[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
branch master updated: gnu: curl: Update to 7.76.0 [security fixes].
From: |
guix-commits |
Subject: |
branch master updated: gnu: curl: Update to 7.76.0 [security fixes]. |
Date: |
Fri, 02 Apr 2021 16:44:53 -0400 |
This is an automated email from the git hooks/post-receive script.
lfam pushed a commit to branch master
in repository guix.
The following commit(s) were added to refs/heads/master by this push:
new f4dc8ac gnu: curl: Update to 7.76.0 [security fixes].
f4dc8ac is described below
commit f4dc8ac6dfa036d98aa0990ae22268a9650899d0
Author: Léo Le Bouter <lle-bout@zaclys.net>
AuthorDate: Fri Apr 2 21:33:02 2021 +0200
gnu: curl: Update to 7.76.0 [security fixes].
Fixes CVE-2021-22876 and CVE-2021-22890.
* gnu/packages/curl.scm (curl/fixed): New variable.
(curl)[replacement]: New field.
* gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
---
gnu/local.mk | 1 +
gnu/packages/curl.scm | 15 +++++
.../patches/curl-7.76-use-ssl-cert-env.patch | 64 ++++++++++++++++++++++
3 files changed, 80 insertions(+)
diff --git a/gnu/local.mk b/gnu/local.mk
index 1a767a6..0d47207 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -920,6 +920,7 @@ dist_patch_DATA =
\
%D%/packages/patches/clucene-contribs-lib.patch \
%D%/packages/patches/cube-nocheck.patch \
%D%/packages/patches/curl-use-ssl-cert-env.patch \
+ %D%/packages/patches/curl-7.76-use-ssl-cert-env.patch \
%D%/packages/patches/cursynth-wave-rand.patch \
%D%/packages/patches/cvs-CVE-2017-12836.patch \
%D%/packages/patches/cyrus-sasl-ac-try-run-fix.patch \
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 7306768..94dc51c 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -62,6 +62,7 @@
(base32
"12w7gskrglg6qrmp822j37fmbr0icrcxv7rib1fy5xiw80n5z7cr"))
(patches (search-patches "curl-use-ssl-cert-env.patch"))))
+ (replacement curl/fixed)
(build-system gnu-build-system)
(outputs '("out"
"doc")) ;1.2 MiB of man3 pages
@@ -151,6 +152,20 @@ tunneling, and so on.")
(name "curl-minimal")
(inputs (alist-delete "openldap" (package-inputs curl))))))
+(define-public curl/fixed
+ (package
+ (inherit curl)
+ (version "7.76.0")
+ (source
+ (origin
+ (inherit (package-source curl))
+ (uri (string-append "https://curl.haxx.se/download/curl-"
+ version ".tar.xz"))
+ (patches (search-patches "curl-7.76-use-ssl-cert-env.patch"))
+ (sha256
+ (base32
+ "1j2g04m6als6hmqzvddv84c31m0x90bfgyz3bjrwdkarbkby40k3"))))))
+
(define-public kurly
(package
(name "kurly")
diff --git a/gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch
b/gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch
new file mode 100644
index 0000000..24be6e3
--- /dev/null
+++ b/gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch
@@ -0,0 +1,64 @@
+Make libcurl respect the SSL_CERT_{DIR,FILE} variables by default. The
variables
+are fetched during initialization to preserve thread-safety
(curl_global_init(3)
+must be called when no other threads exist).
+
+This fixes network functionality in rust:cargo, and probably removes the need
+for other future workarounds.
+===================================================================
+--- curl-7.66.0.orig/lib/easy.c 2020-01-02 15:43:11.883921171 +0100
++++ curl-7.66.0/lib/easy.c 2020-01-02 16:18:54.691882797 +0100
+@@ -134,6 +134,9 @@
+ # pragma warning(default:4232) /* MSVC extension, dllimport identity */
+ #endif
+
++char * Curl_ssl_cert_dir = NULL;
++char * Curl_ssl_cert_file = NULL;
++
+ /**
+ * curl_global_init() globally initializes curl given a bitwise set of the
+ * different features of what to initialize.
+@@ -155,6 +158,9 @@
+ #endif
+ }
+
++ Curl_ssl_cert_dir = curl_getenv("SSL_CERT_DIR");
++ Curl_ssl_cert_file = curl_getenv("SSL_CERT_FILE");
++
+ if(!Curl_ssl_init()) {
+ DEBUGF(fprintf(stderr, "Error: Curl_ssl_init failed\n"));
+ return CURLE_FAILED_INIT;
+@@ -260,6 +266,9 @@
+ Curl_ssl_cleanup();
+ Curl_resolver_global_cleanup();
+
++ free(Curl_ssl_cert_dir);
++ free(Curl_ssl_cert_file);
++
+ #ifdef WIN32
+ Curl_win32_cleanup(init_flags);
+ #endif
+diff -ur curl-7.66.0.orig/lib/url.c curl-7.66.0/lib/url.c
+--- curl-7.66.0.orig/lib/url.c 2020-01-02 15:43:11.883921171 +0100
++++ curl-7.66.0/lib/url.c 2020-01-02 16:21:11.563880346 +0100
+@@ -524,6 +524,21 @@
+ if(result)
+ return result;
+ #endif
++ extern char * Curl_ssl_cert_dir;
++ extern char * Curl_ssl_cert_file;
++ if(Curl_ssl_cert_dir) {
++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH],
Curl_ssl_cert_dir))
++ return result;
++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_PROXY],
Curl_ssl_cert_dir))
++ return result;
++ }
++
++ if(Curl_ssl_cert_file) {
++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE],
Curl_ssl_cert_file))
++ return result;
++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_PROXY],
Curl_ssl_cert_file))
++ return result;
++ }
+ }
+
+ set->wildcard_enabled = FALSE;
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- branch master updated: gnu: curl: Update to 7.76.0 [security fixes].,
guix-commits <=