all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
To: 75026@debbugs.gnu.org
Cc: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Subject: [bug#75026] [PATCH core-updates 6/7] gnu: curl: Update to 8.11.1 and ungraft.
Date: Mon, 23 Dec 2024 01:01:04 +0900	[thread overview]
Message-ID: <4782535fb3ee717b4e077d5c1624dcb9c7b964a9.1734882716.git.maxim.cournoyer@gmail.com> (raw)
In-Reply-To: <cover.1734882716.git.maxim.cournoyer@gmail.com>

* gnu/packages/curl.scm (curl): Update to 8.11.1.
[replacement]: Delete field.
[arguments]
<#:configure-flags>: Add --with-libssh2.
<#:phases>: Simplify check phase override, and newly skip the 165, 962, 963,
964, 965, 966, 967, 1448, 2046 and 2047 test cases.
[native-inputs]: Add libssh2.
(curl/fixed): Delete variable.
* gnu/packages/patches/curl-CVE-2024-8096.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): De-register it.

Change-Id: I8e1a8516e78370645e4148d33e57114f98a26404
---
 gnu/local.mk                                  |   1 -
 gnu/packages/curl.scm                         |  47 ++--
 gnu/packages/patches/curl-CVE-2024-8096.patch | 200 ------------------
 3 files changed, 19 insertions(+), 229 deletions(-)
 delete mode 100644 gnu/packages/patches/curl-CVE-2024-8096.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index a4f2e71134..4ffaf89ba4 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1128,7 +1128,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/clucene-contribs-lib.patch               \
   %D%/packages/patches/cube-nocheck.patch			\
   %D%/packages/patches/cups-minimal-Address-PPD-injection-issues.patch	\
-  %D%/packages/patches/curl-CVE-2024-8096.patch			\
   %D%/packages/patches/curl-use-ssl-cert-env.patch		\
   %D%/packages/patches/curlftpfs-fix-error-closing-file.patch	\
   %D%/packages/patches/curlftpfs-fix-file-names.patch		\
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index e5e3342b6d..8645ce73f8 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -17,6 +17,7 @@
 ;;; Copyright © 2023 Sharlatan Hellseher <sharlatanus@gmail.com>
 ;;; Copyright © 2023 John Kehayias <john.kehayias@protonmail.com>
 ;;; Copyright © 2024 Ashish SHUKLA <ashish.is@lostca.se>
+;;; Copyright © 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -67,15 +68,14 @@ (define-module (gnu packages curl)
 (define-public curl
   (package
     (name "curl")
-    (version "8.6.0")
-    (replacement curl/fixed)
+    (version "8.11.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://curl.se/download/curl-"
                                   version ".tar.xz"))
               (sha256
                (base32
-                "05fv468yjrb7qwrxmfprxkrcckbkij0myql0vwwnalgr3bcmbk9w"))
+                "0mmb6sal02gi0dkdvkhx9wfwd6y10bd50hpkmqz78289ifs7vjn7"))
               (patches (search-patches "curl-use-ssl-cert-env.patch"))))
     (outputs '("out"
                "doc"))                  ;1.2 MiB of man3 pages
@@ -89,6 +89,7 @@ (define-public curl
                              (dirname (dirname
                                        (search-input-file
                                         %build-inputs "lib/libgssrpc.so"))))
+              "--with-libssh2"
               "--disable-static")
       #:test-target "test-nonflaky"     ;avoid tests marked as "flaky"
       #:phases
@@ -115,20 +116,20 @@ (define-public curl
                                    (if parallel-tests?
                                        (number->string (parallel-job-count))
                                        "1")))
-                       ;; Ignore test 1477 due to a missing file in the 8.5.0
-                       ;; release.  See
-                       ;; <https://github.com/curl/curl/issues/12462>.
-                       (arguments `("-C" "tests" "test"
-                                    ,@make-flags
-                                    ,(if #$(or (system-hurd?)
-                                               (target-arm32?)
-                                               (target-aarch64?))
-                                         ;; protocol FAIL
-                                         (string-append "TFLAGS=~1474 "
-                                                        "!1477 "
-                                                        job-count)
-                                         (string-append "TFLAGS=\"~1477 "
-                                                        job-count "\"")))))
+                       (arguments
+                        `("-C" "tests" "test"
+                          ,@make-flags
+                          ,(string-append "TFLAGS="
+                                          job-count " "
+                                          (if #$(or (system-hurd?)
+                                                    (target-arm32?)
+                                                    (target-aarch64?))
+                                              "~1474 " ;protocol FAIL
+                                              "")
+                                          ;; protocol FAIL
+                                          "~962 ~963 ~964 ~965 ~966 ~967 "
+                                          ;; These fail for unknown reasons.
+                                          "~165 ~1448 ~2046 ~2047"))))
                   ;; The top-level "make check" does "make -C tests quiet-test", which
                   ;; is too quiet.  Use the "test" target instead, which is more
                   ;; verbose.
@@ -152,7 +153,7 @@ (define-public curl
     (native-inputs
      (list nghttp2 perl pkg-config python-minimal-wrapper))
     (inputs
-     (list gnutls libidn libpsl mit-krb5 `(,nghttp2 "lib") zlib))
+     (list gnutls libidn libpsl libssh2 mit-krb5 `(,nghttp2 "lib") zlib))
     (native-search-paths
      ;; These variables are introduced by curl-use-ssl-cert-env.patch.
      (list $SSL_CERT_DIR
@@ -178,16 +179,6 @@ (define-public curl
     (license (license:non-copyleft "file://COPYING"
                                    "See COPYING in the distribution."))))
 
