#47563 curl is vulnerable to CVE-2021-22890 and CVE-2021-22876

Message #28 received at 47563@debbugs.gnu.org (full text, mbox, reply):

Received: (at 47563) by debbugs.gnu.org; 2 Apr 2021 19:24:21 +0000
From debbugs-submit-bounces@debbugs.gnu.org Fri Apr 02 15:24:21 2021
Received: from localhost ([127.0.0.1]:32865 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1lSPP2-0001Mm-Mk
	for submit@debbugs.gnu.org; Fri, 02 Apr 2021 15:24:21 -0400
Received: from mail.zaclys.net ([178.33.93.72]:42383)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <lle-bout@zaclys.net>) id 1lSPP0-0001MV-GZ
 for 47563@debbugs.gnu.org; Fri, 02 Apr 2021 15:24:19 -0400
Received: from localhost.localdomain (lsl43-1_migr-78-195-19-20.fbx.proxad.net
 [78.195.19.20] (may be forged)) (authenticated bits=0)
 by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 132JOBrF005560
 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO);
 Fri, 2 Apr 2021 21:24:11 +0200
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 132JOBrF005560
Authentication-Results: mail.zaclys.net;
 dmarc=fail (p=reject dis=none) header.from=zaclys.net
Authentication-Results: mail.zaclys.net;
 spf=fail smtp.mailfrom=lle-bout@zaclys.net
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zaclys.net;
 s=default; t=1617391452;
 bh=+eV/yYXsdDsAY2TqsnKJlV3+69gMcFgbnnM4cJ8vyi8=;
 h=From:To:Cc:Subject:Date:From;
 b=P0lvHiEAxIhF13Kmqzh4vDiGSpdXrRapo+z3yzjuot8H9xId413Ep69eAft90aWbe
 PJevZDNptxpdukkpKNqlRKr6NbzzKvAUZkhwllN2kCGl9qebyDzuCtamquX6Z20Uc6
 a+Hduz/xZ7s7QfmjdR6ogmoM4YMe23lbjG8j7r3U=
From: Léo Le Bouter <lle-bout@zaclys.net>
To: 47563@debbugs.gnu.org
Subject: [PATCH] gnu: curl: Update to 7.76.0 [security fixes].
Date: Fri,  2 Apr 2021 21:24:09 +0200
Message-Id: <20210402192409.22018-1-lle-bout@zaclys.net>
X-Mailer: git-send-email 2.31.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 47563
Cc: Léo Le Bouter <lle-bout@zaclys.net>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Fixes CVE-2021-22876 and CVE-2021-22890.

* gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/curl.scm (curl/fixed): New variable. Apply patch.
(curl)[replacement]: Graft.
---
 gnu/local.mk                                  |  1 +
 gnu/packages/curl.scm                         | 14 ++++
 .../patches/curl-7.76-use-ssl-cert-env.patch  | 64 +++++++++++++++++++
 3 files changed, 79 insertions(+)
 create mode 100644 gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 1a767a6c89..0d472072ae 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -920,6 +920,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/clucene-contribs-lib.patch               \
   %D%/packages/patches/cube-nocheck.patch			\
   %D%/packages/patches/curl-use-ssl-cert-env.patch		\
+  %D%/packages/patches/curl-7.76-use-ssl-cert-env.patch	\
   %D%/packages/patches/cursynth-wave-rand.patch			\
   %D%/packages/patches/cvs-CVE-2017-12836.patch		\
   %D%/packages/patches/cyrus-sasl-ac-try-run-fix.patch		\
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 730676875c..5608d556e7 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -62,6 +62,7 @@
               (base32
                "12w7gskrglg6qrmp822j37fmbr0icrcxv7rib1fy5xiw80n5z7cr"))
              (patches (search-patches "curl-use-ssl-cert-env.patch"))))
+   (replacement curl/fixed)
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"))                             ;1.2 MiB of man3 pages
@@ -151,6 +152,19 @@ tunneling, and so on.")
     (name "curl-minimal")
     (inputs (alist-delete "openldap" (package-inputs curl))))))
 
+(define-public curl/fixed
+  (package
+    (inherit curl)
+    (version "7.76.0")
+    (source
+     (origin
+       (inherit (package-source curl))
+       (uri (string-append "https://curl.haxx.se/download/curl-"
+                           version ".tar.xz"))
+       (sha256
+        (base32
+         "1j2g04m6als6hmqzvddv84c31m0x90bfgyz3bjrwdkarbkby40k3"))))))
+
 (define-public kurly
   (package
     (name "kurly")
diff --git a/gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch b/gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch
new file mode 100644
index 0000000000..24be6e31d9
--- /dev/null
+++ b/gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch
@@ -0,0 +1,64 @@
+Make libcurl respect the SSL_CERT_{DIR,FILE} variables by default. The variables
+are fetched during initialization to preserve thread-safety (curl_global_init(3)
+must be called when no other threads exist).
+
+This fixes network functionality in rust:cargo, and probably removes the need
+for other future workarounds.
+===================================================================
+--- curl-7.66.0.orig/lib/easy.c	2020-01-02 15:43:11.883921171 +0100
++++ curl-7.66.0/lib/easy.c	2020-01-02 16:18:54.691882797 +0100
+@@ -134,6 +134,9 @@
+ #  pragma warning(default:4232) /* MSVC extension, dllimport identity */
+ #endif
+ 
++char * Curl_ssl_cert_dir = NULL;
++char * Curl_ssl_cert_file = NULL;
++
+ /**
+  * curl_global_init() globally initializes curl given a bitwise set of the
+  * different features of what to initialize.
+@@ -155,6 +158,9 @@
+ #endif
+   }
+ 
++  Curl_ssl_cert_dir = curl_getenv("SSL_CERT_DIR");
++  Curl_ssl_cert_file = curl_getenv("SSL_CERT_FILE");
++
+   if(!Curl_ssl_init()) {
+     DEBUGF(fprintf(stderr, "Error: Curl_ssl_init failed\n"));
+     return CURLE_FAILED_INIT;
+@@ -260,6 +266,9 @@
+   Curl_ssl_cleanup();
+   Curl_resolver_global_cleanup();
+ 
++  free(Curl_ssl_cert_dir);
++  free(Curl_ssl_cert_file);
++
+ #ifdef WIN32
+   Curl_win32_cleanup(init_flags);
+ #endif
+diff -ur curl-7.66.0.orig/lib/url.c curl-7.66.0/lib/url.c
+--- curl-7.66.0.orig/lib/url.c	2020-01-02 15:43:11.883921171 +0100
++++ curl-7.66.0/lib/url.c	2020-01-02 16:21:11.563880346 +0100
+@@ -524,6 +524,21 @@
+     if(result)
+       return result;
+ #endif
++    extern char * Curl_ssl_cert_dir;
++    extern char * Curl_ssl_cert_file;
++    if(Curl_ssl_cert_dir) {
++        if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], Curl_ssl_cert_dir))
++            return result;
++        if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_PROXY], Curl_ssl_cert_dir))
++            return result;
++    }
++
++    if(Curl_ssl_cert_file) {
++        if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], Curl_ssl_cert_file))
++            return result;
++        if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_PROXY], Curl_ssl_cert_file))
++            return result;
++    }
+   }
+ 
+   set->wildcard_enabled = FALSE;
-- 
2.31.1

Send a report that this bug log contains spam.