* [hardknott][PATCH] curl: remove metalink [not found] <16AF14C3714F85BD.30006@lists.openembedded.org> @ 2021-10-26 6:36 ` mingli.yu 2021-10-27 1:22 ` [OE-core] " Mittal, Anuj 0 siblings, 1 reply; 3+ messages in thread From: mingli.yu @ 2021-10-26 6:36 UTC (permalink / raw) To: openembedded-core From: Mingli Yu <mingli.yu@windriver.com> Backport patch to remove metalink [1] to fix below CVEs: - CVE-2021-22922 [2] - CVE-2021-22923 [3] [1] https://github.com/curl/curl/commit/265b14d6b37c4298bd5556fabcbc37d36f911693 [2] https://curl.se/docs/CVE-2021-22922.html [3] https://curl.se/docs/CVE-2021-22923.html Signed-off-by: Mingli Yu <mingli.yu@windriver.com> --- .../curl/curl/0001-metalink-remove.patch | 194 ++++++++++++++++++ meta/recipes-support/curl/curl_7.75.0.bb | 2 +- 2 files changed, 195 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-support/curl/curl/0001-metalink-remove.patch diff --git a/meta/recipes-support/curl/curl/0001-metalink-remove.patch b/meta/recipes-support/curl/curl/0001-metalink-remove.patch new file mode 100644 index 0000000000..a76e720215 --- /dev/null +++ b/meta/recipes-support/curl/curl/0001-metalink-remove.patch 
@@ -0,0 +1,194 @@ +From ef339d19b688e0d4c9b6ff2bd5b5cd54af9e1dbf Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Tue, 26 Oct 2021 11:10:31 +0800 +Subject: [PATCH] metalink: remove + +Warning: this will make existing curl command lines that use metalink to +stop working. + +Reasons for removal: + +1. We've found several security problems and issues involving the + metalink support in curl. The issues are not detailed here. When + working on those, it become apparent to the team that several of the + problems are due to the system design, metalink library API and what + the metalink RFC says. They are very hard to fix on the curl side + only. + +2. The metalink usage with curl was only very briefly documented and was + not following the "normal" curl usage pattern in several ways, making + it surprising and non-intuitive which could lead to further security + issues. + +3. The metalink library was last updated 6 years ago and wasn't so + active the years before that either. An unmaintained library means + there's a security problem waiting to happen. This is probably reason + enough. + +4. Metalink requires an XML parsing library, which is complex code (even + the smaller alternatives) and to this day often gets security + updates. + +5. Metalink is not a widely used curl feature. In the 2020 curl user + survey, only 1.4% of the responders said that they'd are using it. In + 2021 that number was 1.2%. Searching the web also show very few + traces of it being used, even with other tools. + +6. The torrent format and associated technology clearly won for + downloading large files from multiple sources in parallel. 
+ +Cloes #7176 + +CVE: CVE-2021-22922 CVE-2021-22923 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/265b14d6b37c4298bd5556fabcbc37d36f911693] + +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + configure.ac | 96 ++----------------------------------------------- + src/Makefile.am | 9 ++--- + 2 files changed, 5 insertions(+), 100 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 816f044..715fe26 100755 +--- a/configure.ac ++++ b/configure.ac +@@ -162,7 +162,6 @@ curl_verbose_msg="enabled (--disable-verbose)" + curl_ldaps_msg="no (--enable-ldaps)" + curl_rtsp_msg="no (--enable-rtsp)" + curl_rtmp_msg="no (--with-librtmp)" +- curl_mtlnk_msg="no (--with-libmetalink)" + curl_psl_msg="no (--with-libpsl)" + curl_altsvc_msg="enabled"; + ssl_backends= +@@ -2895,99 +2894,8 @@ if test $with_libpsl != "no"; then + fi + AM_CONDITIONAL([USE_LIBPSL], [test "$curl_psl_msg" = "enabled"]) + +-dnl ********************************************************************** +-dnl Check for libmetalink +-dnl ********************************************************************** +- +-OPT_LIBMETALINK=no +- +-AC_ARG_WITH(libmetalink,dnl +-AC_HELP_STRING([--with-libmetalink=PATH],[where to look for libmetalink, PATH points to the installation root]) +-AC_HELP_STRING([--without-libmetalink], [disable libmetalink detection]), +- OPT_LIBMETALINK=$withval) +- +-if test X"$OPT_LIBMETALINK" != Xno; then +- +- addld="" +- addlib="" +- addcflags="" +- version="" +- libmetalinklib="" +- +- PKGTEST="no" +- if test "x$OPT_LIBMETALINK" = "xyes"; then +- dnl this is with no partiular path given +- PKGTEST="yes" +- CURL_CHECK_PKGCONFIG(libmetalink) +- else +- dnl When particular path is given, set PKG_CONFIG_LIBDIR using the path. 
+- LIBMETALINK_PCDIR="$OPT_LIBMETALINK/lib/pkgconfig" +- AC_MSG_NOTICE([PKG_CONFIG_LIBDIR will be set to "$LIBMETALINK_PCDIR"]) +- if test -f "$LIBMETALINK_PCDIR/libmetalink.pc"; then +- PKGTEST="yes" +- fi +- if test "$PKGTEST" = "yes"; then +- CURL_CHECK_PKGCONFIG(libmetalink, [$LIBMETALINK_PCDIR]) +- fi +- fi +- if test "$PKGTEST" = "yes" && test "$PKGCONFIG" != "no"; then +- addlib=`CURL_EXPORT_PCDIR([$LIBMETALINK_PCDIR]) dnl +- $PKGCONFIG --libs-only-l libmetalink` +- addld=`CURL_EXPORT_PCDIR([$LIBMETALINK_PCDIR]) dnl +- $PKGCONFIG --libs-only-L libmetalink` +- addcflags=`CURL_EXPORT_PCDIR([$LIBMETALINK_PCDIR]) dnl +- $PKGCONFIG --cflags-only-I libmetalink` +- version=`CURL_EXPORT_PCDIR([$LIBMETALINK_PCDIR]) dnl +- $PKGCONFIG --modversion libmetalink` +- libmetalinklib=`echo $addld | $SED -e 's/^-L//'` +- fi +- if test -n "$addlib"; then +- +- clean_CPPFLAGS="$CPPFLAGS" +- clean_LDFLAGS="$LDFLAGS" +- clean_LIBS="$LIBS" +- CPPFLAGS="$clean_CPPFLAGS $addcflags" +- LDFLAGS="$clean_LDFLAGS $addld" +- LIBS="$addlib $clean_LIBS" +- AC_MSG_CHECKING([if libmetalink is recent enough]) +- AC_LINK_IFELSE([ +- AC_LANG_PROGRAM([[ +-# include <metalink/metalink.h> +- ]],[[ +- if(0 != metalink_strerror(0)) /* added in 0.1.0 */ +- return 1; +- ]]) +- ],[ +- AC_MSG_RESULT([yes ($version)]) +- want_metalink="yes" +- ],[ +- AC_MSG_RESULT([no ($version)]) +- AC_MSG_NOTICE([libmetalink library defective or too old]) +- want_metalink="no" +- ]) +- if test "x$OPENSSL_ENABLED" != "x1" -a "x$USE_WINDOWS_SSPI" != "x1" \ +- -a "x$GNUTLS_ENABLED" != "x1" -a "x$NSS_ENABLED" != "x1" \ +- -a "x$SECURETRANSPORT_ENABLED" != "x1"; then +- AC_MSG_WARN([metalink support requires a compatible SSL/TLS backend]) +- want_metalink="no" +- fi +- CPPFLAGS="$clean_CPPFLAGS" +- LDFLAGS="$clean_LDFLAGS" +- LIBS="$clean_LIBS" +- if test "$want_metalink" = "yes"; then +- dnl finally libmetalink will be used +- AC_DEFINE(USE_METALINK, 1, [Define to enable metalink support]) +- LIBMETALINK_LIBS=$addlib +- 
LIBMETALINK_LDFLAGS=$addld +- LIBMETALINK_CPPFLAGS=$addcflags +- AC_SUBST([LIBMETALINK_LIBS]) +- AC_SUBST([LIBMETALINK_LDFLAGS]) +- AC_SUBST([LIBMETALINK_CPPFLAGS]) +- curl_mtlnk_msg="enabled" +- fi +- +- fi +-fi ++AC_ARG_WITH(libmetalink,, ++ AC_MSG_ERROR([--with-libmetalink no longer works!])) + + dnl ********************************************************************** + dnl Check for the presence of LIBSSH2 libraries and headers +diff --git a/src/Makefile.am b/src/Makefile.am +index dff248f..6b7547f 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -61,18 +61,15 @@ CFLAGS += @CURL_CFLAG_EXTRAS@ + LIBS = $(BLANK_AT_MAKETIME) + + if USE_EXPLICIT_LIB_DEPS +-curl_LDADD = $(top_builddir)/lib/libcurl.la @LIBMETALINK_LIBS@ @LIBCURL_LIBS@ ++curl_LDADD = $(top_builddir)/lib/libcurl.la @LIBCURL_LIBS@ + else +-curl_LDADD = $(top_builddir)/lib/libcurl.la @LIBMETALINK_LIBS@ @NSS_LIBS@ @SSL_LIBS@ @ZLIB_LIBS@ @CURL_NETWORK_AND_TIME_LIBS@ ++curl_LDADD = $(top_builddir)/lib/libcurl.la @NSS_LIBS@ @SSL_LIBS@ @ZLIB_LIBS@ @CURL_NETWORK_AND_TIME_LIBS@ + endif + +-curl_LDFLAGS = @LIBMETALINK_LDFLAGS@ +-curl_CPPFLAGS = $(AM_CPPFLAGS) $(LIBMETALINK_CPPFLAGS) +- + # if unit tests are enabled, build a static library to link them with + if BUILD_UNITTESTS + noinst_LTLIBRARIES = libcurltool.la +-libcurltool_la_CPPFLAGS = $(LIBMETALINK_CPPFLAGS) $(AM_CPPFLAGS) \ ++libcurltool_la_CPPFLAGS = $(AM_CPPFLAGS) \ + -DCURL_STATICLIB -DUNITTESTS + libcurltool_la_CFLAGS = + libcurltool_la_LDFLAGS = -static $(LINKFLAGS) +-- +2.17.1 + diff --git a/meta/recipes-support/curl/curl_7.75.0.bb b/meta/recipes-support/curl/curl_7.75.0.bb index d9818b6f07..10e44f2709 100644 --- a/meta/recipes-support/curl/curl_7.75.0.bb +++ b/meta/recipes-support/curl/curl_7.75.0.bb 
@@ -24,6 +24,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ file://CVE-2021-22945.patch \ file://CVE-2021-22946.patch \ file://CVE-2021-22947.patch \ + file://0001-metalink-remove.patch \ " SRC_URI[sha256sum] = "50552d4501c178e4cc68baaecc487f466a3d6d19bbf4e50a01869effb316d026" @@ -73,7 +74,6 @@ EXTRA_OECONF = " \ --disable-ntlm-wb \ --enable-crypto-auth \ --with-ca-bundle=${sysconfdir}/ssl/certs/ca-certificates.crt \ - --without-libmetalink \ --without-libpsl \ --enable-debug \ --enable-optimize \ -- 2.17.1
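Review bot: the commit message inside 0001-metalink-remove.patch carries the typo `+Cloes #7176` (read `Closes #7176`), and its subject `metalink: remove` promises more than the two-file diffstat (`configure.ac | 96`, `src/Makefile.am | 9`, `2 files changed, 5 insertions(+), 100 deletions(-)`) delivers: this backport removes the configure option and the link glue, it does not delete the metalink source files, which stay in the tree and are compiled out only because `USE_METALINK` is never defined any more. State that in the message so a later reader does not assume the whole upstream deletion was carried over.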
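Review bot: in the configure.ac hunk `@@ -2895,99 +2894,8 @@` the replacement `++AC_ARG_WITH(libmetalink,,` / `++ AC_MSG_ERROR([--with-libmetalink no longer works!]))` puts the error in AC_ARG_WITH's action-if-given slot, and autoconf runs that slot for `--without-libmetalink` (withval=no) just as it does for `--with-libmetalink`. So the `- --without-libmetalink \` removal in curl_7.75.0.bb is required for the recipe to configure at all, not a cleanup, and any bbappend or distro configuration on hardknott that still passes `--without-libmetalink` will now abort with that message. Worth a sentence in the recipe commit message; the error text could also name both forms of the option to match what actually triggers it.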
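Review bot: in the SRC_URI hunk `@@ -24,6 +24,7 @@`, `+ file://0001-metalink-remove.patch \` sits next to `CVE-2021-22945.patch`, `CVE-2021-22946.patch` and `CVE-2021-22947.patch` without following their CVE- naming. The `CVE: CVE-2021-22922 CVE-2021-22923` tag inside the patch is what cve-check reads, so this is a consistency point only; either rename the file to the CVE-... pattern of its neighbours or keep the upstream name, but pick one convention for the directory.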
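Review bot: in the EXTRA_OECONF hunk `@@ -73,7 +74,6 @@`, dropping `- --without-libmetalink \` leaves the recipe with no trace of why the metalink position vanished. The removal is correct, since after the configure.ac change passing either form of the option aborts configure, but a one-line comment in the recipe or the commit message would stop the next maintainer from re-adding the flag and hitting `--with-libmetalink no longer works!`.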
* Re: [OE-core] [hardknott][PATCH] curl: remove metalink 2021-10-26 6:36 ` [hardknott][PATCH] curl: remove metalink mingli.yu @ 2021-10-27 1:22 ` Mittal, Anuj 2021-11-29 8:35 ` Yu, Mingli 0 siblings, 1 reply; 3+ messages in thread From: Mittal, Anuj @ 2021-10-27 1:22 UTC (permalink / raw) To: openembedded-core, mingli.yu It looks like we build without metalink anyway ... so is this CVE applicable to us? Thanks, Anuj On Tue, 2021-10-26 at 14:36 +0800, Yu, Mingli wrote: > From: Mingli Yu <mingli.yu@windriver.com> > > Backport patch to remove metalink [1] to fix below CVEs: > - CVE-2021-22922 [2] > - CVE-2021-22923 [3] > > [1] > https://github.com/curl/curl/commit/265b14d6b37c4298bd5556fabcbc37d36f911693 > [2] https://curl.se/docs/CVE-2021-22922.html > [3] https://curl.se/docs/CVE-2021-22923.html > > Signed-off-by: Mingli Yu <mingli.yu@windriver.com> > --- > .../curl/curl/0001-metalink-remove.patch | 194 > ++++++++++++++++++ > meta/recipes-support/curl/curl_7.75.0.bb | 2 +- > 2 files changed, 195 insertions(+), 1 deletion(-) > create mode 100644 meta/recipes-support/curl/curl/0001-metalink- > remove.patch > > diff --git a/meta/recipes-support/curl/curl/0001-metalink- > remove.patch b/meta/recipes-support/curl/curl/0001-metalink- > remove.patch > new file mode 100644 > index 0000000000..a76e720215 > --- /dev/null > +++ b/meta/recipes-support/curl/curl/0001-metalink-remove.patch 
> @@ -0,0 +1,194 @@ > +From ef339d19b688e0d4c9b6ff2bd5b5cd54af9e1dbf Mon Sep 17 00:00:00 > 2001 > +From: Daniel Stenberg <daniel@haxx.se> > +Date: Tue, 26 Oct 2021 11:10:31 +0800 > +Subject: [PATCH] metalink: remove > + > +Warning: this will make existing curl command lines that use > metalink to > +stop working. > + > +Reasons for removal: > + > +1. We've found several security problems and issues involving the > + metalink support in curl. The issues are not detailed here. When > + working on those, it become apparent to the team that several of > the > + problems are due to the system design, metalink library API and > what > + the metalink RFC says. They are very hard to fix on the curl side > + only. > + > +2. The metalink usage with curl was only very briefly documented and > was > + not following the "normal" curl usage pattern in several ways, > making > + it surprising and non-intuitive which could lead to further > security > + issues. > + > +3. The metalink library was last updated 6 years ago and wasn't so > + active the years before that either. An unmaintained library > means > + there's a security problem waiting to happen. This is probably > reason > + enough. > + > +4. Metalink requires an XML parsing library, which is complex code > (even > + the smaller alternatives) and to this day often gets security > + updates. > + > +5. Metalink is not a widely used curl feature. In the 2020 curl user > + survey, only 1.4% of the responders said that they'd are using > it. In > + 2021 that number was 1.2%. Searching the web also show very few > + traces of it being used, even with other tools. > + > +6. The torrent format and associated technology clearly won for > + downloading large files from multiple sources in parallel. 
> + > +Cloes #7176 > + > +CVE: CVE-2021-22922 CVE-2021-22923 > + > +Upstream-Status: Backport > [https://github.com/curl/curl/commit/265b14d6b37c4298bd5556fabcbc37d36f911693 > ] > + > +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> > +--- > + configure.ac | 96 ++-------------------------------------------- > --- > + src/Makefile.am | 9 ++--- > + 2 files changed, 5 insertions(+), 100 deletions(-) > + > +diff --git a/configure.ac b/configure.ac > +index 816f044..715fe26 100755 > +--- a/configure.ac > ++++ b/configure.ac > +@@ -162,7 +162,6 @@ curl_verbose_msg="enabled (--disable-verbose)" > + curl_ldaps_msg="no (--enable-ldaps)" > + curl_rtsp_msg="no (--enable-rtsp)" > + curl_rtmp_msg="no (--with-librtmp)" > +- curl_mtlnk_msg="no (--with-libmetalink)" > + curl_psl_msg="no (--with-libpsl)" > + curl_altsvc_msg="enabled"; > + ssl_backends= > +@@ -2895,99 +2894,8 @@ if test $with_libpsl != "no"; then > + fi > + AM_CONDITIONAL([USE_LIBPSL], [test "$curl_psl_msg" = "enabled"]) > + > +-dnl > ********************************************************************* > * > +-dnl Check for libmetalink > +-dnl > ********************************************************************* > * > +- > +-OPT_LIBMETALINK=no > +- > +-AC_ARG_WITH(libmetalink,dnl > +-AC_HELP_STRING([--with-libmetalink=PATH],[where to look for > libmetalink, PATH points to the installation root]) > +-AC_HELP_STRING([--without-libmetalink], [disable libmetalink > detection]), > +- OPT_LIBMETALINK=$withval) > +- > +-if test X"$OPT_LIBMETALINK" != Xno; then > +- > +- addld="" > +- addlib="" > +- addcflags="" > +- version="" > +- libmetalinklib="" > +- > +- PKGTEST="no" > +- if test "x$OPT_LIBMETALINK" = "xyes"; then > +- dnl this is with no partiular path given > +- PKGTEST="yes" > +- CURL_CHECK_PKGCONFIG(libmetalink) > +- else > +- dnl When particular path is given, set PKG_CONFIG_LIBDIR using > the path. 
> +- LIBMETALINK_PCDIR="$OPT_LIBMETALINK/lib/pkgconfig" > +- AC_MSG_NOTICE([PKG_CONFIG_LIBDIR will be set to > "$LIBMETALINK_PCDIR"]) > +- if test -f "$LIBMETALINK_PCDIR/libmetalink.pc"; then > +- PKGTEST="yes" > +- fi > +- if test "$PKGTEST" = "yes"; then > +- CURL_CHECK_PKGCONFIG(libmetalink, [$LIBMETALINK_PCDIR]) > +- fi > +- fi > +- if test "$PKGTEST" = "yes" && test "$PKGCONFIG" != "no"; then > +- addlib=`CURL_EXPORT_PCDIR([$LIBMETALINK_PCDIR]) dnl > +- $PKGCONFIG --libs-only-l libmetalink` > +- addld=`CURL_EXPORT_PCDIR([$LIBMETALINK_PCDIR]) dnl > +- $PKGCONFIG --libs-only-L libmetalink` > +- addcflags=`CURL_EXPORT_PCDIR([$LIBMETALINK_PCDIR]) dnl > +- $PKGCONFIG --cflags-only-I libmetalink` > +- version=`CURL_EXPORT_PCDIR([$LIBMETALINK_PCDIR]) dnl > +- $PKGCONFIG --modversion libmetalink` > +- libmetalinklib=`echo $addld | $SED -e 's/^-L//'` > +- fi > +- if test -n "$addlib"; then > +- > +- clean_CPPFLAGS="$CPPFLAGS" > +- clean_LDFLAGS="$LDFLAGS" > +- clean_LIBS="$LIBS" > +- CPPFLAGS="$clean_CPPFLAGS $addcflags" > +- LDFLAGS="$clean_LDFLAGS $addld" > +- LIBS="$addlib $clean_LIBS" > +- AC_MSG_CHECKING([if libmetalink is recent enough]) > +- AC_LINK_IFELSE([ > +- AC_LANG_PROGRAM([[ > +-# include <metalink/metalink.h> > +- ]],[[ > +- if(0 != metalink_strerror(0)) /* added in 0.1.0 */ > +- return 1; > +- ]]) > +- ],[ > +- AC_MSG_RESULT([yes ($version)]) > +- want_metalink="yes" > +- ],[ > +- AC_MSG_RESULT([no ($version)]) > +- AC_MSG_NOTICE([libmetalink library defective or too old]) > +- want_metalink="no" > +- ]) > +- if test "x$OPENSSL_ENABLED" != "x1" -a "x$USE_WINDOWS_SSPI" != > "x1" \ > +- -a "x$GNUTLS_ENABLED" != "x1" -a "x$NSS_ENABLED" != "x1" \ > +- -a "x$SECURETRANSPORT_ENABLED" != "x1"; then > +- AC_MSG_WARN([metalink support requires a compatible SSL/TLS > backend]) > +- want_metalink="no" > +- fi > +- CPPFLAGS="$clean_CPPFLAGS" > +- LDFLAGS="$clean_LDFLAGS" > +- LIBS="$clean_LIBS" > +- if test "$want_metalink" = "yes"; then > +- dnl finally 
libmetalink will be used > +- AC_DEFINE(USE_METALINK, 1, [Define to enable metalink > support]) > +- LIBMETALINK_LIBS=$addlib > +- LIBMETALINK_LDFLAGS=$addld > +- LIBMETALINK_CPPFLAGS=$addcflags > +- AC_SUBST([LIBMETALINK_LIBS]) > +- AC_SUBST([LIBMETALINK_LDFLAGS]) > +- AC_SUBST([LIBMETALINK_CPPFLAGS]) > +- curl_mtlnk_msg="enabled" > +- fi > +- > +- fi > +-fi > ++AC_ARG_WITH(libmetalink,, > ++ AC_MSG_ERROR([--with-libmetalink no longer works!])) > + > + dnl > ********************************************************************* > * > + dnl Check for the presence of LIBSSH2 libraries and headers > +diff --git a/src/Makefile.am b/src/Makefile.am > +index dff248f..6b7547f 100644 > +--- a/src/Makefile.am > ++++ b/src/Makefile.am > +@@ -61,18 +61,15 @@ CFLAGS += @CURL_CFLAG_EXTRAS@ > + LIBS = $(BLANK_AT_MAKETIME) > + > + if USE_EXPLICIT_LIB_DEPS > +-curl_LDADD = $(top_builddir)/lib/libcurl.la @LIBMETALINK_LIBS@ > @LIBCURL_LIBS@ > ++curl_LDADD = $(top_builddir)/lib/libcurl.la @LIBCURL_LIBS@ > + else > +-curl_LDADD = $(top_builddir)/lib/libcurl.la @LIBMETALINK_LIBS@ > @NSS_LIBS@ @SSL_LIBS@ @ZLIB_LIBS@ @CURL_NETWORK_AND_TIME_LIBS@ > ++curl_LDADD = $(top_builddir)/lib/libcurl.la @NSS_LIBS@ @SSL_LIBS@ > @ZLIB_LIBS@ @CURL_NETWORK_AND_TIME_LIBS@ > + endif > + > +-curl_LDFLAGS = @LIBMETALINK_LDFLAGS@ > +-curl_CPPFLAGS = $(AM_CPPFLAGS) $(LIBMETALINK_CPPFLAGS) > +- > + # if unit tests are enabled, build a static library to link them > with > + if BUILD_UNITTESTS > + noinst_LTLIBRARIES = libcurltool.la > +-libcurltool_la_CPPFLAGS = $(LIBMETALINK_CPPFLAGS) $(AM_CPPFLAGS) \ > ++libcurltool_la_CPPFLAGS = $(AM_CPPFLAGS) \ > + -DCURL_STATICLIB -DUNITTESTS > + libcurltool_la_CFLAGS = > + libcurltool_la_LDFLAGS = -static $(LINKFLAGS) > +-- > +2.17.1 > + > diff --git a/meta/recipes-support/curl/curl_7.75.0.bb b/meta/recipes- > support/curl/curl_7.75.0.bb > index d9818b6f07..10e44f2709 100644 > --- a/meta/recipes-support/curl/curl_7.75.0.bb > +++ b/meta/recipes-support/curl/curl_7.75.0.bb 
> @@ -24,6 +24,7 @@ SRC_URI = > "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ > file://CVE-2021-22945.patch \ > file://CVE-2021-22946.patch \ > file://CVE-2021-22947.patch \ > + file://0001-metalink-remove.patch \ > " > > SRC_URI[sha256sum] = > "50552d4501c178e4cc68baaecc487f466a3d6d19bbf4e50a01869effb316d026" > @@ -73,7 +74,6 @@ EXTRA_OECONF = " \ > --disable-ntlm-wb \ > --enable-crypto-auth \ > --with-ca-bundle=${sysconfdir}/ssl/certs/ca-certificates.crt \ > - --without-libmetalink \ > --without-libpsl \ > --enable-debug \ > --enable-optimize \
* Re: [OE-core] [hardknott][PATCH] curl: remove metalink 2021-10-27 1:22 ` [OE-core] " Mittal, Anuj @ 2021-11-29 8:35 ` Yu, Mingli 0 siblings, 0 replies; 3+ messages in thread From: Yu, Mingli @ 2021-11-29 8:35 UTC (permalink / raw) To: Mittal, Anuj, openembedded-core On 10/27/21 9:22 AM, Mittal, Anuj wrote: > [Please note: This e-mail is from an EXTERNAL e-mail address] > > It looks like we build without metalink anyway ... so is this CVE > applicable to us? Though we configure "--without-libmetalink" by default, the user can modify the recipe manually to "--with-libmetalink". So we should remove all configure logic related to metalink in configure.ac to ease the risk. Thanks, > > Thanks, > > Anuj > > On Tue, 2021-10-26 at 14:36 +0800, Yu, Mingli wrote: >> From: Mingli Yu <mingli.yu@windriver.com> >> >> Backport patch to remove metalink [1] to fix below CVEs: >> - CVE-2021-22922 [2] >> - CVE-2021-22923 [3] >> >> [1] >> https://github.com/curl/curl/commit/265b14d6b37c4298bd5556fabcbc37d36f911693 >> [2] https://curl.se/docs/CVE-2021-22922.html >> [3] https://curl.se/docs/CVE-2021-22923.html >> >> Signed-off-by: Mingli Yu <mingli.yu@windriver.com> >> --- >> .../curl/curl/0001-metalink-remove.patch | 194 >> ++++++++++++++++++ >> meta/recipes-support/curl/curl_7.75.0.bb | 2 +- >> 2 files changed, 195 insertions(+), 1 deletion(-) >> create mode 100644 meta/recipes-support/curl/curl/0001-metalink- >> remove.patch >> >> diff --git a/meta/recipes-support/curl/curl/0001-metalink- >> remove.patch b/meta/recipes-support/curl/curl/0001-metalink- >> remove.patch >> new file mode 100644 >> index 0000000000..a76e720215 >> --- /dev/null >> +++ b/meta/recipes-support/curl/curl/0001-metalink-remove.patch
>> @@ -0,0 +1,194 @@ >> +From ef339d19b688e0d4c9b6ff2bd5b5cd54af9e1dbf Mon Sep 17 00:00:00 >> 2001 >> +From: Daniel Stenberg <daniel@haxx.se> >> +Date: Tue, 26 Oct 2021 11:10:31 +0800 >> +Subject: [PATCH] metalink: remove >> + >> +Warning: this will make existing curl command lines that use >> metalink to >> +stop working. >> + >> +Reasons for removal: >> + >> +1. We've found several security problems and issues involving the >> + metalink support in curl. The issues are not detailed here. When >> + working on those, it become apparent to the team that several of >> the >> + problems are due to the system design, metalink library API and >> what >> + the metalink RFC says. They are very hard to fix on the curl side >> + only. >> + >> +2. The metalink usage with curl was only very briefly documented and >> was >> + not following the "normal" curl usage pattern in several ways, >> making >> + it surprising and non-intuitive which could lead to further >> security >> + issues. >> + >> +3. The metalink library was last updated 6 years ago and wasn't so >> + active the years before that either. An unmaintained library >> means >> + there's a security problem waiting to happen. This is probably >> reason >> + enough. >> + >> +4. Metalink requires an XML parsing library, which is complex code >> (even >> + the smaller alternatives) and to this day often gets security >> + updates. >> + >> +5. Metalink is not a widely used curl feature. In the 2020 curl user >> + survey, only 1.4% of the responders said that they'd are using >> it. In >> + 2021 that number was 1.2%. Searching the web also show very few >> + traces of it being used, even with other tools. >> + >> +6. The torrent format and associated technology clearly won for >> + downloading large files from multiple sources in parallel. 
>> + >> +Cloes #7176 >> + >> +CVE: CVE-2021-22922 CVE-2021-22923 >> + >> +Upstream-Status: Backport >> [https://github.com/curl/curl/commit/265b14d6b37c4298bd5556fabcbc37d36f911693 >> ] >> + >> +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> >> +--- >> + configure.ac | 96 ++-------------------------------------------- >> --- >> + src/Makefile.am | 9 ++--- >> + 2 files changed, 5 insertions(+), 100 deletions(-) >> + >> +diff --git a/configure.ac b/configure.ac >> +index 816f044..715fe26 100755 >> +--- a/configure.ac >> ++++ b/configure.ac >> +@@ -162,7 +162,6 @@ curl_verbose_msg="enabled (--disable-verbose)" >> + curl_ldaps_msg="no (--enable-ldaps)" >> + curl_rtsp_msg="no (--enable-rtsp)" >> + curl_rtmp_msg="no (--with-librtmp)" >> +- curl_mtlnk_msg="no (--with-libmetalink)" >> + curl_psl_msg="no (--with-libpsl)" >> + curl_altsvc_msg="enabled"; >> + ssl_backends= >> +@@ -2895,99 +2894,8 @@ if test $with_libpsl != "no"; then >> + fi >> + AM_CONDITIONAL([USE_LIBPSL], [test "$curl_psl_msg" = "enabled"]) >> + >> +-dnl >> ********************************************************************* >> * >> +-dnl Check for libmetalink >> +-dnl >> ********************************************************************* >> * >> +- >> +-OPT_LIBMETALINK=no >> +- >> +-AC_ARG_WITH(libmetalink,dnl >> +-AC_HELP_STRING([--with-libmetalink=PATH],[where to look for >> libmetalink, PATH points to the installation root]) >> +-AC_HELP_STRING([--without-libmetalink], [disable libmetalink >> detection]), >> +- OPT_LIBMETALINK=$withval) >> +- >> +-if test X"$OPT_LIBMETALINK" != Xno; then >> +- >> +- addld="" >> +- addlib="" >> +- addcflags="" >> +- version="" >> +- libmetalinklib="" >> +- >> +- PKGTEST="no" >> +- if test "x$OPT_LIBMETALINK" = "xyes"; then >> +- dnl this is with no partiular path given >> +- PKGTEST="yes" >> +- CURL_CHECK_PKGCONFIG(libmetalink) >> +- else >> +- dnl When particular path is given, set PKG_CONFIG_LIBDIR using >> the path. 
>> +- LIBMETALINK_PCDIR="$OPT_LIBMETALINK/lib/pkgconfig" >> +- AC_MSG_NOTICE([PKG_CONFIG_LIBDIR will be set to >> "$LIBMETALINK_PCDIR"]) >> +- if test -f "$LIBMETALINK_PCDIR/libmetalink.pc"; then >> +- PKGTEST="yes" >> +- fi >> +- if test "$PKGTEST" = "yes"; then >> +- CURL_CHECK_PKGCONFIG(libmetalink, [$LIBMETALINK_PCDIR]) >> +- fi >> +- fi >> +- if test "$PKGTEST" = "yes" && test "$PKGCONFIG" != "no"; then >> +- addlib=`CURL_EXPORT_PCDIR([$LIBMETALINK_PCDIR]) dnl >> +- $PKGCONFIG --libs-only-l libmetalink` >> +- addld=`CURL_EXPORT_PCDIR([$LIBMETALINK_PCDIR]) dnl >> +- $PKGCONFIG --libs-only-L libmetalink` >> +- addcflags=`CURL_EXPORT_PCDIR([$LIBMETALINK_PCDIR]) dnl >> +- $PKGCONFIG --cflags-only-I libmetalink` >> +- version=`CURL_EXPORT_PCDIR([$LIBMETALINK_PCDIR]) dnl >> +- $PKGCONFIG --modversion libmetalink` >> +- libmetalinklib=`echo $addld | $SED -e 's/^-L//'` >> +- fi >> +- if test -n "$addlib"; then >> +- >> +- clean_CPPFLAGS="$CPPFLAGS" >> +- clean_LDFLAGS="$LDFLAGS" >> +- clean_LIBS="$LIBS" >> +- CPPFLAGS="$clean_CPPFLAGS $addcflags" >> +- LDFLAGS="$clean_LDFLAGS $addld" >> +- LIBS="$addlib $clean_LIBS" >> +- AC_MSG_CHECKING([if libmetalink is recent enough]) >> +- AC_LINK_IFELSE([ >> +- AC_LANG_PROGRAM([[ >> +-# include <metalink/metalink.h> >> +- ]],[[ >> +- if(0 != metalink_strerror(0)) /* added in 0.1.0 */ >> +- return 1; >> +- ]]) >> +- ],[ >> +- AC_MSG_RESULT([yes ($version)]) >> +- want_metalink="yes" >> +- ],[ >> +- AC_MSG_RESULT([no ($version)]) >> +- AC_MSG_NOTICE([libmetalink library defective or too old]) >> +- want_metalink="no" >> +- ]) >> +- if test "x$OPENSSL_ENABLED" != "x1" -a "x$USE_WINDOWS_SSPI" != >> "x1" \ >> +- -a "x$GNUTLS_ENABLED" != "x1" -a "x$NSS_ENABLED" != "x1" \ >> +- -a "x$SECURETRANSPORT_ENABLED" != "x1"; then >> +- AC_MSG_WARN([metalink support requires a compatible SSL/TLS >> backend]) >> +- want_metalink="no" >> +- fi >> +- CPPFLAGS="$clean_CPPFLAGS" >> +- LDFLAGS="$clean_LDFLAGS" >> +- LIBS="$clean_LIBS" >> +- if test 
"$want_metalink" = "yes"; then >> +- dnl finally libmetalink will be used >> +- AC_DEFINE(USE_METALINK, 1, [Define to enable metalink >> support]) >> +- LIBMETALINK_LIBS=$addlib >> +- LIBMETALINK_LDFLAGS=$addld >> +- LIBMETALINK_CPPFLAGS=$addcflags >> +- AC_SUBST([LIBMETALINK_LIBS]) >> +- AC_SUBST([LIBMETALINK_LDFLAGS]) >> +- AC_SUBST([LIBMETALINK_CPPFLAGS]) >> +- curl_mtlnk_msg="enabled" >> +- fi >> +- >> +- fi >> +-fi >> ++AC_ARG_WITH(libmetalink,, >> ++ AC_MSG_ERROR([--with-libmetalink no longer works!])) >> + >> + dnl >> ********************************************************************* >> * >> + dnl Check for the presence of LIBSSH2 libraries and headers >> +diff --git a/src/Makefile.am b/src/Makefile.am >> +index dff248f..6b7547f 100644 >> +--- a/src/Makefile.am >> ++++ b/src/Makefile.am >> +@@ -61,18 +61,15 @@ CFLAGS += @CURL_CFLAG_EXTRAS@ >> + LIBS = $(BLANK_AT_MAKETIME) >> + >> + if USE_EXPLICIT_LIB_DEPS >> +-curl_LDADD = $(top_builddir)/lib/libcurl.la @LIBMETALINK_LIBS@ >> @LIBCURL_LIBS@ >> ++curl_LDADD = $(top_builddir)/lib/libcurl.la @LIBCURL_LIBS@ >> + else >> +-curl_LDADD = $(top_builddir)/lib/libcurl.la @LIBMETALINK_LIBS@ >> @NSS_LIBS@ @SSL_LIBS@ @ZLIB_LIBS@ @CURL_NETWORK_AND_TIME_LIBS@ >> ++curl_LDADD = $(top_builddir)/lib/libcurl.la @NSS_LIBS@ @SSL_LIBS@ >> @ZLIB_LIBS@ @CURL_NETWORK_AND_TIME_LIBS@ >> + endif >> + >> +-curl_LDFLAGS = @LIBMETALINK_LDFLAGS@ >> +-curl_CPPFLAGS = $(AM_CPPFLAGS) $(LIBMETALINK_CPPFLAGS) >> +- >> + # if unit tests are enabled, build a static library to link them >> with >> + if BUILD_UNITTESTS >> + noinst_LTLIBRARIES = libcurltool.la >> +-libcurltool_la_CPPFLAGS = $(LIBMETALINK_CPPFLAGS) $(AM_CPPFLAGS) \ >> ++libcurltool_la_CPPFLAGS = $(AM_CPPFLAGS) \ >> + -DCURL_STATICLIB -DUNITTESTS >> + libcurltool_la_CFLAGS = >> + libcurltool_la_LDFLAGS = -static $(LINKFLAGS) >> +-- >> +2.17.1 >> + 
>> diff --git a/meta/recipes-support/curl/curl_7.75.0.bb b/meta/recipes- >> support/curl/curl_7.75.0.bb >> index d9818b6f07..10e44f2709 100644 >> --- a/meta/recipes-support/curl/curl_7.75.0.bb >> +++ b/meta/recipes-support/curl/curl_7.75.0.bb >> @@ -24,6 +24,7 @@ SRC_URI = >> "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ >> file://CVE-2021-22945.patch \ >> file://CVE-2021-22946.patch \ >> file://CVE-2021-22947.patch \ >> + file://0001-metalink-remove.patch \ >> " >> >> SRC_URI[sha256sum] = >> "50552d4501c178e4cc68baaecc487f466a3d6d19bbf4e50a01869effb316d026" >> @@ -73,7 +74,6 @@ EXTRA_OECONF = " \ >> --disable-ntlm-wb \ >> --enable-crypto-auth \ >> --with-ca-bundle=${sysconfdir}/ssl/certs/ca-certificates.crt \ >> - --without-libmetalink \ >> --without-libpsl \ >> --enable-debug \ >> --enable-optimize \
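The exchange above turns on two facts: whether a given curl binary was actually built with libmetalink, and why `--without-libmetalink` has to disappear from EXTRA_OECONF once the patched configure.ac is in place. The shell script below is an added example, not code from the thread, the recipe or curl: it checks constructed `curl -V` output for the `Metalink` feature and simulates how a configure script generated from the patched `AC_ARG_WITH(libmetalink,, AC_MSG_ERROR(...))` treats each form of the option (the host triple and feature lists in the samples are made up).

```shell
#!/bin/sh
# Added example, not code from the OE-core thread, the recipe or curl itself.
# Two checks behind the question "is this CVE applicable to us?":
#  1. has_metalink_feature parses `curl -V` output. curl lists compiled-in
#     features on its "Features:" line, so a binary showing "Metalink" was
#     linked with libmetalink and carries the affected code, whatever the
#     recipe default was.
#  2. configure_libmetalink_outcome simulates the option handling autoconf
#     generates from the patched configure.ac, which keeps only
#       AC_ARG_WITH(libmetalink,, AC_MSG_ERROR([--with-libmetalink no longer works!]))
#     The action-if-given slot runs for --with-libmetalink AND
#     --without-libmetalink, which is why the recipe hunk drops the latter.

# stdin: `curl -V` output. Succeeds only if "Metalink" appears as a whole
# word on the Features: line.
has_metalink_feature() {
    sed -n 's/^Features: //p' | tr ' ' '\n' | grep -qx 'Metalink'
}

# Prints "exposed" or "not exposed" for `curl -V` text on stdin.
metalink_verdict() {
    if has_metalink_feature; then echo "exposed"; else echo "not exposed"; fi
}

# Simulated configure after the patch: prints the configure-time message and
# returns 1 where AC_MSG_ERROR would abort the run.
configure_libmetalink_outcome() {
    case "$1" in
        --with-libmetalink|--with-libmetalink=*|--without-libmetalink)
            echo "configure: error: --with-libmetalink no longer works!"
            return 1 ;;
        *)
            echo "configure: $1 handled by its own AC_ARG_* block"
            return 0 ;;
    esac
}

# Simulated configure before the patch: --without-libmetalink set
# OPT_LIBMETALINK=no and skipped detection, --with-libmetalink[=PATH] ran the
# pkg-config and link probe and defined USE_METALINK on success.
configure_libmetalink_outcome_before() {
    case "$1" in
        --without-libmetalink)
            echo "skip libmetalink detection"; return 0 ;;
        --with-libmetalink|--with-libmetalink=*)
            echo "probe libmetalink, define USE_METALINK if usable"; return 0 ;;
        *)
            echo "not a libmetalink option"; return 0 ;;
    esac
}

# Constructed `curl -V` samples (host triple and feature list made up for the
# demo) for a 7.75.0 build with and without libmetalink.
SAMPLE_WITH_METALINK='curl 7.75.0 (x86_64-poky-linux) libcurl/7.75.0 OpenSSL/1.1.1k zlib/1.2.11
Protocols: dict file ftp ftps http https
Features: alt-svc AsynchDNS HTTPS-proxy IPv6 Largefile Metalink NTLM SSL'
SAMPLE_WITHOUT_METALINK='curl 7.75.0 (x86_64-poky-linux) libcurl/7.75.0 OpenSSL/1.1.1k zlib/1.2.11
Protocols: dict file ftp ftps http https
Features: alt-svc AsynchDNS HTTPS-proxy IPv6 Largefile NTLM SSL'

# Stand-alone demo: on a real host feed `curl -V` into metalink_verdict instead.
printf '%s\n' "$SAMPLE_WITH_METALINK" | metalink_verdict
printf '%s\n' "$SAMPLE_WITHOUT_METALINK" | metalink_verdict
for opt in --with-libmetalink --without-libmetalink --without-libpsl; do
    echo "before: $(configure_libmetalink_outcome_before "$opt")"
    echo "after:  $(configure_libmetalink_outcome "$opt" || true)"
done
```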