gnu: curl: Update to 7.76.0 [security fixes].
Fixes CVE-2021-22876 and CVE-2021-22890. * gnu/packages/curl.scm (curl/fixed): New variable. (curl)[replacement]: New field. * gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it.master
parent
591c930337
commit
f4dc8ac6df
|
@ -920,6 +920,7 @@ dist_patch_DATA = \
|
||||||
%D%/packages/patches/clucene-contribs-lib.patch \
|
%D%/packages/patches/clucene-contribs-lib.patch \
|
||||||
%D%/packages/patches/cube-nocheck.patch \
|
%D%/packages/patches/cube-nocheck.patch \
|
||||||
%D%/packages/patches/curl-use-ssl-cert-env.patch \
|
%D%/packages/patches/curl-use-ssl-cert-env.patch \
|
||||||
|
%D%/packages/patches/curl-7.76-use-ssl-cert-env.patch \
|
||||||
%D%/packages/patches/cursynth-wave-rand.patch \
|
%D%/packages/patches/cursynth-wave-rand.patch \
|
||||||
%D%/packages/patches/cvs-CVE-2017-12836.patch \
|
%D%/packages/patches/cvs-CVE-2017-12836.patch \
|
||||||
%D%/packages/patches/cyrus-sasl-ac-try-run-fix.patch \
|
%D%/packages/patches/cyrus-sasl-ac-try-run-fix.patch \
|
||||||
|
|
|
@ -62,6 +62,7 @@
|
||||||
(base32
|
(base32
|
||||||
"12w7gskrglg6qrmp822j37fmbr0icrcxv7rib1fy5xiw80n5z7cr"))
|
"12w7gskrglg6qrmp822j37fmbr0icrcxv7rib1fy5xiw80n5z7cr"))
|
||||||
(patches (search-patches "curl-use-ssl-cert-env.patch"))))
|
(patches (search-patches "curl-use-ssl-cert-env.patch"))))
|
||||||
|
(replacement curl/fixed)
|
||||||
(build-system gnu-build-system)
|
(build-system gnu-build-system)
|
||||||
(outputs '("out"
|
(outputs '("out"
|
||||||
"doc")) ;1.2 MiB of man3 pages
|
"doc")) ;1.2 MiB of man3 pages
|
||||||
|
@ -151,6 +152,20 @@ tunneling, and so on.")
|
||||||
(name "curl-minimal")
|
(name "curl-minimal")
|
||||||
(inputs (alist-delete "openldap" (package-inputs curl))))))
|
(inputs (alist-delete "openldap" (package-inputs curl))))))
|
||||||
|
|
||||||
|
(define-public curl/fixed
|
||||||
|
(package
|
||||||
|
(inherit curl)
|
||||||
|
(version "7.76.0")
|
||||||
|
(source
|
||||||
|
(origin
|
||||||
|
(inherit (package-source curl))
|
||||||
|
(uri (string-append "https://curl.haxx.se/download/curl-"
|
||||||
|
version ".tar.xz"))
|
||||||
|
(patches (search-patches "curl-7.76-use-ssl-cert-env.patch"))
|
||||||
|
(sha256
|
||||||
|
(base32
|
||||||
|
"1j2g04m6als6hmqzvddv84c31m0x90bfgyz3bjrwdkarbkby40k3"))))))
|
||||||
|
|
||||||
(define-public kurly
|
(define-public kurly
|
||||||
(package
|
(package
|
||||||
(name "kurly")
|
(name "kurly")
|
||||||
|
|
|
@ -0,0 +1,64 @@
|
||||||
|
Make libcurl respect the SSL_CERT_{DIR,FILE} variables by default. The variables
|
||||||
|
are fetched during initialization to preserve thread-safety (curl_global_init(3)
|
||||||
|
must be called when no other threads exist).
|
||||||
|
|
||||||
|
This fixes network functionality in rust:cargo, and probably removes the need
|
||||||
|
for other future workarounds.
|
||||||
|
===================================================================
|
||||||
|
--- curl-7.66.0.orig/lib/easy.c 2020-01-02 15:43:11.883921171 +0100
|
||||||
|
+++ curl-7.66.0/lib/easy.c 2020-01-02 16:18:54.691882797 +0100
|
||||||
|
@@ -134,6 +134,9 @@
|
||||||
|
# pragma warning(default:4232) /* MSVC extension, dllimport identity */
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+char * Curl_ssl_cert_dir = NULL;
|
||||||
|
+char * Curl_ssl_cert_file = NULL;
|
||||||
|
+
|
||||||
|
/**
|
||||||
|
* curl_global_init() globally initializes curl given a bitwise set of the
|
||||||
|
* different features of what to initialize.
|
||||||
|
@@ -155,6 +158,9 @@
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
+ Curl_ssl_cert_dir = curl_getenv("SSL_CERT_DIR");
|
||||||
|
+ Curl_ssl_cert_file = curl_getenv("SSL_CERT_FILE");
|
||||||
|
+
|
||||||
|
if(!Curl_ssl_init()) {
|
||||||
|
DEBUGF(fprintf(stderr, "Error: Curl_ssl_init failed\n"));
|
||||||
|
return CURLE_FAILED_INIT;
|
||||||
|
@@ -260,6 +266,9 @@
|
||||||
|
Curl_ssl_cleanup();
|
||||||
|
Curl_resolver_global_cleanup();
|
||||||
|
|
||||||
|
+ free(Curl_ssl_cert_dir);
|
||||||
|
+ free(Curl_ssl_cert_file);
|
||||||
|
+
|
||||||
|
#ifdef WIN32
|
||||||
|
Curl_win32_cleanup(init_flags);
|
||||||
|
#endif
|
||||||
|
diff -ur curl-7.66.0.orig/lib/url.c curl-7.66.0/lib/url.c
|
||||||
|
--- curl-7.66.0.orig/lib/url.c 2020-01-02 15:43:11.883921171 +0100
|
||||||
|
+++ curl-7.66.0/lib/url.c 2020-01-02 16:21:11.563880346 +0100
|
||||||
|
@@ -524,6 +524,21 @@
|
||||||
|
if(result)
|
||||||
|
return result;
|
||||||
|
#endif
|
||||||
|
+ extern char * Curl_ssl_cert_dir;
|
||||||
|
+ extern char * Curl_ssl_cert_file;
|
||||||
|
+ if(Curl_ssl_cert_dir) {
|
||||||
|
+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], Curl_ssl_cert_dir))
|
||||||
|
+ return result;
|
||||||
|
+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_PROXY], Curl_ssl_cert_dir))
|
||||||
|
+ return result;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if(Curl_ssl_cert_file) {
|
||||||
|
+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], Curl_ssl_cert_file))
|
||||||
|
+ return result;
|
||||||
|
+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_PROXY], Curl_ssl_cert_file))
|
||||||
|
+ return result;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
set->wildcard_enabled = FALSE;
|
Reference in New Issue