* [bug#73361] [PATCH] gnu: curl: Update to 8.10.1 [security fixes].
@ 2024-09-19 15:17 Ashish SHUKLA via Guix-patches via
2024-09-27 18:52 ` John Kehayias via Guix-patches via
0 siblings, 1 reply; 4+ messages in thread
From: Ashish SHUKLA via Guix-patches via @ 2024-09-19 15:17 UTC (permalink / raw)
To: 73361; +Cc: Ashish SHUKLA
* gnu/packages/curl.scm (curl): Update to 8.10.1.
* gnu/packages/patches/curl-use-ssl-cert-env.patch: Update for 8.10.1.
Change-Id: I2a1566a3b7ca0a097c77f158bd370945cf16baf8
---
gnu/packages/curl.scm | 5 ++-
.../patches/curl-use-ssl-cert-env.patch | 41 +++++++++----------
2 files changed, 23 insertions(+), 23 deletions(-)
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 9f74018205..7ab886f195 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -16,6 +16,7 @@
;;; Copyright © 2021 Felix Gruber <felgru@posteo.net>
;;; Copyright © 2023 Sharlatan Hellseher <sharlatanus@gmail.com>
;;; Copyright © 2023 John Kehayias <john.kehayias@protonmail.com>
+;;; Copyright © 2024 Ashish SHUKLA <ashish.is@lostca.se>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -66,14 +67,14 @@ (define-module (gnu packages curl)
(define-public curl
(package
(name "curl")
- (version "8.6.0")
+ (version "8.10.1")
(source (origin
(method url-fetch)
(uri (string-append "https://curl.se/download/curl-"
version ".tar.xz"))
(sha256
(base32
- "05fv468yjrb7qwrxmfprxkrcckbkij0myql0vwwnalgr3bcmbk9w"))
+ "1vh4rvmln4ygp4mc18hq1pd5za4mp7jbfksajajrz84njplv193k"))
(patches (search-patches "curl-use-ssl-cert-env.patch"))))
(outputs '("out"
"doc")) ;1.2 MiB of man3 pages
diff --git a/gnu/packages/patches/curl-use-ssl-cert-env.patch b/gnu/packages/patches/curl-use-ssl-cert-env.patch
index c39c1f7e98..2a57f0f8be 100644
--- a/gnu/packages/patches/curl-use-ssl-cert-env.patch
+++ b/gnu/packages/patches/curl-use-ssl-cert-env.patch
@@ -37,28 +37,27 @@ for other future workarounds.
#ifdef _WIN32
Curl_win32_cleanup(easy_init_flags);
#endif
-diff -ur curl-7.66.0.orig/lib/url.c curl-7.66.0/lib/url.c
---- curl-7.66.0.orig/lib/url.c 2020-01-02 15:43:11.883921171 +0100
-+++ curl-7.66.0/lib/url.c 2020-01-02 16:21:11.563880346 +0100
-@@ -524,6 +524,21 @@
- if(result)
- return result;
+--- curl-8.10.0/lib/url.c.orig 2024-09-17 16:57:50.407214691 +0000
++++ curl-8.10.0/lib/url.c 2024-09-17 16:59:47.507214691 +0000
+@@ -455,6 +455,21 @@
+ #endif
#endif
-+ extern char * Curl_ssl_cert_dir;
-+ extern char * Curl_ssl_cert_file;
-+ if(Curl_ssl_cert_dir) {
-+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], Curl_ssl_cert_dir))
-+ return result;
-+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_PROXY], Curl_ssl_cert_dir))
-+ return result;
-+ }
-+
-+ if(Curl_ssl_cert_file) {
-+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], Curl_ssl_cert_file))
-+ return result;
-+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_PROXY], Curl_ssl_cert_file))
-+ return result;
-+ }
}
++ extern char * Curl_ssl_cert_dir;
++ extern char * Curl_ssl_cert_file;
++ if(Curl_ssl_cert_dir) {
++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], Curl_ssl_cert_dir))
++ return result;
++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_PROXY], Curl_ssl_cert_dir))
++ return result;
++ }
++
++ if(Curl_ssl_cert_file) {
++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], Curl_ssl_cert_file))
++ return result;
++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_PROXY], Curl_ssl_cert_file))
++ return result;
++ }
+ #ifndef CURL_DISABLE_FTP
set->wildcard_enabled = FALSE;
base-commit: e85f52e826b0701c3dcf9acf9d81e5ae57aec8f9
--
2.46.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [bug#73361] [PATCH] gnu: curl: Update to 8.10.1 [security fixes].