-(define-public curl/fixed
-  (hidden-package
-   (package
-     (inherit curl)
-     (replacement curl/fixed)
-     (source (origin
-               (inherit (package-source curl))
-               (patches (append (origin-patches (package-source curl))
-                                (search-patches "curl-CVE-2024-8096.patch"))))))))
-
 (define-public gnurl (deprecated-package "gnurl" curl))
 
 (define-public curl-ssh
diff --git a/gnu/packages/patches/curl-CVE-2024-8096.patch b/gnu/packages/patches/curl-CVE-2024-8096.patch
deleted file mode 100644
index 0f780f08c3..0000000000
--- a/gnu/packages/patches/curl-CVE-2024-8096.patch
+++ /dev/null
@@ -1,200 +0,0 @@
-From aeb1a281cab13c7ba791cb104e556b20e713941f Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Tue, 20 Aug 2024 16:14:39 +0200
-Subject: [PATCH] gtls: fix OCSP stapling management
-
-Reported-by: Hiroki Kurosawa
-Closes #14642
----
- lib/vtls/gtls.c | 146 ++++++++++++++++++++++++------------------------
- 1 file changed, 73 insertions(+), 73 deletions(-)
-
-diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
-index 03d6fcc038aac3..c7589d9d39bc81 100644
---- a/lib/vtls/gtls.c
-+++ b/lib/vtls/gtls.c
-@@ -850,6 +850,13 @@ static CURLcode gtls_client_init(struct Curl_cfilter *cf,
-   init_flags |= GNUTLS_NO_TICKETS;
- #endif
- 
-+#if defined(GNUTLS_NO_STATUS_REQUEST)
-+  if(!config->verifystatus)
-+    /* Disable the "status_request" TLS extension, enabled by default since
-+       GnuTLS 3.8.0. */
-+    init_flags |= GNUTLS_NO_STATUS_REQUEST;
-+#endif
-+
-   rc = gnutls_init(&gtls->session, init_flags);
-   if(rc != GNUTLS_E_SUCCESS) {
-     failf(data, "gnutls_init() failed: %d", rc);
-@@ -1321,104 +1328,97 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
-     infof(data, "  server certificate verification SKIPPED");
- 
-   if(config->verifystatus) {
--    if(gnutls_ocsp_status_request_is_checked(session, 0) == 0) {
--      gnutls_datum_t status_request;
--      gnutls_ocsp_resp_t ocsp_resp;
-+    gnutls_datum_t status_request;
-+    gnutls_ocsp_resp_t ocsp_resp;
-+    gnutls_ocsp_cert_status_t status;
-+    gnutls_x509_crl_reason_t reason;
- 
--      gnutls_ocsp_cert_status_t status;
--      gnutls_x509_crl_reason_t reason;
-+    rc = gnutls_ocsp_status_request_get(session, &status_request);
- 
--      rc = gnutls_ocsp_status_request_get(session, &status_request);
-+    if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
-+      failf(data, "No OCSP response received");
-+      return CURLE_SSL_INVALIDCERTSTATUS;
-+    }
- 
--      infof(data, " server certificate status verification FAILED");
-+    if(rc < 0) {
-+      failf(data, "Invalid OCSP response received");
-+      return CURLE_SSL_INVALIDCERTSTATUS;
-+    }
- 
--      if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
--        failf(data, "No OCSP response received");
--        return CURLE_SSL_INVALIDCERTSTATUS;
--      }
-+    gnutls_ocsp_resp_init(&ocsp_resp);
- 
--      if(rc < 0) {
--        failf(data, "Invalid OCSP response received");
--        return CURLE_SSL_INVALIDCERTSTATUS;
--      }
-+    rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
-+    if(rc < 0) {
-+      failf(data, "Invalid OCSP response received");
-+      return CURLE_SSL_INVALIDCERTSTATUS;
-+    }
- 
--      gnutls_ocsp_resp_init(&ocsp_resp);
-+    (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
-+                                      &status, NULL, NULL, NULL, &reason);
- 
--      rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
--      if(rc < 0) {
--        failf(data, "Invalid OCSP response received");
--        return CURLE_SSL_INVALIDCERTSTATUS;
--      }
-+    switch(status) {
-+    case GNUTLS_OCSP_CERT_GOOD:
-+      break;
- 
--      (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
--                                        &status, NULL, NULL, NULL, &reason);
-+    case GNUTLS_OCSP_CERT_REVOKED: {
-+      const char *crl_reason;
- 
--      switch(status) {
--      case GNUTLS_OCSP_CERT_GOOD:
-+      switch(reason) {
-+      default:
-+      case GNUTLS_X509_CRLREASON_UNSPECIFIED:
-+        crl_reason = "unspecified reason";
-         break;
- 
--      case GNUTLS_OCSP_CERT_REVOKED: {
--        const char *crl_reason;
--
--        switch(reason) {
--          default:
--          case GNUTLS_X509_CRLREASON_UNSPECIFIED:
--            crl_reason = "unspecified reason";
--            break;
--
--          case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
--            crl_reason = "private key compromised";
--            break;
--
--          case GNUTLS_X509_CRLREASON_CACOMPROMISE:
--            crl_reason = "CA compromised";
--            break;
--
--          case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
--            crl_reason = "affiliation has changed";
--            break;
-+      case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
-+        crl_reason = "private key compromised";
-+        break;
- 
--          case GNUTLS_X509_CRLREASON_SUPERSEDED:
--            crl_reason = "certificate superseded";
--            break;
-+      case GNUTLS_X509_CRLREASON_CACOMPROMISE:
-+        crl_reason = "CA compromised";
-+        break;
- 
--          case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
--            crl_reason = "operation has ceased";
--            break;
-+      case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
-+        crl_reason = "affiliation has changed";
-+        break;
- 
--          case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
--            crl_reason = "certificate is on hold";
--            break;
-+      case GNUTLS_X509_CRLREASON_SUPERSEDED:
-+        crl_reason = "certificate superseded";
-+        break;
- 
--          case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
--            crl_reason = "will be removed from delta CRL";
--            break;
-+      case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
-+        crl_reason = "operation has ceased";
-+        break;
- 
--          case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
--            crl_reason = "privilege withdrawn";
--            break;
-+      case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
-+        crl_reason = "certificate is on hold";
-+        break;
- 
--          case GNUTLS_X509_CRLREASON_AACOMPROMISE:
--            crl_reason = "AA compromised";
--            break;
--        }
-+      case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
-+        crl_reason = "will be removed from delta CRL";
-+        break;
- 
--        failf(data, "Server certificate was revoked: %s", crl_reason);
-+      case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
-+        crl_reason = "privilege withdrawn";
-         break;
--      }
- 
--      default:
--      case GNUTLS_OCSP_CERT_UNKNOWN:
--        failf(data, "Server certificate status is unknown");
-+      case GNUTLS_X509_CRLREASON_AACOMPROMISE:
-+        crl_reason = "AA compromised";
-         break;
-       }
- 
--      gnutls_ocsp_resp_deinit(ocsp_resp);
-+      failf(data, "Server certificate was revoked: %s", crl_reason);
-+      break;
-+    }
- 
--      return CURLE_SSL_INVALIDCERTSTATUS;
-+    default:
-+    case GNUTLS_OCSP_CERT_UNKNOWN:
-+      failf(data, "Server certificate status is unknown");
-+      break;
-     }
--    else
--      infof(data, "  server certificate status verification OK");
-+
-+    gnutls_ocsp_resp_deinit(ocsp_resp);
-+    if(status != GNUTLS_OCSP_CERT_GOOD)
-+      return CURLE_SSL_INVALIDCERTSTATUS;
-   }
-   else
-     infof(data, "  server certificate status verification SKIPPED");
-- 
2.46.0





