Subject: [bug#28027] curl security update [was Re: bug#28027: gnURL 7.55.0]
From: Marius Bakke
Date: Wed, 09 Aug 2017 22:22:42 +0200
Message-ID: <87inhw4hkd.fsf@fastmail.com>
In-Reply-To: <20170809200523.i5k5p23ebdcxvouc@abyayala>
References: <20170809160025.2w2theyhhrba4zsd@abyayala> <9e3ce4e5-de13-1fbb-5a6f-71d38fa218ce@tobias.gr> <20170809174842.GA24193@jasmine.lan> <20170809185007.GA1177@jasmine.lan> <20170809192008.GA31762@jasmine.lan> <20170809200523.i5k5p23ebdcxvouc@abyayala>
To: ng0, Leo Famulari
Cc: 28031-done@debbugs.gnu.org, 28027@debbugs.gnu.org

ng0 writes:

> Leo Famulari transcribed 3.7K bytes:
>> On Wed, Aug 09, 2017 at 02:50:07PM -0400, Leo Famulari wrote:
>> > On Wed, Aug 09, 2017 at 01:48:42PM -0400, Leo Famulari wrote:
>> > > On Wed, Aug 09, 2017 at 06:25:39PM +0200, Tobias Geerinckx-Rice wrote:
>> > > > ng0 wrote on 09/08/17 at 18:00:
>> > > > > From 13129d51ac4dd5ac7f5e7b74997297139a40be12 Mon Sep 17 00:00:00 2001
>> > > > > From: ng0 >> > > > > Date: Wed, 9 Aug 2017 15:58:43 +0000 >> > > > > Subject: [PATCH] gnu: gnurl: Update to 7.55.0. >> > > > >=20 >> > > > > * gnu/packages/gnunet.scm (gnurl): Update to 7.55.0. >> > > >=20 >> > > > Thanks! Pushed as 28e12d6c81cef2aca7f792f3c99037a649faa9b0. >> > >=20 >> > > Great! Can somebody also update the curl replacement? >> >=20 >> > Actually, I'll do it :) >>=20 >> With the attached patch, it fails to build, because the man 3 pages >> aren't built and thus can't be copied into the doc output. I'm not sure >> what's going on :/ > > As written on IRC: Take a look at the 2 commits after tagged 7.55.0, > if you apply both you will have a successful build. I did this manually > (by hand, not taking the commits) for gnURL release. Here is a patch that fixes the doc installation: --=-=-= Content-Type: text/x-patch; charset=utf-8 Content-Disposition: attachment; filename=0001-gnu-curl-Replace-with-7.55.0-security-fixes.patch Content-Transfer-Encoding: quoted-printable From=20f93502a48b368c74ba4ed1ff573f07f59b8c91f1 Mon Sep 17 00:00:00 2001 From: Marius Bakke Date: Wed, 9 Aug 2017 21:04:04 +0200 Subject: [PATCH] gnu: curl: Replace with 7.55.0 [security fixes]. Fixes CVE-2017-1000099, CVE-2017-1000100, and CVE-2017-100101. See for details. * gnu/packages/curl.scm (curl)[replacement]: New field. (curl-7.55.0): New variable. =2D-- gnu/packages/curl.scm | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm index af15aa38c..0c551e108 100644 =2D-- a/gnu/packages/curl.scm +++ b/gnu/packages/curl.scm @@ -4,6 +4,7 @@ ;;; Copyright =C2=A9 2015 Tom=C3=A1=C5=A1 =C4=8Cech ;;; Copyright =C2=A9 2015 Ludovic Court=C3=A8s ;;; Copyright =C2=A9 2016, 2017 Leo Famulari +;;; Copyright =C2=A9 2017 Marius Bakke ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -24,6 +25,7 @@ #:use-module ((guix licenses) #:prefix license:) #:use-module (guix packages) #:use-module (guix download) + #:use-module (guix utils) #:use-module (guix build-system gnu) #:use-module (gnu packages) #:use-module (gnu packages compression) @@ -40,6 +42,7 @@ (define-public curl (package (name "curl") + (replacement curl-7.55.0) (version "7.54.1") (source (origin (method url-fetch) @@ -119,3 +122,27 @@ tunneling, and so on.") (license (license:non-copyleft "file://COPYING" "See COPYING in the distribution.")) (home-page "https://curl.haxx.se/"))) + +(define-public curl-7.55.0 + (package + (inherit curl) + (version "7.55.0") + (source (origin + (method url-fetch) + (uri (string-append "https://curl.haxx.se/download/curl-" + version ".tar.xz")) + (sha256 + (base32 + "1785vxi0jamiv9d1wr1l45g0fm9ircxdfyfzf7ld8zv0z0i8bmfd")))) + (arguments + `(,@(substitute-keyword-arguments (package-arguments curl) + ((#:phases phases) + `(modify-phases ,phases + (add-before 'install 'fix-Makefile + ;; Fix a regression in 7.55 where docs are not installed. + ;; https://github.com/curl/curl/commit/a7bbbb7c368c609680= 2007f61f19a02e9d75285b + (lambda _ + (substitute* "Makefile" + (("install-data-hook:\n") + "install-data-hook:\n\tcd docs/libcurl && $(MAKE) in= stall\n")) + #t))))))))) =2D-=20 2.14.0 --=-=-=-- --==-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAlmLbxIACgkQoqBt8qM6 VPoKMQf/cg9vgZks+cIKWlNG6VnwJAibcfcp22YOk61WT+E5570YRUoIY/9HDXES x0LWdI+ibPVYlnLuOZ9sL3cT9w5t18IkPL/mgvBn1KUjyi87VBZZyeCnkKilFAk3 BL7/MnzcnplY5qC9yBgqbYcoI9CCUj4v12Xy20L7jAHsA8A6OeQeud9cpZ+/J9sJ vEIJ8cWWXtBaaHjqgtwsZUwa7vov5ndjhTYhMQ2+4Xnt3qWg6CTeWwb8QXFMf6a2 2z4gpjCSSpaQkOXzNYQHnjVKdC2GRgNhXXho46aE0SRGjwttCys1RlkyLP7mQwlm 8IjRvSzTDSWiWAsPhrSYVkTQZc+dZw== =5Y/L -----END PGP SIGNATURE----- --==-=-=--
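Review bot: the third identifier in the commit message, CVE-2017-100101, has one digit fewer than CVE-2017-1000099 and CVE-2017-1000100 listed beside it, so it looks mistyped; please check it against the curl advisory and correct it before pushing, because the commit message is what anyone auditing which curl CVEs Guix has closed will grep for. The sentence "See for details." also shows no reference after "See" as it appears here, so make sure the advisory link survives in the final commit.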
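Review bot: in the last hunk, the 'fix-Makefile phase rewrites the generated top-level Makefile, and substitute* does not signal an error when its pattern is absent, so if the "install-data-hook:" target ever changes the phase would silently do nothing and the doc output would again be built without the libcurl man 3 pages (the failure described earlier in the thread). For a one-off replacement pinned to 7.55.0 that is acceptable, but a comment saying the phase should be dropped once curl moves to a release containing the upstream commit cited in the code comment would keep the workaround from outliving the regression. The placement is right: running before 'install means configure has already produced Makefile, the added recipe line is tab-indented as make requires, and (inherit curl) keeps the outputs identical to 7.54.1, which the graft set up by the (replacement curl-7.55.0) field needs.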