2024-09-19 15:17 [bug#73361] [PATCH] gnu: curl: Update to 8.10.1 [security fixes] Ashish SHUKLA via Guix-patches via
@ 2024-09-27 18:52 ` John Kehayias via Guix-patches via
2024-09-28 1:24 ` Ashish SHUKLA via Guix-patches via
0 siblings, 1 reply; 4+ messages in thread
From: John Kehayias via Guix-patches via @ 2024-09-27 18:52 UTC (permalink / raw)
To: Ashish SHUKLA; +Cc: 73361
Hello,
On Thu, Sep 19, 2024 at 03:17 PM, Ashish SHUKLA wrote:
> * gnu/packages/curl.scm (curl): Update to 8.10.1.
>
As curl causes a rebuild of just about everything, this will need to
done as a graft on master. (And ungrafted with a world rebuild on a
branch.) Would you like to take a stab at that?
Also, please note what the security fixes are (CVE numbers).
Thanks for the patch so far!
John
> * gnu/packages/patches/curl-use-ssl-cert-env.patch: Update for 8.10.1.
>
> Change-Id: I2a1566a3b7ca0a097c77f158bd370945cf16baf8
> ---
> gnu/packages/curl.scm | 5 ++-
> .../patches/curl-use-ssl-cert-env.patch | 41 +++++++++----------
> 2 files changed, 23 insertions(+), 23 deletions(-)
>
> diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
> index 9f74018205..7ab886f195 100644
> --- a/gnu/packages/curl.scm
> +++ b/gnu/packages/curl.scm
> @@ -16,6 +16,7 @@
> ;;; Copyright © 2021 Felix Gruber <felgru@posteo.net>
> ;;; Copyright © 2023 Sharlatan Hellseher <sharlatanus@gmail.com>
> ;;; Copyright © 2023 John Kehayias <john.kehayias@protonmail.com>
> +;;; Copyright © 2024 Ashish SHUKLA <ashish.is@lostca.se>
> ;;;
> ;;; This file is part of GNU Guix.
> ;;;
> @@ -66,14 +67,14 @@ (define-module (gnu packages curl)
> (define-public curl
> (package
> (name "curl")
> - (version "8.6.0")
> + (version "8.10.1")
> (source (origin
> (method url-fetch)
> (uri (string-append "https://curl.se/download/curl-"
> version ".tar.xz"))
> (sha256
> (base32
> - "05fv468yjrb7qwrxmfprxkrcckbkij0myql0vwwnalgr3bcmbk9w"))
> + "1vh4rvmln4ygp4mc18hq1pd5za4mp7jbfksajajrz84njplv193k"))
> (patches (search-patches "curl-use-ssl-cert-env.patch"))))
> (outputs '("out"
> "doc")) ;1.2 MiB of man3 pages
> diff --git a/gnu/packages/patches/curl-use-ssl-cert-env.patch b/gnu/packages/patches/curl-use-ssl-cert-env.patch
> index c39c1f7e98..2a57f0f8be 100644
> --- a/gnu/packages/patches/curl-use-ssl-cert-env.patch
> +++ b/gnu/packages/patches/curl-use-ssl-cert-env.patch
> @@ -37,28 +37,27 @@ for other future workarounds.
