From patchwork Tue May 20 02:58:12 2025
X-Patchwork-Submitter: Maxim Cournoyer
X-Patchwork-Id: 42763
Subject: [bug#78337] [PATCH v2 2/6] gnu: curl: Update to 8.13.0 and ungraft [fixes CVE-2025-0725].
To: 78337@debbugs.gnu.org
Cc: Maxim Cournoyer, Zheng Junjie
From: Maxim Cournoyer
Date: Tue, 20 May 2025 11:58:12 +0900
X-Mailer: git-send-email 2.49.0
In-Reply-To: <62f70621a69a09b7195dca52741ed454bec9b3d7.1747709896.git.maxim.cournoyer@gmail.com>
References: <62f70621a69a09b7195dca52741ed454bec9b3d7.1747709896.git.maxim.cournoyer@gmail.com>

* gnu/packages/curl.scm (curl): Update to 8.13.0.
[replacement]: Delete field.
[arguments] <#:configure-flags>: Add --with-libssh2.
<#:phases>: Streamline check phase override, and newly skip a few new tests.
[native-inputs]: Add libssh2.
(curl/fixed): Delete variable.
* gnu/packages/patches/curl-CVE-2024-8096.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): De-register it.

Change-Id: I8e1a8516e78370645e4148d33e57114f98a26404
---
 gnu/local.mk                                  |   1 -
 gnu/packages/curl.scm                         |  39 ++--
 gnu/packages/patches/curl-CVE-2024-8096.patch | 200 ------------------
 3 files changed, 20 insertions(+), 220 deletions(-)
 delete mode 100644 gnu/packages/patches/curl-CVE-2024-8096.patch

diff --git a/gnu/local.mk b/gnu/local.mk index 3730d272ea..0cbe521c73 100644 --- a/gnu/local.mk +++ b/gnu/local.mk
@@ -1158,7 +1158,6 @@ dist_patch_DATA = \ %D%/packages/patches/csvkit-set-locale-for-tests.patch \ %D%/packages/patches/cube-nocheck.patch \ %D%/packages/patches/cups-minimal-Address-PPD-injection-issues.patch \ - %D%/packages/patches/curl-CVE-2024-8096.patch \ %D%/packages/patches/curl-use-ssl-cert-env.patch \ %D%/packages/patches/curlftpfs-fix-error-closing-file.patch \ %D%/packages/patches/curlftpfs-fix-file-names.patch \ diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm index ded616a052..caeefd9168 100644 --- a/gnu/packages/curl.scm +++ b/gnu/packages/curl.scm @@ -17,6 +17,7 @@ ;;; Copyright © 2023 Sharlatan Hellseher ;;; Copyright © 2023 John Kehayias ;;; Copyright © 2024 Ashish SHUKLA +;;; Copyright © 2024, 2025 Maxim Cournoyer ;;; ;;; This file is part of GNU Guix. ;;; @@ -68,21 +69,22 @@ (define-module (gnu packages curl) (define-public curl (package (name "curl") - (version "8.6.0") + (version "8.13.0") (source (origin (method url-fetch) (uri (string-append "https://curl.se/download/curl-" version ".tar.xz")) (sha256 (base32 - "05fv468yjrb7qwrxmfprxkrcckbkij0myql0vwwnalgr3bcmbk9w")) - (patches (search-patches "curl-use-ssl-cert-env.patch" - "curl-CVE-2024-8096.patch")))) + "09902ng7lbydbsm6yb03g0p7y03i4yilj1f0zgi2vl62ldwkj2aa")) + (patches (search-patches "curl-use-ssl-cert-env.patch")))) (outputs '("out" "doc")) ;1.2 MiB of man3 pages (build-system gnu-build-system) (arguments (list + #:modules `((ice-9 format) + ,@%default-gnu-modules) #:disallowed-references '("doc") #:configure-flags #~(list "--with-gnutls" @@ -90,6 +92,7 @@ (define-public curl (dirname (dirname (search-input-file %build-inputs "lib/libgssrpc.so")))) + "--with-libssh2" "--disable-static") #:test-target "test-nonflaky" ;avoid tests marked as "flaky" #:phases 
@@ -116,20 +119,18 @@ (define-public curl (if parallel-tests? (number->string (parallel-job-count)) "1"))) - ;; Ignore test 1477 due to a missing file in the 8.5.0 - ;; release. See - ;; . - (arguments `("-C" "tests" "test" - ,@make-flags - ,(if #$(or (system-hurd?) - (target-arm32?) - (target-aarch64?)) - ;; protocol FAIL - (string-append "TFLAGS=~1474 " - "!1477 " - job-count) - (string-append "TFLAGS=\"~1477 " - job-count "\""))))) + (failing-tests + '( 962 963 964 965 966 967 1474 ;protocol FAIL + ;; Unknown reason. + 165 1448 2046 2047 + ;; Mismatch in expected output, perhaps + ;; caused by different nginx version used. + 1700 1701 1702 2402 2403 2404 2405)) + (arguments + `("-C" "tests" "test" + ,@make-flags + ,(format #f "TFLAGS=~a ~{~~~a ~}" + job-count failing-tests)))) ;; The top-level "make check" does "make -C tests quiet-test", which ;; is too quiet. Use the "test" target instead, which is more ;; verbose. @@ -153,7 +154,7 @@ (define-public curl (native-inputs (list nghttp2 perl pkg-config python-minimal-wrapper)) (inputs - (list gnutls libidn libpsl mit-krb5 `(,nghttp2 "lib") zlib)) + (list gnutls libidn libpsl libssh2 mit-krb5 `(,nghttp2 "lib") zlib)) (native-search-paths ;; These variables are introduced by curl-use-ssl-cert-env.patch. (list $SSL_CERT_DIR diff --git a/gnu/packages/patches/curl-CVE-2024-8096.patch b/gnu/packages/patches/curl-CVE-2024-8096.patch deleted file mode 100644 index 0f780f08c3..0000000000 --- a/gnu/packages/patches/curl-CVE-2024-8096.patch +++ /dev/null 
@@ -1,200 +0,0 @@ -From aeb1a281cab13c7ba791cb104e556b20e713941f Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Tue, 20 Aug 2024 16:14:39 +0200 -Subject: [PATCH] gtls: fix OCSP stapling management - -Reported-by: Hiroki Kurosawa -Closes #14642 ---- - lib/vtls/gtls.c | 146 ++++++++++++++++++++++++------------------------ - 1 file changed, 73 insertions(+), 73 deletions(-) - -diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c -index 03d6fcc038aac3..c7589d9d39bc81 100644 ---- a/lib/vtls/gtls.c -+++ b/lib/vtls/gtls.c -@@ -850,6 +850,13 @@ static CURLcode gtls_client_init(struct Curl_cfilter *cf, - init_flags |= GNUTLS_NO_TICKETS; - #endif - -+#if defined(GNUTLS_NO_STATUS_REQUEST) -+ if(!config->verifystatus) -+ /* Disable the "status_request" TLS extension, enabled by default since -+ GnuTLS 3.8.0. */ -+ init_flags |= GNUTLS_NO_STATUS_REQUEST; -+#endif -+ - rc = gnutls_init(>ls->session, init_flags); - if(rc != GNUTLS_E_SUCCESS) { - failf(data, "gnutls_init() failed: %d", rc); -@@ -1321,104 +1328,97 @@ Curl_gtls_verifyserver(struct Curl_easy *data, - infof(data, " server certificate verification SKIPPED"); - - if(config->verifystatus) { -- if(gnutls_ocsp_status_request_is_checked(session, 0) == 0) { -- gnutls_datum_t status_request; -- gnutls_ocsp_resp_t ocsp_resp; -+ gnutls_datum_t status_request; -+ gnutls_ocsp_resp_t ocsp_resp; -+ gnutls_ocsp_cert_status_t status; -+ gnutls_x509_crl_reason_t reason; - -- gnutls_ocsp_cert_status_t status; -- gnutls_x509_crl_reason_t reason; -+ rc = gnutls_ocsp_status_request_get(session, &status_request); - -- rc = gnutls_ocsp_status_request_get(session, &status_request); -+ if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { -+ failf(data, "No OCSP response received"); -+ return CURLE_SSL_INVALIDCERTSTATUS; -+ } - -- infof(data, " server certificate status verification FAILED"); -+ if(rc < 0) { -+ failf(data, "Invalid OCSP response received"); -+ return CURLE_SSL_INVALIDCERTSTATUS; -+ } - -- if(rc == 
GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { -- failf(data, "No OCSP response received"); -- return CURLE_SSL_INVALIDCERTSTATUS; -- } -+ gnutls_ocsp_resp_init(&ocsp_resp); - -- if(rc < 0) { -- failf(data, "Invalid OCSP response received"); -- return CURLE_SSL_INVALIDCERTSTATUS; -- } -+ rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request); -+ if(rc < 0) { -+ failf(data, "Invalid OCSP response received"); -+ return CURLE_SSL_INVALIDCERTSTATUS; -+ } - -- gnutls_ocsp_resp_init(&ocsp_resp); -+ (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL, -+ &status, NULL, NULL, NULL, &reason); - -- rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request); -- if(rc < 0) { -- failf(data, "Invalid OCSP response received"); -- return CURLE_SSL_INVALIDCERTSTATUS; -- } -+ switch(status) { -+ case GNUTLS_OCSP_CERT_GOOD: -+ break; - -- (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL, -- &status, NULL, NULL, NULL, &reason); -+ case GNUTLS_OCSP_CERT_REVOKED: { -+ const char *crl_reason; - -- switch(status) { -- case GNUTLS_OCSP_CERT_GOOD: -+ switch(reason) { -+ default: -+ case GNUTLS_X509_CRLREASON_UNSPECIFIED: -+ crl_reason = "unspecified reason"; - break; - -- case GNUTLS_OCSP_CERT_REVOKED: { -- const char *crl_reason; -- -- switch(reason) { -- default: -- case GNUTLS_X509_CRLREASON_UNSPECIFIED: -- crl_reason = "unspecified reason"; -- break; -- -- case GNUTLS_X509_CRLREASON_KEYCOMPROMISE: -- crl_reason = "private key compromised"; -- break; -- -- case GNUTLS_X509_CRLREASON_CACOMPROMISE: -- crl_reason = "CA compromised"; -- break; -- -- case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED: -- crl_reason = "affiliation has changed"; -- break; -+ case GNUTLS_X509_CRLREASON_KEYCOMPROMISE: -+ crl_reason = "private key compromised"; -+ break; - -- case GNUTLS_X509_CRLREASON_SUPERSEDED: -- crl_reason = "certificate superseded"; -- break; -+ case GNUTLS_X509_CRLREASON_CACOMPROMISE: -+ crl_reason = "CA compromised"; -+ break; - -- case 
GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION: -- crl_reason = "operation has ceased"; -- break; -+ case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED: -+ crl_reason = "affiliation has changed"; -+ break; - -- case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD: -- crl_reason = "certificate is on hold"; -- break; -+ case GNUTLS_X509_CRLREASON_SUPERSEDED: -+ crl_reason = "certificate superseded"; -+ break; - -- case GNUTLS_X509_CRLREASON_REMOVEFROMCRL: -- crl_reason = "will be removed from delta CRL"; -- break; -+ case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION: -+ crl_reason = "operation has ceased"; -+ break; - -- case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN: -- crl_reason = "privilege withdrawn"; -- break; -+ case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD: -+ crl_reason = "certificate is on hold"; -+ break; - -- case GNUTLS_X509_CRLREASON_AACOMPROMISE: -- crl_reason = "AA compromised"; -- break; -- } -+ case GNUTLS_X509_CRLREASON_REMOVEFROMCRL: -+ crl_reason = "will be removed from delta CRL"; -+ break; - -- failf(data, "Server certificate was revoked: %s", crl_reason); -+ case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN: -+ crl_reason = "privilege withdrawn"; - break; -- } - -- default: -- case GNUTLS_OCSP_CERT_UNKNOWN: -- failf(data, "Server certificate status is unknown"); -+ case GNUTLS_X509_CRLREASON_AACOMPROMISE: -+ crl_reason = "AA compromised"; - break; - } - -- gnutls_ocsp_resp_deinit(ocsp_resp); -+ failf(data, "Server certificate was revoked: %s", crl_reason); -+ break; -+ } - -- return CURLE_SSL_INVALIDCERTSTATUS; -+ default: -+ case GNUTLS_OCSP_CERT_UNKNOWN: -+ failf(data, "Server certificate status is unknown"); -+ break; - } -- else -- infof(data, " server certificate status verification OK"); -+ -+ gnutls_ocsp_resp_deinit(ocsp_resp); -+ if(status != GNUTLS_OCSP_CERT_GOOD) -+ return CURLE_SSL_INVALIDCERTSTATUS; - } - else - infof(data, " server certificate status verification SKIPPED");
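Review bot: the gnu/local.mk hunk de-registers curl-CVE-2024-8096.patch and the final hunk deletes the file, but neither the subject line (which names only CVE-2025-0725) nor the ChangeLog entry says why dropping this backport is safe; add a sentence stating that the upstream commit the patch carries (aeb1a281cab13c7ba791cb104e556b20e713941f, "gtls: fix OCSP stapling management", Closes #14642) is contained in the 8.13.0 release, so a reader of the log can confirm that the OCSP status check in lib/vtls/gtls.c is still enforced without the local patch.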
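Review bot: in the check-phase hunk of gnu/packages/curl.scm, the new `failing-tests` list disables 165, 1448, 2046 and 2047 for "Unknown reason" and 1700, 1701, 1702 and 2402-2405 on a guess about the nginx version; for a package whose subject line advertises a CVE fix, each disabled test should carry an upstream issue or bug reference, or at least a note that the failure was reproduced only in the Guix build environment, so the skips can be revisited instead of silently masking a regression. The same hunk also drops the `(or (system-hurd?) (target-arm32?) (target-aarch64?))` condition, so test 1474 is now excluded on every platform rather than only the ones where it showed "protocol FAIL"; if that is intended, say so in the commit message. Minor style points: the format directive `~{~~~a ~}` leaves a trailing space at the end of TFLAGS (`~{~~~a~^ ~}` avoids it), and `'( 962` has a stray space after the opening paren.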
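Review bot: the last gnu/packages/curl.scm hunk adds libssh2 to `(inputs ...)`, but the ChangeLog entry in the commit message says `[native-inputs]: Add libssh2.`; since libssh2 is linked into libcurl via the new `--with-libssh2` configure flag and is needed at run time, `inputs` is the right field, so the commit message should read `[inputs]: Add libssh2.`.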