curl_ssl_cert_file; ++ if(Curl_ssl_cert_dir) { ++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], Curl_ssl_cert_dir)) ++ return result; ++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_PROXY], Curl_ssl_cert_dir)) ++ return result; ++ } ++ ++ if(Curl_ssl_cert_file) { ++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], Curl_ssl_cert_file)) ++ return result; ++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_PROXY], Curl_ssl_cert_file)) ++ return result; ++ } + #ifndef CURL_DISABLE_FTP set->wildcard_enabled = FALSE; base-commit: e85f52e826b0701c3dcf9acf9d81e5ae57aec8f9 -- 2.46.1 ^ permalink raw reply related [flat|nested] 4+ messages in thread
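Review bot: the subject advertises "[security fixes]" but nothing in the commit message or in the curl.scm hunk (`- (version "8.6.0")` / `+ (version "8.10.1")`) says which advisories are fixed; a Guix security update names them in a `Fixes CVE-...` line so the change can be audited later (the rest of the thread narrows it to CVE-2024-8096). Since curl sits under most of the distribution, this version bump on master would trigger a near-complete rebuild; the usual route is a `(replacement ...)` graft carrying only the upstream fix on master, with the full 8.10.1 update queued for a rebuild branch.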
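Review bot: the rebased hunk of curl-use-ssl-cert-env.patch keeps `if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], Curl_ssl_cert_dir))` and its three siblings, an assignment used directly as the condition; GCC and Clang warn about this under -Wparentheses and it reads like a mistyped comparison. Since the lines are being rewritten anyway, follow the pattern of the context the old hunk sat next to (`result = ...;` followed by `if(result) return result;`). Two smaller points: the new `---`/`+++` header names `curl-8.10.0/lib/url.c` while the package now builds 8.10.1, and the `extern char * Curl_ssl_cert_dir;` declarations are placed inside the function body instead of at file scope.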
* [bug#73361] [PATCH] gnu: curl: Update to 8.10.1 [security fixes]. 2024-09-19 15:17 [bug#73361] [PATCH] gnu: curl: Update to 8.10.1 [security fixes] Ashish SHUKLA via Guix-patches via @ 2024-09-27 18:52 ` John Kehayias via Guix-patches via 2024-09-28 1:24 ` Ashish SHUKLA via Guix-patches via 0 siblings, 1 reply; 4+ messages in thread From: John Kehayias via Guix-patches via @ 2024-09-27 18:52 UTC (permalink / raw) To: Ashish SHUKLA; +Cc: 73361 Hello, On Thu, Sep 19, 2024 at 03:17 PM, Ashish SHUKLA wrote: > * gnu/packages/curl.scm (curl): Update to 8.10.1. > As curl causes a rebuild of just about everything, this will need to be done as a graft on master. (And ungrafted with a world rebuild on a branch.) Would you like to take a stab at that? Also, please note what the security fixes are (CVE numbers). Thanks for the patch so far! John > * gnu/packages/patches/curl-use-ssl-cert-env.patch: Update for 8.10.1. > > Change-Id: I2a1566a3b7ca0a097c77f158bd370945cf16baf8 > --- > gnu/packages/curl.scm | 5 ++- > .../patches/curl-use-ssl-cert-env.patch | 41 +++++++++---------- > 2 files changed, 23 insertions(+), 23 deletions(-) > > diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm > index 9f74018205..7ab886f195 100644 > --- a/gnu/packages/curl.scm > +++ b/gnu/packages/curl.scm > @@ -16,6 +16,7 @@ > ;;; Copyright © 2021 Felix Gruber <felgru@posteo.net> > ;;; Copyright © 2023 Sharlatan Hellseher <sharlatanus@gmail.com> > ;;; Copyright © 2023 John Kehayias <john.kehayias@protonmail.com> > +;;; Copyright © 2024 Ashish SHUKLA <ashish.is@lostca.se> > ;;; > ;;; This file is part of GNU Guix. > ;;; 
> @@ -66,14 +67,14 @@ (define-module (gnu packages curl) > (define-public curl > (package > (name "curl") > - (version "8.6.0") > + (version "8.10.1") > (source (origin > (method url-fetch) > (uri (string-append "https://curl.se/download/curl-" > version ".tar.xz")) > (sha256 > (base32 > - "05fv468yjrb7qwrxmfprxkrcckbkij0myql0vwwnalgr3bcmbk9w")) > + "1vh4rvmln4ygp4mc18hq1pd5za4mp7jbfksajajrz84njplv193k")) > (patches (search-patches "curl-use-ssl-cert-env.patch")))) > (outputs '("out" > "doc")) ;1.2 MiB of man3 pages > diff --git a/gnu/packages/patches/curl-use-ssl-cert-env.patch b/gnu/packages/patches/curl-use-ssl-cert-env.patch > index c39c1f7e98..2a57f0f8be 100644 > --- a/gnu/packages/patches/curl-use-ssl-cert-env.patch > +++ b/gnu/packages/patches/curl-use-ssl-cert-env.patch 
> @@ -37,28 +37,27 @@ for other future workarounds. > #ifdef _WIN32 > Curl_win32_cleanup(easy_init_flags); > #endif > -diff -ur curl-7.66.0.orig/lib/url.c curl-7.66.0/lib/url.c > ---- curl-7.66.0.orig/lib/url.c 2020-01-02 15:43:11.883921171 +0100 > -+++ curl-7.66.0/lib/url.c 2020-01-02 16:21:11.563880346 +0100 > -@@ -524,6 +524,21 @@ > - if(result) > - return result; > +--- curl-8.10.0/lib/url.c.orig 2024-09-17 16:57:50.407214691 +0000 > ++++ curl-8.10.0/lib/url.c 2024-09-17 16:59:47.507214691 +0000 > +@@ -455,6 +455,21 @@ > + #endif > #endif > -+ extern char * Curl_ssl_cert_dir; > -+ extern char * Curl_ssl_cert_file; > -+ if(Curl_ssl_cert_dir) { > -+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], Curl_ssl_cert_dir)) > -+ return result; > -+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_PROXY], Curl_ssl_cert_dir)) > -+ return result; > -+ } > -+ > -+ if(Curl_ssl_cert_file) { > -+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], Curl_ssl_cert_file)) > -+ return result; > -+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_PROXY], Curl_ssl_cert_file)) > -+ return result; > -+ } > } > ++ extern char * Curl_ssl_cert_dir; > ++ extern char * Curl_ssl_cert_file; > ++ if(Curl_ssl_cert_dir) { > ++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], Curl_ssl_cert_dir)) > ++ return result; > ++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_PROXY], Curl_ssl_cert_dir)) > ++ return result; > ++ } > ++ > ++ if(Curl_ssl_cert_file) { > ++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], Curl_ssl_cert_file)) > ++ return result; > ++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_PROXY], Curl_ssl_cert_file)) > ++ return result; > ++ } > > + #ifndef CURL_DISABLE_FTP > set->wildcard_enabled = FALSE; > > base-commit: e85f52e826b0701c3dcf9acf9d81e5ae57aec8f9 ^ permalink raw reply [flat|nested] 4+ messages in thread
* [bug#73361] [PATCH] gnu: curl: Update to 8.10.1 [security fixes]. 2024-09-27 18:52 ` John Kehayias via Guix-patches via @ 2024-09-28 1:24 ` Ashish SHUKLA via Guix-patches via 2024-11-12 12:07 ` bug#73361: [PATCH v2] gnu: curl: Fix security vulnerability Maxim Cournoyer 0 siblings, 1 reply; 4+ messages in thread From: Ashish SHUKLA via Guix-patches via @ 2024-09-28 1:24 UTC (permalink / raw) To: John Kehayias; +Cc: 73361 [-- Attachment #1.1.1: Type: text/plain, Size: 972 bytes --] On Fri Sep 27, 2024 at 8:52 PM CEST, John Kehayias wrote: > Hello, > > On Thu, Sep 19, 2024 at 03:17 PM, Ashish SHUKLA wrote: > > > * gnu/packages/curl.scm (curl): Update to 8.10.1. > > > > As curl causes a rebuild of just about everything, this will need to > be done as a graft on master. (And ungrafted with a world rebuild on a > branch.) Would you like to take a stab at that? Prepared a new revision (attached) to add a new package 'curl/fixed' with just the fix from upstream applied[0][1]. As for the actual update to 8.10.1, I can send a patch (either in this thread, or in a separate issue report). Please let me know if something is amiss with my patch. References: [0] https://curl.se/docs/CVE-2024-8096.html [1] https://github.com/curl/curl/commit/aeb1a281cab13c7ba Thanks! -- Ashish SHUKLA | GPG: F682 CDCC 39DC 0FEA E116 20B6 C746 CFA9 E74F A4B0 "If I destroy you, what business is it of yours ?" (Dark Forest, Liu Cixin) [-- Attachment #1.2: v2-0001-gnu-curl-Fix-security-vulnerability.patch --] [-- Type: text/plain, Size: 9799 bytes --] From 82e4c9fdf2e4bc78dfad87ee956fd78051bbc763 Mon Sep 17 00:00:00 2001 Message-ID: <82e4c9fdf2e4bc78dfad87ee956fd78051bbc763.1727486274.git.ashish.is@lostca.se> 
From: Ashish SHUKLA <ashish.is@lostca.se> Date: Sat, 28 Sep 2024 01:40:45 +0200 Subject: [PATCH v2] gnu: curl: Fix security vulnerability. Fixes CVE-2024-8096. * gnu/packages/curl.scm (curl)[replacement]: New field. (curl/fixed): New variable. * gnu/packages/patches/curl-CVE-2024-8096.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it. Change-Id: I42facad095d97dc94302e9db60626b9fa00f3738 --- gnu/local.mk | 1 + gnu/packages/curl.scm | 11 + gnu/packages/patches/curl-CVE-2024-8096.patch | 200 ++++++++++++++++++ 3 files changed, 212 insertions(+) create mode 100644 gnu/packages/patches/curl-CVE-2024-8096.patch diff --git a/gnu/local.mk b/gnu/local.mk index 9fdad12b63..a2215ad4c2 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1114,6 +1114,7 @@ dist_patch_DATA = \ %D%/packages/patches/crda-optional-gcrypt.patch \ %D%/packages/patches/clucene-contribs-lib.patch \ %D%/packages/patches/cube-nocheck.patch \ + %D%/packages/patches/curl-CVE-2024-8096.patch \ %D%/packages/patches/curl-use-ssl-cert-env.patch \ %D%/packages/patches/curlftpfs-fix-error-closing-file.patch \ %D%/packages/patches/curlftpfs-fix-file-names.patch \ diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm index 9f74018205..bbb266e236 100644 --- a/gnu/packages/curl.scm +++ b/gnu/packages/curl.scm @@ -16,6 +16,7 @@ ;;; Copyright © 2021 Felix Gruber <felgru@posteo.net> ;;; Copyright © 2023 Sharlatan Hellseher <sharlatanus@gmail.com> ;;; Copyright © 2023 John Kehayias <john.kehayias@protonmail.com> +;;; Copyright © 2024 Ashish SHUKLA <ashish.is@lostca.se> ;;; ;;; This file is part of GNU Guix. ;;; @@ -67,6 +68,7 @@ (define-public curl (package (name "curl") (version "8.6.0") + (replacement curl/fixed) (source (origin (method url-fetch) (uri (string-append "https://curl.se/download/curl-" 
@@ -176,6 +178,15 @@ (define-public curl "See COPYING in the distribution.")) (home-page "https://curl.haxx.se/"))) +(define-public curl/fixed + (hidden-package + (package + (inherit curl) + (replacement curl/fixed) + (source (origin + (inherit (package-source curl)) + (patches (search-patches "curl-CVE-2024-8096.patch"))))))) + (define-public gnurl (deprecated-package "gnurl" curl)) (define-public curl-ssh diff --git a/gnu/packages/patches/curl-CVE-2024-8096.patch b/gnu/packages/patches/curl-CVE-2024-8096.patch new file mode 100644 index 0000000000..0f780f08c3 --- /dev/null +++ b/gnu/packages/patches/curl-CVE-2024-8096.patch 
@@ -0,0 +1,200 @@ +From aeb1a281cab13c7ba791cb104e556b20e713941f Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Tue, 20 Aug 2024 16:14:39 +0200 +Subject: [PATCH] gtls: fix OCSP stapling management + +Reported-by: Hiroki Kurosawa +Closes #14642 +--- + lib/vtls/gtls.c | 146 ++++++++++++++++++++++++------------------------ + 1 file changed, 73 insertions(+), 73 deletions(-) + +diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c +index 03d6fcc038aac3..c7589d9d39bc81 100644 +--- a/lib/vtls/gtls.c ++++ b/lib/vtls/gtls.c +@@ -850,6 +850,13 @@ static CURLcode gtls_client_init(struct Curl_cfilter *cf, + init_flags |= GNUTLS_NO_TICKETS; + #endif + ++#if defined(GNUTLS_NO_STATUS_REQUEST) ++ if(!config->verifystatus) ++ /* Disable the "status_request" TLS extension, enabled by default since ++ GnuTLS 3.8.0. */ ++ init_flags |= GNUTLS_NO_STATUS_REQUEST; ++#endif ++ + rc = gnutls_init(>ls->session, init_flags); + if(rc != GNUTLS_E_SUCCESS) { + failf(data, "gnutls_init() failed: %d", rc); +@@ -1321,104 +1328,97 @@ Curl_gtls_verifyserver(struct Curl_easy *data, + infof(data, " server certificate verification SKIPPED"); + + if(config->verifystatus) { +- if(gnutls_ocsp_status_request_is_checked(session, 0) == 0) { +- gnutls_datum_t status_request; +- gnutls_ocsp_resp_t ocsp_resp; ++ gnutls_datum_t status_request; ++ gnutls_ocsp_resp_t ocsp_resp; ++ gnutls_ocsp_cert_status_t status; ++ gnutls_x509_crl_reason_t reason; + +- gnutls_ocsp_cert_status_t status; +- gnutls_x509_crl_reason_t reason; ++ rc = gnutls_ocsp_status_request_get(session, &status_request); + +- rc = gnutls_ocsp_status_request_get(session, &status_request); ++ if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { ++ failf(data, "No OCSP response received"); ++ return CURLE_SSL_INVALIDCERTSTATUS; ++ } + +- infof(data, " server certificate status verification FAILED"); ++ if(rc < 0) { ++ failf(data, "Invalid OCSP response received"); ++ return CURLE_SSL_INVALIDCERTSTATUS; ++ } + +- if(rc == 
GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { +- failf(data, "No OCSP response received"); +- return CURLE_SSL_INVALIDCERTSTATUS; +- } ++ gnutls_ocsp_resp_init(&ocsp_resp); + +- if(rc < 0) { +- failf(data, "Invalid OCSP response received"); +- return CURLE_SSL_INVALIDCERTSTATUS; +- } ++ rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request); ++ if(rc < 0) { ++ failf(data, "Invalid OCSP response received"); ++ return CURLE_SSL_INVALIDCERTSTATUS; ++ } + +- gnutls_ocsp_resp_init(&ocsp_resp); ++ (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL, ++ &status, NULL, NULL, NULL, &reason); + +- rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request); +- if(rc < 0) { +- failf(data, "Invalid OCSP response received"); +- return CURLE_SSL_INVALIDCERTSTATUS; +- } ++ switch(status) { ++ case GNUTLS_OCSP_CERT_GOOD: ++ break; + +- (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL, +- &status, NULL, NULL, NULL, &reason); ++ case GNUTLS_OCSP_CERT_REVOKED: { ++ const char *crl_reason; + +- switch(status) { +- case GNUTLS_OCSP_CERT_GOOD: ++ switch(reason) { ++ default: ++ case GNUTLS_X509_CRLREASON_UNSPECIFIED: ++ crl_reason = "unspecified reason"; + break; + +- case GNUTLS_OCSP_CERT_REVOKED: { +- const char *crl_reason; +- +- switch(reason) { +- default: +- case GNUTLS_X509_CRLREASON_UNSPECIFIED: +- crl_reason = "unspecified reason"; +- break; +- +- case GNUTLS_X509_CRLREASON_KEYCOMPROMISE: +- crl_reason = "private key compromised"; +- break; +- +- case GNUTLS_X509_CRLREASON_CACOMPROMISE: +- crl_reason = "CA compromised"; +- break; +- +- case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED: +- crl_reason = "affiliation has changed"; +- break; ++ case GNUTLS_X509_CRLREASON_KEYCOMPROMISE: ++ crl_reason = "private key compromised"; ++ break; + +- case GNUTLS_X509_CRLREASON_SUPERSEDED: +- crl_reason = "certificate superseded"; +- break; ++ case GNUTLS_X509_CRLREASON_CACOMPROMISE: ++ crl_reason = "CA compromised"; ++ break; + +- case 
GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION: +- crl_reason = "operation has ceased"; +- break; ++ case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED: ++ crl_reason = "affiliation has changed"; ++ break; + +- case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD: +- crl_reason = "certificate is on hold"; +- break; ++ case GNUTLS_X509_CRLREASON_SUPERSEDED: ++ crl_reason = "certificate superseded"; ++ break; + +- case GNUTLS_X509_CRLREASON_REMOVEFROMCRL: +- crl_reason = "will be removed from delta CRL"; +- break; ++ case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION: ++ crl_reason = "operation has ceased"; ++ break; + +- case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN: +- crl_reason = "privilege withdrawn"; +- break; ++ case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD: ++ crl_reason = "certificate is on hold"; ++ break; + +- case GNUTLS_X509_CRLREASON_AACOMPROMISE: +- crl_reason = "AA compromised"; +- break; +- } ++ case GNUTLS_X509_CRLREASON_REMOVEFROMCRL: ++ crl_reason = "will be removed from delta CRL"; ++ break; + +- failf(data, "Server certificate was revoked: %s", crl_reason); ++ case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN: ++ crl_reason = "privilege withdrawn"; + break; +- } + +- default: +- case GNUTLS_OCSP_CERT_UNKNOWN: +- failf(data, "Server certificate status is unknown"); ++ case GNUTLS_X509_CRLREASON_AACOMPROMISE: ++ crl_reason = "AA compromised"; + break; + } + +- gnutls_ocsp_resp_deinit(ocsp_resp); ++ failf(data, "Server certificate was revoked: %s", crl_reason); ++ break; ++ } + +- return CURLE_SSL_INVALIDCERTSTATUS; ++ default: ++ case GNUTLS_OCSP_CERT_UNKNOWN: ++ failf(data, "Server certificate status is unknown"); ++ break; + } +- else +- infof(data, " server certificate status verification OK"); ++ ++ gnutls_ocsp_resp_deinit(ocsp_resp); ++ if(status != GNUTLS_OCSP_CERT_GOOD) ++ return CURLE_SSL_INVALIDCERTSTATUS; + } + else + infof(data, " server certificate status verification SKIPPED"); base-commit: 5e888ec915cfdd256e726959cdc23293bc36277e -- 2.46.1 [-- Attachment #2: 
signature.asc --] [-- Type: application/pgp-signature, Size: 992 bytes --] ^ permalink raw reply related [flat|nested] 4+ messages in thread
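Review bot: the `curl/fixed` hunk replaces the inherited patch list instead of extending it. Inside `(origin (inherit (package-source curl)) ...)`, the field `(patches (search-patches "curl-CVE-2024-8096.patch"))` overrides `patches` wholesale, so the replacement is built without `curl-use-ssl-cert-env.patch` and the grafted curl silently loses the `Curl_ssl_cert_dir`/`Curl_ssl_cert_file` handling the original has (this is the omission repaired after the merge in commit b10ce47d8b). A graft must differ from the original only by the fix, so write `(patches (append (origin-patches (package-source curl)) (search-patches "curl-CVE-2024-8096.patch")))`. The `(replacement curl/fixed)` inside `curl/fixed` itself also looks superfluous: the graft is declared on `curl`, and the replacement package is normally defined without a replacement of its own.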
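Review bot: in the first `lib/vtls/gtls.c` hunk of curl-CVE-2024-8096.patch the context line `rc = gnutls_init(>ls->session, init_flags);` is not valid C; upstream this reads `&gtls->session`, and the `&gt` has been eaten by HTML entity decoding in this rendering. Check that the file committed under gnu/packages/patches carries the literal `&gtls->session`, otherwise the hunk's context will not match and the build will fail at the patch step. The added block is correctly wrapped in `#if defined(GNUTLS_NO_STATUS_REQUEST)`, so with a GnuTLS that lacks the flag it compiles to nothing and only the second hunk changes behaviour.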
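Review bot: the second gtls.c hunk leaves one leak in place: after `gnutls_ocsp_resp_init(&ocsp_resp);` the `gnutls_ocsp_resp_import` failure branch does `return CURLE_SSL_INVALIDCERTSTATUS;` without reaching `gnutls_ocsp_resp_deinit(ocsp_resp);`. It is inherited from the removed code and does not belong in a vendored CVE patch, but it is worth reporting upstream. The behavioural change itself is right: in the removed code the manual path, entered only when `gnutls_ocsp_status_request_is_checked(session, 0) == 0`, logged "verification FAILED" up front and ended in an unconditional `return CURLE_SSL_INVALIDCERTSTATUS;` even for `GNUTLS_OCSP_CERT_GOOD`, so acceptance rested entirely on GnuTLS's own answer and never on the stapled status; the new code drops that shortcut, fails on a missing or unparsable response, and returns the error only when `status != GNUTLS_OCSP_CERT_GOOD`, after the single deinit.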
* bug#73361: [PATCH v2] gnu: curl: Fix security vulnerability. 2024-09-28 1:24 ` Ashish SHUKLA via Guix-patches via @ 2024-11-12 12:07 ` Maxim Cournoyer 0 siblings, 0 replies; 4+ messages in thread From: Maxim Cournoyer @ 2024-11-12 12:07 UTC (permalink / raw) To: Ashish SHUKLA; +Cc: John Kehayias, 73361-done Hi, "Ashish SHUKLA" <ashish.is@lostca.se> writes: > On Fri Sep 27, 2024 at 8:52 PM CEST, John Kehayias wrote: >> Hello, >> >> On Thu, Sep 19, 2024 at 03:17 PM, Ashish SHUKLA wrote: >> >> > * gnu/packages/curl.scm (curl): Update to 8.10.1. >> > >> >> As curl causes a rebuild of just about everything, this will need to >> be done as a graft on master. (And ungrafted with a world rebuild on a >> branch.) Would you like to take a stab at that? > > Prepared a new revision (attached) to add a new package 'curl/fixed' > with just the fix from upstream applied[0][1]. > > As for the actual update to 8.10.1, I can send a patch (either in this > thread, or in a separate issue report). > > Please let me know if something is amiss with my patch. > > References: > [0] https://curl.se/docs/CVE-2024-8096.html > [1] https://github.com/curl/curl/commit/aeb1a281cab13c7ba > > Thanks! > -- > Ashish SHUKLA | GPG: F682 CDCC 39DC 0FEA E116 20B6 C746 CFA9 E74F A4B0 > > "If I destroy you, what business is it of yours ?" (Dark Forest, Liu Cixin) > > From 82e4c9fdf2e4bc78dfad87ee956fd78051bbc763 Mon Sep 17 00:00:00 2001 > Message-ID: <82e4c9fdf2e4bc78dfad87ee956fd78051bbc763.1727486274.git.ashish.is@lostca.se> 
> From: Ashish SHUKLA <ashish.is@lostca.se> > Date: Sat, 28 Sep 2024 01:40:45 +0200 > Subject: [PATCH v2] gnu: curl: Fix security vulnerability. > > Fixes CVE-2024-8096. > > * gnu/packages/curl.scm (curl)[replacement]: New field. > (curl/fixed): New variable. > * gnu/packages/patches/curl-CVE-2024-8096.patch: New file. > * gnu/local.mk (dist_patch_DATA): Register it. > > Change-Id: I42facad095d97dc94302e9db60626b9fa00f3738 > --- > gnu/local.mk | 1 + > gnu/packages/curl.scm | 11 + > gnu/packages/patches/curl-CVE-2024-8096.patch | 200 ++++++++++++++++++ > 3 files changed, 212 insertions(+) > create mode 100644 gnu/packages/patches/curl-CVE-2024-8096.patch > > diff --git a/gnu/local.mk b/gnu/local.mk > index 9fdad12b63..a2215ad4c2 100644 > --- a/gnu/local.mk > +++ b/gnu/local.mk > @@ -1114,6 +1114,7 @@ dist_patch_DATA = \ > %D%/packages/patches/crda-optional-gcrypt.patch \ > %D%/packages/patches/clucene-contribs-lib.patch \ > %D%/packages/patches/cube-nocheck.patch \ > + %D%/packages/patches/curl-CVE-2024-8096.patch \ > %D%/packages/patches/curl-use-ssl-cert-env.patch \ > %D%/packages/patches/curlftpfs-fix-error-closing-file.patch \ > %D%/packages/patches/curlftpfs-fix-file-names.patch \ > diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm > index 9f74018205..bbb266e236 100644 > --- a/gnu/packages/curl.scm > +++ b/gnu/packages/curl.scm > @@ -16,6 +16,7 @@ > ;;; Copyright © 2021 Felix Gruber <felgru@posteo.net> > ;;; Copyright © 2023 Sharlatan Hellseher <sharlatanus@gmail.com> > ;;; Copyright © 2023 John Kehayias <john.kehayias@protonmail.com> > +;;; Copyright © 2024 Ashish SHUKLA <ashish.is@lostca.se> > ;;; > ;;; This file is part of GNU Guix. > ;;; > @@ -67,6 +68,7 @@ (define-public curl > (package > (name "curl") > (version "8.6.0") > + (replacement curl/fixed) > (source (origin > (method url-fetch) > (uri (string-append "https://curl.se/download/curl-" 
> @@ -176,6 +178,15 @@ (define-public curl > "See COPYING in the distribution.")) > (home-page "https://curl.haxx.se/"))) > > +(define-public curl/fixed > + (hidden-package > + (package > + (inherit curl) > + (replacement curl/fixed) > + (source (origin > + (inherit (package-source curl)) > + (patches (search-patches "curl-CVE-2024-8096.patch"))))))) > + I've applied it already, but noticed after that this doesn't add the curl patch 'curl-use-ssl-cert-env.patch', which I've now fixed in commit b10ce47d8b. Closing! -- Thanks, Maxim ^ permalink raw reply [flat|nested] 4+ messages in thread