> #ifdef _WIN32
> Curl_win32_cleanup(easy_init_flags);
> #endif
> -diff -ur curl-7.66.0.orig/lib/url.c curl-7.66.0/lib/url.c
> ---- curl-7.66.0.orig/lib/url.c 2020-01-02 15:43:11.883921171 +0100
> -+++ curl-7.66.0/lib/url.c 2020-01-02 16:21:11.563880346 +0100
> -@@ -524,6 +524,21 @@
> - if(result)
> - return result;
> +--- curl-8.10.0/lib/url.c.orig 2024-09-17 16:57:50.407214691 +0000
> ++++ curl-8.10.0/lib/url.c 2024-09-17 16:59:47.507214691 +0000
> +@@ -455,6 +455,21 @@
> + #endif
> #endif
> -+ extern char * Curl_ssl_cert_dir;
> -+ extern char * Curl_ssl_cert_file;
> -+ if(Curl_ssl_cert_dir) {
> -+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], Curl_ssl_cert_dir))
> -+ return result;
> -+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_PROXY], Curl_ssl_cert_dir))
> -+ return result;
> -+ }
> -+
> -+ if(Curl_ssl_cert_file) {
> -+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], Curl_ssl_cert_file))
> -+ return result;
> -+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_PROXY], Curl_ssl_cert_file))
> -+ return result;
> -+ }
> }
> ++ extern char * Curl_ssl_cert_dir;
> ++ extern char * Curl_ssl_cert_file;
> ++ if(Curl_ssl_cert_dir) {
> ++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], Curl_ssl_cert_dir))
> ++ return result;
> ++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_PROXY], Curl_ssl_cert_dir))
> ++ return result;
> ++ }
> ++
> ++ if(Curl_ssl_cert_file) {
> ++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], Curl_ssl_cert_file))
> ++ return result;
> ++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_PROXY], Curl_ssl_cert_file))
> ++ return result;
> ++ }
>
> + #ifndef CURL_DISABLE_FTP
> set->wildcard_enabled = FALSE;
>
> base-commit: e85f52e826b0701c3dcf9acf9d81e5ae57aec8f9
^ permalink raw reply [flat|nested] 4+ messages in thread
* [bug#73361] [PATCH] gnu: curl: Update to 8.10.1 [security fixes].
2024-09-27 18:52 ` John Kehayias via Guix-patches via
@ 2024-09-28 1:24 ` Ashish SHUKLA via Guix-patches via
2024-11-12 12:07 ` bug#73361: [PATCH v2] gnu: curl: Fix security vulnerability Maxim Cournoyer
0 siblings, 1 reply; 4+ messages in thread
From: Ashish SHUKLA via Guix-patches via @ 2024-09-28 1:24 UTC (permalink / raw)
To: John Kehayias; +Cc: 73361
[-- Attachment #1.1.1: Type: text/plain, Size: 972 bytes --]
On Fri Sep 27, 2024 at 8:52 PM CEST, John Kehayias wrote:
> Hello,
>
> On Thu, Sep 19, 2024 at 03:17 PM, Ashish SHUKLA wrote:
>
> > * gnu/packages/curl.scm (curl): Update to 8.10.1.
> >
>
> As curl causes a rebuild of just about everything, this will need to
> done as a graft on master. (And ungrafted with a world rebuild on a
> branch.) Would you like to take a stab at that?
Prepared a new revision (attached) to add a new package 'curl/fixed'
with just the fix from upstream applied[0][1].
As for the actual update to 8.10.1, I can send a patch (either in this
thread, or in separate issue report).
Please let me know if something is amiss with my patch.
References:
[0] https://curl.se/docs/CVE-2024-8096.html
[1] https://github.com/curl/curl/commit/aeb1a281cab13c7ba
Thanks!