  parent reply	other threads:[~2024-12-22 16:03 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-12-22 15:52 [bug#75026] [PATCH core-updates 0/7] Update gnutls and curl Maxim Cournoyer
2024-12-22 16:00 ` [bug#75026] [PATCH core-updates 1/7] gnu: gnutls: Update to 3.8.8 Maxim Cournoyer
2024-12-22 16:01 ` [bug#75026] [PATCH core-updates 2/7] gnu: gnutls: Enable zstd compression Maxim Cournoyer
2024-12-22 16:01 ` [bug#75026] [PATCH core-updates 3/7] gnu: gnutls: Streamline mips64el conditionals Maxim Cournoyer
2024-12-22 16:01 ` [bug#75026] [PATCH core-updates 4/7] gnu: brotli: Update to 1.1.0 Maxim Cournoyer
2024-12-22 16:01 ` [bug#75026] [PATCH core-updates 5/7] gnu: libidn: Update to 1.42 Maxim Cournoyer
2024-12-22 16:01 ` Maxim Cournoyer [this message]
2024-12-22 16:01 ` [bug#75026] [PATCH core-updates 7/7] gnu: curl: Enable zstd support Maxim Cournoyer

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4782535fb3ee717b4e077d5c1624dcb9c7b964a9.1734882716.git.maxim.cournoyer@gmail.com \
    --to=maxim.cournoyer@gmail.com \
    --cc=75026@debbugs.gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.