Fixes CVE-2021-22876 and CVE-2021-22890. * gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch: New patch. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/curl.scm (curl/fixed): New variable. Apply patch. (curl)[replacement]: Graft. --- gnu/local.mk | 1 + gnu/packages/curl.scm | 15 +++++ .../patches/curl-7.76-use-ssl-cert-env.patch | 64 +++++++++++++++++++ 3 files changed, 80 insertions(+) create mode 100644 gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch
diff --git a/gnu/local.mk b/gnu/local.mk index 1a767a6c89..0d472072ae 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -920,6 +920,7 @@ dist_patch_DATA = \ %D%/packages/patches/clucene-contribs-lib.patch \ %D%/packages/patches/cube-nocheck.patch \ %D%/packages/patches/curl-use-ssl-cert-env.patch \ + %D%/packages/patches/curl-7.76-use-ssl-cert-env.patch \ %D%/packages/patches/cursynth-wave-rand.patch \ %D%/packages/patches/cvs-CVE-2017-12836.patch \ %D%/packages/patches/cyrus-sasl-ac-try-run-fix.patch \ diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm index 730676875c..94dc51cfc5 100644 --- a/gnu/packages/curl.scm +++ b/gnu/packages/curl.scm @@ -62,6 +62,7 @@ (base32 "12w7gskrglg6qrmp822j37fmbr0icrcxv7rib1fy5xiw80n5z7cr")) (patches (search-patches "curl-use-ssl-cert-env.patch")))) + (replacement curl/fixed) (build-system gnu-build-system) (outputs '("out" "doc")) ;1.2 MiB of man3 pages @@ -151,6 +152,20 @@ tunneling, and so on.") (name "curl-minimal") (inputs (alist-delete "openldap" (package-inputs curl)))))) +(define-public curl/fixed + (package + (inherit curl) + (version "7.76.0") + (source + (origin + (inherit (package-source curl)) + (uri (string-append "https://curl.haxx.se/download/curl-" + version ".tar.xz")) + (patches (search-patches "curl-7.76-use-ssl-cert-env.patch")) + (sha256 + (base32 + "1j2g04m6als6hmqzvddv84c31m0x90bfgyz3bjrwdkarbkby40k3")))))) + (define-public kurly (package (name "kurly") diff --git a/gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch b/gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch new file mode 100644 index 0000000000..24be6e31d9 --- /dev/null +++ b/gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch @@ -0,0 +1,64 @@ +Make libcurl respect the SSL_CERT_{DIR,FILE} variables by default. The variables +are fetched during initialization to preserve thread-safety (curl_global_init(3) +must be called when no other threads exist). + +This fixes network functionality in rust:cargo, and probably removes the need +for other future workarounds. +=================================================================== +--- curl-7.66.0.orig/lib/easy.c 2020-01-02 15:43:11.883921171 +0100 ++++ curl-7.66.0/lib/easy.c 2020-01-02 16:18:54.691882797 +0100 +@@ -134,6 +134,9 @@ + # pragma warning(default:4232) /* MSVC extension, dllimport identity */ + #endif + ++char * Curl_ssl_cert_dir = NULL; ++char * Curl_ssl_cert_file = NULL; ++ + /** + * curl_global_init() globally initializes curl given a bitwise set of the + * different features of what to initialize. +@@ -155,6 +158,9 @@ + #endif + } + ++ Curl_ssl_cert_dir = curl_getenv("SSL_CERT_DIR"); ++ Curl_ssl_cert_file = curl_getenv("SSL_CERT_FILE"); ++ + if(!Curl_ssl_init()) { + DEBUGF(fprintf(stderr, "Error: Curl_ssl_init failed\n")); + return CURLE_FAILED_INIT; +@@ -260,6 +266,9 @@ + Curl_ssl_cleanup(); + Curl_resolver_global_cleanup(); + ++ free(Curl_ssl_cert_dir); ++ free(Curl_ssl_cert_file); ++ + #ifdef WIN32 + Curl_win32_cleanup(init_flags); + #endif +diff -ur curl-7.66.0.orig/lib/url.c curl-7.66.0/lib/url.c +--- curl-7.66.0.orig/lib/url.c 2020-01-02 15:43:11.883921171 +0100 ++++ curl-7.66.0/lib/url.c 2020-01-02 16:21:11.563880346 +0100 +@@ -524,6 +524,21 @@ + if(result) + return result; + #endif ++ extern char * Curl_ssl_cert_dir; ++ extern char * Curl_ssl_cert_file; ++ if(Curl_ssl_cert_dir) { ++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], Curl_ssl_cert_dir)) ++ return result; ++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_PROXY], Curl_ssl_cert_dir)) ++ return result; ++ } ++ ++ if(Curl_ssl_cert_file) { ++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], Curl_ssl_cert_file)) ++ return result; ++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_PROXY], Curl_ssl_cert_file)) ++ return result; ++ } + } + + set->wildcard_enabled = FALSE; -- 2.31.1