--
Ashish SHUKLA | GPG: F682 CDCC 39DC 0FEA E116 20B6 C746 CFA9 E74F A4B0
"If I destroy you, what business is it of yours ?" (Dark Forest, Liu Cixin)
[-- Attachment #1.2: v2-0001-gnu-curl-Fix-security-vulnerability.patch --]
[-- Type: text/plain, Size: 9799 bytes --]
From 82e4c9fdf2e4bc78dfad87ee956fd78051bbc763 Mon Sep 17 00:00:00 2001
Message-ID: <82e4c9fdf2e4bc78dfad87ee956fd78051bbc763.1727486274.git.ashish.is@lostca.se>
From: Ashish SHUKLA <ashish.is@lostca.se>
Date: Sat, 28 Sep 2024 01:40:45 +0200
Subject: [PATCH v2] gnu: curl: Fix security vulnerability.
Fixes CVE-2024-8096.
* gnu/packages/curl.scm (curl)[replacement]: New field.
(curl/fixed): New variable.
* gnu/packages/patches/curl-CVE-2024-8096.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
Change-Id: I42facad095d97dc94302e9db60626b9fa00f3738
---
gnu/local.mk | 1 +
gnu/packages/curl.scm | 11 +
gnu/packages/patches/curl-CVE-2024-8096.patch | 200 ++++++++++++++++++
3 files changed, 212 insertions(+)
create mode 100644 gnu/packages/patches/curl-CVE-2024-8096.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 9fdad12b63..a2215ad4c2 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1114,6 +1114,7 @@ dist_patch_DATA = \
%D%/packages/patches/crda-optional-gcrypt.patch \
%D%/packages/patches/clucene-contribs-lib.patch \
%D%/packages/patches/cube-nocheck.patch \
+ %D%/packages/patches/curl-CVE-2024-8096.patch \
%D%/packages/patches/curl-use-ssl-cert-env.patch \
%D%/packages/patches/curlftpfs-fix-error-closing-file.patch \
%D%/packages/patches/curlftpfs-fix-file-names.patch \
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 9f74018205..bbb266e236 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -16,6 +16,7 @@
;;; Copyright © 2021 Felix Gruber <felgru@posteo.net>
;;; Copyright © 2023 Sharlatan Hellseher <sharlatanus@gmail.com>
;;; Copyright © 2023 John Kehayias <john.kehayias@protonmail.com>
+;;; Copyright © 2024 Ashish SHUKLA <ashish.is@lostca.se>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -67,6 +68,7 @@ (define-public curl
(package
(name "curl")
(version "8.6.0")
+ (replacement curl/fixed)
(source (origin
(method url-fetch)
(uri (string-append "https://curl.se/download/curl-"
@@ -176,6 +178,15 @@ (define-public curl
"See COPYING in the distribution."))
(home-page "https://curl.haxx.se/")))
+(define-public curl/fixed
+ (hidden-package
+ (package
+ (inherit curl)
+ (replacement curl/fixed)
+ (source (origin
+ (inherit (package-source curl))
+ (patches (search-patches "curl-CVE-2024-8096.patch")))))))
+
(define-public gnurl (deprecated-package "gnurl" curl))
(define-public curl-ssh
diff --git a/gnu/packages/patches/curl-CVE-2024-8096.patch b/gnu/packages/patches/curl-CVE-2024-8096.patch
new file mode 100644
index 0000000000..0f780f08c3
--- /dev/null
+++ b/gnu/packages/patches/curl-CVE-2024-8096.patch
@@ -0,0 +1,200 @@
+From aeb1a281cab13c7ba791cb104e556b20e713941f Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 20 Aug 2024 16:14:39 +0200
+Subject: [PATCH] gtls: fix OCSP stapling management
+
+Reported-by: Hiroki Kurosawa
+Closes #14642
+---
+ lib/vtls/gtls.c | 146 ++++++++++++++++++++++++------------------------
+ 1 file changed, 73 insertions(+), 73 deletions(-)
+
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 03d6fcc038aac3..c7589d9d39bc81 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -850,6 +850,13 @@ static CURLcode gtls_client_init(struct Curl_cfilter *cf,
