From bc7713fa8878ab8a2158c8660d9b2bbb8fb2f77e Mon Sep 17 00:00:00 2001 From: John Kehayias Date: Sun, 17 Dec 2023 01:11:32 -0500 Subject: gnu: curl: Update to 8.5.0 [security fixes]. Fixes CVE-2023-46218 and CVE-2023-46219. See and respectively. * gnu/packages/curl.scm (curl): Update to 8.5.0. * gnu/packages/patches/curl-use-ssl-cert-env.patch: Update patch. Change-Id: Iaa6aa5de0f45576dc06bf5eca1eec502e5c83332 --- gnu/packages/curl.scm | 11 +++++++--- gnu/packages/patches/curl-use-ssl-cert-env.patch | 26 ++++++++++++------------ 2 files changed, 21 insertions(+), 16 deletions(-) (limited to 'gnu') diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm index b33f4d36d4..0bf6d996e6 100644 --- a/gnu/packages/curl.scm +++ b/gnu/packages/curl.scm @@ -65,14 +65,14 @@ (define-public curl (package (name "curl") - (version "8.4.0") + (version "8.5.0") (source (origin (method url-fetch) (uri (string-append "https://curl.se/download/curl-" version ".tar.xz")) (sha256 (base32 - "0bd8y8v66biyqvg70ka1sdd0aixs6yzpnvfsig907xzh9af2mihn")) + "1sqfflilf7mcz1g03lazyr6v6pf1rsrzprrknsir10hdwawqvas2")) (patches (search-patches "curl-use-ssl-cert-env.patch")))) (build-system gnu-build-system) (outputs '("out" @@ -127,6 +127,9 @@ (if parallel-tests? (number->string (parallel-job-count)) "1"))) + ;; Ignore test 1477 due to a missing file in the 8.5.0 + ;; release. See + ;; . (arguments `("-C" "tests" "test" ,@make-flags ,(if #$(or (system-hurd?) @@ -134,8 +137,10 @@ (target-aarch64?)) ;; protocol FAIL (string-append "TFLAGS=\"~1474 " + "~1477 " job-count "\"") - (string-append "TFLAGS=" job-count))))) + (string-append "TFLAGS=\"~1477 " + job-count "\""))))) ;; The top-level "make check" does "make -C tests quiet-test", which ;; is too quiet. Use the "test" target instead, which is more ;; verbose. diff --git a/gnu/packages/patches/curl-use-ssl-cert-env.patch b/gnu/packages/patches/curl-use-ssl-cert-env.patch index 24be6e31d9..c39c1f7e98 100644 --- a/gnu/packages/patches/curl-use-ssl-cert-env.patch +++ b/gnu/packages/patches/curl-use-ssl-cert-env.patch @@ -5,37 +5,37 @@ must be called when no other threads exist). This fixes network functionality in rust:cargo, and probably removes the need for other future workarounds. =================================================================== ---- curl-7.66.0.orig/lib/easy.c 2020-01-02 15:43:11.883921171 +0100 -+++ curl-7.66.0/lib/easy.c 2020-01-02 16:18:54.691882797 +0100 -@@ -134,6 +134,9 @@ - # pragma warning(default:4232) /* MSVC extension, dllimport identity */ +--- curl-8.5.0.orig/lib/easy.c 2023-12-17 00:36:32.400468561 -0500 ++++ curl-8.5.0/lib/easy.c 2023-12-17 00:39:08.898612331 -0500 +@@ -137,6 +137,9 @@ + static char *leakpointer; #endif - + +char * Curl_ssl_cert_dir = NULL; +char * Curl_ssl_cert_file = NULL; + /** * curl_global_init() globally initializes curl given a bitwise set of the * different features of what to initialize. -@@ -155,6 +158,9 @@ - #endif +@@ -163,6 +166,9 @@ + goto fail; } - + + Curl_ssl_cert_dir = curl_getenv("SSL_CERT_DIR"); + Curl_ssl_cert_file = curl_getenv("SSL_CERT_FILE"); + if(!Curl_ssl_init()) { DEBUGF(fprintf(stderr, "Error: Curl_ssl_init failed\n")); - return CURLE_FAILED_INIT; -@@ -260,6 +266,9 @@ + goto fail; +@@ -287,6 +293,9 @@ Curl_ssl_cleanup(); Curl_resolver_global_cleanup(); - + + free(Curl_ssl_cert_dir); + free(Curl_ssl_cert_file); + - #ifdef WIN32 - Curl_win32_cleanup(init_flags); + #ifdef _WIN32 + Curl_win32_cleanup(easy_init_flags); #endif diff -ur curl-7.66.0.orig/lib/url.c curl-7.66.0/lib/url.c --- curl-7.66.0.orig/lib/url.c 2020-01-02 15:43:11.883921171 +0100 -- cgit 1.4.1