+ init_flags |= GNUTLS_NO_TICKETS;
+ #endif
+
++#if defined(GNUTLS_NO_STATUS_REQUEST)
++ if(!config->verifystatus)
++ /* Disable the "status_request" TLS extension, enabled by default since
++ GnuTLS 3.8.0. */
++ init_flags |= GNUTLS_NO_STATUS_REQUEST;
++#endif
++
+ rc = gnutls_init(>ls->session, init_flags);
+ if(rc != GNUTLS_E_SUCCESS) {
+ failf(data, "gnutls_init() failed: %d", rc);
+@@ -1321,104 +1328,97 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
+ infof(data, " server certificate verification SKIPPED");
+
+ if(config->verifystatus) {
+- if(gnutls_ocsp_status_request_is_checked(session, 0) == 0) {
+- gnutls_datum_t status_request;
+- gnutls_ocsp_resp_t ocsp_resp;
++ gnutls_datum_t status_request;
++ gnutls_ocsp_resp_t ocsp_resp;
++ gnutls_ocsp_cert_status_t status;
++ gnutls_x509_crl_reason_t reason;
+
+- gnutls_ocsp_cert_status_t status;
+- gnutls_x509_crl_reason_t reason;
++ rc = gnutls_ocsp_status_request_get(session, &status_request);
+
+- rc = gnutls_ocsp_status_request_get(session, &status_request);
++ if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
++ failf(data, "No OCSP response received");
++ return CURLE_SSL_INVALIDCERTSTATUS;
++ }
+
+- infof(data, " server certificate status verification FAILED");
++ if(rc < 0) {
++ failf(data, "Invalid OCSP response received");
++ return CURLE_SSL_INVALIDCERTSTATUS;
++ }
+
+- if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+- failf(data, "No OCSP response received");
+- return CURLE_SSL_INVALIDCERTSTATUS;
+- }
++ gnutls_ocsp_resp_init(&ocsp_resp);
+
+- if(rc < 0) {
+- failf(data, "Invalid OCSP response received");
+- return CURLE_SSL_INVALIDCERTSTATUS;
+- }
++ rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
++ if(rc < 0) {
++ failf(data, "Invalid OCSP response received");
++ return CURLE_SSL_INVALIDCERTSTATUS;
++ }
+
+- gnutls_ocsp_resp_init(&ocsp_resp);
++ (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
++ &status, NULL, NULL, NULL, &reason);
+
+- rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
+- if(rc < 0) {
+- failf(data, "Invalid OCSP response received");
+- return CURLE_SSL_INVALIDCERTSTATUS;
+- }
++ switch(status) {
++ case GNUTLS_OCSP_CERT_GOOD:
++ break;
+
+- (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
+- &status, NULL, NULL, NULL, &reason);
++ case GNUTLS_OCSP_CERT_REVOKED: {
++ const char *crl_reason;
+
+- switch(status) {
+- case GNUTLS_OCSP_CERT_GOOD:
++ switch(reason) {
++ default:
++ case GNUTLS_X509_CRLREASON_UNSPECIFIED:
++ crl_reason = "unspecified reason";
+ break;
+
+- case GNUTLS_OCSP_CERT_REVOKED: {
+- const char *crl_reason;
+-
+- switch(reason) {
+- default:
+- case GNUTLS_X509_CRLREASON_UNSPECIFIED:
+- crl_reason = "unspecified reason";
+- break;
+-
+- case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
+- crl_reason = "private key compromised";
+- break;
+-
+- case GNUTLS_X509_CRLREASON_CACOMPROMISE:
+- crl_reason = "CA compromised";
+- break;
+-
+- case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
+- crl_reason = "affiliation has changed";
+- break;
++ case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
++ crl_reason = "private key compromised";
++ break;
+
+- case GNUTLS_X509_CRLREASON_SUPERSEDED:
+- crl_reason = "certificate superseded";
+- break;
++ case GNUTLS_X509_CRLREASON_CACOMPROMISE:
++ crl_reason = "CA compromised";
++ break;
+
+- case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
+- crl_reason = "operation has ceased";
+- break;
++ case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
++ crl_reason = "affiliation has changed";
++ break;
+
+- case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
+- crl_reason = "certificate is on hold";
+- break;
++ case GNUTLS_X509_CRLREASON_SUPERSEDED:
++ crl_reason = "certificate superseded";
++ break;
+
+- case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
+- crl_reason = "will be removed from delta CRL";
+- break;
++ case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
++ crl_reason = "operation has ceased";
++ break;
+
+- case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
+- crl_reason = "privilege withdrawn";
+- break;
++ case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
++ crl_reason = "certificate is on hold";
++ break;
+
+- case GNUTLS_X509_CRLREASON_AACOMPROMISE:
+- crl_reason = "AA compromised";
+- break;
+- }
++ case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
++ crl_reason = "will be removed from delta CRL";
++ break;
+
+- failf(data, "Server certificate was revoked: %s", crl_reason);
++ case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
++ crl_reason = "privilege withdrawn";
+ break;
+- }
+
+- default:
+- case GNUTLS_OCSP_CERT_UNKNOWN:
+- failf(data, "Server certificate status is unknown");
++ case GNUTLS_X509_CRLREASON_AACOMPROMISE:
++ crl_reason = "AA compromised";
+ break;
+ }
+
+- gnutls_ocsp_resp_deinit(ocsp_resp);
++ failf(data, "Server certificate was revoked: %s", crl_reason);
++ break;
++ }
+
+- return CURLE_SSL_INVALIDCERTSTATUS;
++ default:
++ case GNUTLS_OCSP_CERT_UNKNOWN:
++ failf(data, "Server certificate status is unknown");
++ break;
+ }
+- else
+- infof(data, " server certificate status verification OK");
++
++ gnutls_ocsp_resp_deinit(ocsp_resp);
++ if(status != GNUTLS_OCSP_CERT_GOOD)
++ return CURLE_SSL_INVALIDCERTSTATUS;
+ }
+ else
+ infof(data, " server certificate status verification SKIPPED");
base-commit: 5e888ec915cfdd256e726959cdc23293bc36277e
--
2.46.1
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 992 bytes --]
^ permalink raw reply related [flat|nested] 4+ messages in thread
* bug#73361: [PATCH v2] gnu: curl: Fix security vulnerability.
2024-09-28 1:24 ` Ashish SHUKLA via Guix-patches via
@ 2024-11-12 12:07 ` Maxim Cournoyer
0 siblings, 0 replies; 4+ messages in thread
From: Maxim Cournoyer @ 2024-11-12 12:07 UTC (permalink / raw)
To: Ashish SHUKLA; +Cc: John Kehayias, 73361-done
Hi,
"Ashish SHUKLA" <ashish.is@lostca.se> writes:
> On Fri Sep 27, 2024 at 8:52 PM CEST, John Kehayias wrote:
>> Hello,
>>
>> On Thu, Sep 19, 2024 at 03:17 PM, Ashish SHUKLA wrote:
>>
>> > * gnu/packages/curl.scm (curl): Update to 8.10.1.
>> >
>>
>> As curl causes a rebuild of just about everything, this will need to
>> done as a graft on master. (And ungrafted with a world rebuild on a
>> branch.) Would you like to take a stab at that?
>
> Prepared a new revision (attached) to add a new package 'curl/fixed'
> with just the fix from upstream applied[0][1].
>
> As for the actual update to 8.10.1, I can send a patch (either in this
> thread, or in separate issue report).
>
> Please let me know if something is amiss with my patch.
>
> References:
> [0] https://curl.se/docs/CVE-2024-8096.html
> [1] https://github.com/curl/curl/commit/aeb1a281cab13c7ba
>
> Thanks!
> --
> Ashish SHUKLA | GPG: F682 CDCC 39DC 0FEA E116 20B6 C746 CFA9 E74F A4B0
>
> "If I destroy you, what business is it of yours ?" (Dark Forest, Liu Cixin)
>
> From 82e4c9fdf2e4bc78dfad87ee956fd78051bbc763 Mon Sep 17 00:00:00 2001
> Message-ID: <82e4c9fdf2e4bc78dfad87ee956fd78051bbc763.1727486274.git.ashish.is@lostca.se>
> From: Ashish SHUKLA <ashish.is@lostca.se>
> Date: Sat, 28 Sep 2024 01:40:45 +0200
> Subject: [PATCH v2] gnu: curl: Fix security vulnerability.
>
> Fixes CVE-2024-8096.
>
> * gnu/packages/curl.scm (curl)[replacement]: New field.
> (curl/fixed): New variable.
> * gnu/packages/patches/curl-CVE-2024-8096.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Register it.
>
> Change-Id: I42facad095d97dc94302e9db60626b9fa00f3738
> ---
> gnu/local.mk | 1 +
> gnu/packages/curl.scm | 11 +
> gnu/packages/patches/curl-CVE-2024-8096.patch | 200 ++++++++++++++++++
> 3 files changed, 212 insertions(+)
> create mode 100644 gnu/packages/patches/curl-CVE-2024-8096.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index 9fdad12b63..a2215ad4c2 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -1114,6 +1114,7 @@ dist_patch_DATA = \
> %D%/packages/patches/crda-optional-gcrypt.patch \
> %D%/packages/patches/clucene-contribs-lib.patch \
> %D%/packages/patches/cube-nocheck.patch \
> + %D%/packages/patches/curl-CVE-2024-8096.patch \
> %D%/packages/patches/curl-use-ssl-cert-env.patch \
> %D%/packages/patches/curlftpfs-fix-error-closing-file.patch \
> %D%/packages/patches/curlftpfs-fix-file-names.patch \
> diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
> index 9f74018205..bbb266e236 100644
> --- a/gnu/packages/curl.scm
> +++ b/gnu/packages/curl.scm
> @@ -16,6 +16,7 @@
> ;;; Copyright © 2021 Felix Gruber <felgru@posteo.net>
> ;;; Copyright © 2023 Sharlatan Hellseher <sharlatanus@gmail.com>
> ;;; Copyright © 2023 John Kehayias <john.kehayias@protonmail.com>
> +;;; Copyright © 2024 Ashish SHUKLA <ashish.is@lostca.se>
> ;;;
> ;;; This file is part of GNU Guix.
> ;;;
> @@ -67,6 +68,7 @@ (define-public curl
> (package
> (name "curl")
> (version "8.6.0")
> + (replacement curl/fixed)
> (source (origin
> (method url-fetch)
> (uri (string-append "https://curl.se/download/curl-"
> @@ -176,6 +178,15 @@ (define-public curl
> "See COPYING in the distribution."))
> (home-page "https://curl.haxx.se/")))
>
> +(define-public curl/fixed
> + (hidden-package
> + (package
> + (inherit curl)
> + (replacement curl/fixed)
> + (source (origin
> + (inherit (package-source curl))
> + (patches (search-patches "curl-CVE-2024-8096.patch")))))))
> +
I've applied it already, but noticed after that this doesn't add the
curl patch 'curl-use-ssl-cert-env.patch'; which I've now fixed in commit
b10ce47d8b.
Closing!
--
Thanks,
Maxim
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2024-11-12 12:09 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-09-19 15:17 [bug#73361] [PATCH] gnu: curl: Update to 8.10.1 [security fixes] Ashish SHUKLA via Guix-patches via
2024-09-27 18:52 ` John Kehayias via Guix-patches via
2024-09-28 1:24 ` Ashish SHUKLA via Guix-patches via
2024-11-12 12:07 ` bug#73361: [PATCH v2] gnu: curl: Fix security vulnerability Maxim Cournoyer
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).