* [Buildroot] [PATCH] libcurl: security bump to version 7.86.0
@ 2022-10-27 10:37 Baruch Siach via buildroot
  2022-10-28  6:45 ` Thomas Petazzoni via buildroot
  2022-11-08 19:49 ` Peter Korsgaard
  0 siblings, 2 replies; 3+ messages in thread
From: Baruch Siach via buildroot @ 2022-10-27 10:37 UTC (permalink / raw)
  To: buildroot; +Cc: Matt Weber

Version 7.85.0 fixes CVE-2022-35252: When curl retrieves and parses
cookies from an HTTP(S) server, it accepts cookies using control codes
(byte values below 32). When cookies that contain such control codes are
later sent back to an HTTP(S) server, it might make the server return a
400 response. Effectively allowing a "sister site" to deny service to
siblings.

Drop upstream patches and autoreconf.

Cc: Matt Weber <matthew.weber@collins.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
---
 ...de-sched-h-if-available-to-fix-build.patch | 30 --------
 ...for-the-stdatomic.h-header-in-config.patch | 70 -------------------
 package/libcurl/libcurl.hash                  |  2 +-
 package/libcurl/libcurl.mk                    |  4 +-
 4 files changed, 2 insertions(+), 104 deletions(-)
 delete mode 100644 package/libcurl/0001-easy_lock-h-include-sched-h-if-available-to-fix-build.patch
 delete mode 100644 package/libcurl/0002-configure-check-for-the-stdatomic.h-header-in-config.patch

diff --git a/package/libcurl/0001-easy_lock-h-include-sched-h-if-available-to-fix-build.patch b/package/libcurl/0001-easy_lock-h-include-sched-h-if-available-to-fix-build.patch
deleted file mode 100644
index b5f0a8721824..000000000000
--- a/package/libcurl/0001-easy_lock-h-include-sched-h-if-available-to-fix-build.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From e2e7f54b7bea521fa8373095d0f43261a720cda0 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 27 Jun 2022 08:46:21 +0200
-Subject: [PATCH] easy_lock.h: include sched.h if available to fix build
-
-Patched-by: Harry Sintonen
-
-Closes #9054
-
-[Retrieved from:
-https://github.com/curl/curl/commit/e2e7f54b7bea521fa8373095d0f43261a720cda0]
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
----
- lib/easy_lock.h | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/lib/easy_lock.h b/lib/easy_lock.h
-index 819f50ce815b8..1f54289ceb2d3 100644
---- a/lib/easy_lock.h
-+++ b/lib/easy_lock.h
-@@ -36,6 +36,9 @@
- 
- #elif defined (HAVE_ATOMIC)
- #include <stdatomic.h>
-+#if defined(HAVE_SCHED_YIELD)
-+#include <sched.h>
-+#endif
- 
- #define curl_simple_lock atomic_bool
- #define CURL_SIMPLE_LOCK_INIT false
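Review bot: the deleted file names its upstream origin (curl commit e2e7f54b7bea521fa8373095d0f43261a720cda0, dated 2022-06-27), but neither this hunk nor the commit message says which curl release carries it; before a backport is dropped, confirm the commit is reachable from the new tag, e.g. `git merge-base --is-ancestor e2e7f54b7bea curl-7_86_0` in a curl checkout, and consider recording the release it landed in next to "Drop upstream patches" so the next bump does not have to re-derive it.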
diff --git a/package/libcurl/0002-configure-check-for-the-stdatomic.h-header-in-config.patch b/package/libcurl/0002-configure-check-for-the-stdatomic.h-header-in-config.patch
deleted file mode 100644
index 083238819b1b..000000000000
--- a/package/libcurl/0002-configure-check-for-the-stdatomic.h-header-in-config.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From a68074b5db2a1fb637853b808e5b263c2ce9cbdd Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Tue, 28 Jun 2022 08:37:22 +0200
-Subject: [PATCH] configure: check for the stdatomic.h header in configure
-
-... and only set HAVE_ATOMIC if that header exists since we use
-typedefes set in it.
-
-Reported-by: Ryan Schmidt
-Fixes #9059
-Closes #9060
-
-Signed-off-by: Baruch Siach <baruch@tkos.co.il>
----
-Upstream status: commit a68074b5db2a1fb637853b808e5b263c2ce9cbdd
-
- m4/curl-functions.m4 | 36 +++++++++++++++++++-----------------
- 1 file changed, 19 insertions(+), 17 deletions(-)
-
-diff --git a/m4/curl-functions.m4 b/m4/curl-functions.m4
-index ec406f56aed8..f3e12a53a9fd 100644
---- a/m4/curl-functions.m4
-+++ b/m4/curl-functions.m4
-@@ -6570,24 +6570,26 @@ AC_DEFUN([CURL_COVERAGE],[
- ])
- 
- dnl CURL_ATOMIC
--dnl --------------------------------------------------
--dnl Check if _Atomic works
-+dnl -------------------------------------------------------------
-+dnl Check if _Atomic works. But only check if stdatomic.h exists.
- dnl
- AC_DEFUN([CURL_ATOMIC],[
--  AC_MSG_CHECKING([if _Atomic is available])
--  AC_COMPILE_IFELSE([
--    AC_LANG_PROGRAM([[
--      $curl_includes_unistd
--    ]],[[
--      _Atomic int i = 0;
--    ]])
--  ],[
--    AC_MSG_RESULT([yes])
--    AC_DEFINE_UNQUOTED(HAVE_ATOMIC, 1,
--      [Define to 1 if you have _Atomic support.])
--    tst_atomic="yes"
--  ],[
--    AC_MSG_RESULT([no])
--    tst_atomic="no"
-+  AC_CHECK_HEADERS(stdatomic.h, [
-+    AC_MSG_CHECKING([if _Atomic is available])
-+    AC_COMPILE_IFELSE([
-+      AC_LANG_PROGRAM([[
-+        $curl_includes_unistd
-+      ]],[[
-+        _Atomic int i = 0;
-+      ]])
-+    ],[
-+      AC_MSG_RESULT([yes])
-+      AC_DEFINE_UNQUOTED(HAVE_ATOMIC, 1,
-+        [Define to 1 if you have _Atomic support.])
-+      tst_atomic="yes"
-+    ],[
-+      AC_MSG_RESULT([no])
-+      tst_atomic="no"
-+    ])
-   ])
- ])
--- 
-2.35.1
-
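Review bot: this patch was the one that modified m4/curl-functions.m4, and with it gone the build no longer regenerates configure, so the stdatomic.h header check must already be present in the configure script shipped pre-generated inside curl-7.86.0.tar.xz rather than only in the m4 source; the "Upstream status: commit a68074b5db2a1fb637853b808e5b263c2ce9cbdd" line in the deleted file identifies the commit to confirm is in the release, and a quick check after extracting the tarball is `grep -c 'stdatomic.h' configure`, which should be non-zero.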
diff --git a/package/libcurl/libcurl.hash b/package/libcurl/libcurl.hash
index 672591e470bd..c0e2378cac76 100644
--- a/package/libcurl/libcurl.hash
+++ b/package/libcurl/libcurl.hash
@@ -1,5 +1,5 @@
 # Locally calculated after checking pgp signature
 # https://curl.se/download/curl-7.84.0.tar.xz.asc
 # signed with key 27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2
-sha256  2d118b43f547bfe5bae806d8d47b4e596ea5b25a6c1f080aef49fbcd817c5db8  curl-7.84.0.tar.xz
+sha256  2d61116e5f485581f6d59865377df4463f2e788677ac43222b496d4e49fb627b  curl-7.86.0.tar.xz
 sha256  321b1a09ebc30410f2e837c072e5521cf7095b757193af4a7dae1086e36ed31a  COPYING
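Review bot: the comment lines above the hash still point at curl-7.84.0.tar.xz.asc and state the hash was "Locally calculated after checking pgp signature", while the hash line now covers curl-7.86.0.tar.xz; update the URL to https://curl.se/download/curl-7.86.0.tar.xz.asc (and re-verify the 7.86.0 tarball against the listed key 27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2), otherwise the provenance comment and the hash disagree and a later reader cannot tell which signature was actually checked.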
diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk
index 9614ba514394..3c3ad082fc65 100644
--- a/package/libcurl/libcurl.mk
+++ b/package/libcurl/libcurl.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LIBCURL_VERSION = 7.84.0
+LIBCURL_VERSION = 7.86.0
 LIBCURL_SOURCE = curl-$(LIBCURL_VERSION).tar.xz
 LIBCURL_SITE = https://curl.se/download
 LIBCURL_DEPENDENCIES = host-pkgconf \
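Review bot: the commit message justifies the bump with a fix that landed in 7.85.0, but LIBCURL_VERSION jumps straight to 7.86.0; a "security bump" message should list the security fixes of every release being skipped over and of the target release (or say that 7.86.0 is simply the current release), so that the CVE coverage of the bump is recorded in the log rather than only the oldest one.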
@@ -15,8 +15,6 @@ LIBCURL_LICENSE_FILES = COPYING
 LIBCURL_CPE_ID_VENDOR = haxx
 LIBCURL_CPE_ID_PRODUCT = libcurl
 LIBCURL_INSTALL_STAGING = YES
-# We are patching configure.ac
-LIBCURL_AUTORECONF = YES
 
 # We disable NTLM support because it uses fork(), which doesn't work
 # on non-MMU platforms. Moreover, this authentication method is
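Review bot: dropping LIBCURL_AUTORECONF together with the "# We are patching configure.ac" comment is consistent with the removal of 0002-configure-check-for-the-stdatomic.h-header-in-config.patch, the only patch in the diffstat that touched autotools inputs, but "Drop upstream patches and autoreconf" in the commit message does not say why autoreconf becomes unnecessary; one sentence noting that no remaining patch modifies configure.ac or m4/ would make the dependency between the two hunks explicit.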
-- 
2.35.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
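The cookie rejection that the commit message describes, as an added example that is not curl's, Buildroot's or the patch author's code: a minimal Set-Cookie name=value parser that refuses cookies carrying control octets, so that they are never echoed back in a Cookie: request header to a sibling site. The function names and the sample Set-Cookie values are this example's own; treating DEL (0x7F) as a control octet alongside bytes below 32 is its assumption, since the advisory text only mentions byte values below 32.

```c
/* Added example, not curl's, Buildroot's or the patch author's code:
 * a minimal Set-Cookie name=value parser that rejects cookies carrying
 * control octets, in the spirit of the CVE-2022-35252 fix the commit
 * message describes. Function names and sample headers are this
 * example's own; treating DEL (0x7F) as a control octet alongside bytes
 * below 32 is an assumption here, the advisory only mentions the latter. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* True if any byte of s[0..len) is a control octet (< 0x20, or 0x7F). */
bool has_control_octet(const char *s, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c < 0x20 || c == 0x7F)
            return true;
    }
    return false;
}

/* Extract the leading name=value pair of a Set-Cookie value (everything
 * before the first ';' or line end). Returns 0 on success with name and
 * value filled, -1 if the pair is malformed or too long for the buffers,
 * -2 if name or value contains a control octet (rejected, so it can never
 * be echoed back to a server and trigger a 400). */
int parse_cookie_pair(const char *hdr, char *name, size_t nlen,
                      char *value, size_t vlen)
{
    size_t pairlen = strcspn(hdr, ";\r\n");
    const char *eq = memchr(hdr, '=', pairlen);
    if (!eq || eq == hdr)
        return -1;                          /* no '=' or empty name */
    size_t n = (size_t)(eq - hdr);
    size_t v = pairlen - n - 1;
    if (n >= nlen || v >= vlen)
        return -1;                          /* would overflow caller buffers */
    if (has_control_octet(hdr, n) || has_control_octet(eq + 1, v))
        return -2;                          /* the CVE-2022-35252 case */
    memcpy(name, hdr, n);
    name[n] = '\0';
    memcpy(value, eq + 1, v);
    value[v] = '\0';
    return 0;
}

/* Classify one Set-Cookie value without the caller managing buffers. */
int check_set_cookie(const char *hdr)
{
    char name[64], value[256];
    return parse_cookie_pair(hdr, name, sizeof name, value, sizeof value);
}

/* Constructed sample Set-Cookie values: the second carries a 0x01 byte in
 * its value, the third a DEL in its name; the other two are clean. */
static const char *const sample_set_cookies[] = {
    "sid=abc123; Path=/; HttpOnly",
    "evil=abc\x01" "def; Path=/",
    "na\x7fme=1; Path=/",
    "theme=dark",
};

/* Build the Cookie: request header from the cookies that pass the check.
 * Returns how many were accepted; out receives "a=b; c=d". */
size_t build_cookie_header(const char *const *set_cookies, size_t count,
                           char *out, size_t outlen)
{
    size_t accepted = 0;
    out[0] = '\0';
    for (size_t i = 0; i < count; i++) {
        char name[64], value[256];
        if (parse_cookie_pair(set_cookies[i], name, sizeof name,
                              value, sizeof value) != 0)
            continue;                       /* rejected: not sent back */
        if (accepted)
            strncat(out, "; ", outlen - strlen(out) - 1);
        strncat(out, name, outlen - strlen(out) - 1);
        strncat(out, "=", outlen - strlen(out) - 1);
        strncat(out, value, outlen - strlen(out) - 1);
        accepted++;
    }
    return accepted;
}

/* Run the samples through the filter; returns the Cookie: value and,
 * through *accepted, how many of the samples survived. */
const char *cookie_header_from_samples(size_t *accepted)
{
    static char out[512];
    size_t count = sizeof sample_set_cookies / sizeof sample_set_cookies[0];
    size_t n = build_cookie_header(sample_set_cookies, count, out, sizeof out);
    if (accepted)
        *accepted = n;
    return out;
}

int main(void)
{
    size_t n;
    const char *hdr = cookie_header_from_samples(&n);
    printf("accepted %zu of 4 cookies\nCookie: %s\n", n, hdr);
    return 0;                    /* prints "accepted 2 of 4 cookies" */
}
```

The check runs on the raw octets of name and value before any storage, which is the point of the fix: a cookie that would make the next request line-invalid is dropped at parse time rather than discovered when the server answers 400. Stripping the trailing CR/LF via strcspn matters, since a line terminator left in the value would otherwise be classified as a control octet and every cookie would be rejected.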


* Re: [Buildroot] [PATCH] libcurl: security bump to version 7.86.0
  2022-10-27 10:37 [Buildroot] [PATCH] libcurl: security bump to version 7.86.0 Baruch Siach via buildroot
@ 2022-10-28  6:45 ` Thomas Petazzoni via buildroot
  2022-11-08 19:49 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Thomas Petazzoni via buildroot @ 2022-10-28  6:45 UTC (permalink / raw)
  To: Baruch Siach via buildroot; +Cc: buildroot, Matt Weber

On Thu, 27 Oct 2022 13:37:17 +0300
Baruch Siach via buildroot <buildroot@buildroot.org> wrote:

> Version 7.85.0 fixes CVE-2022-35252: When curl retrieves and parses
> cookies from an HTTP(S) server, it accepts cookies using control codes
> (byte values below 32). When cookies that contain such control codes are
> later sent back to an HTTP(S) server, it might make the server return a
> 400 response. Effectively allowing a "sister site" to deny service to
> siblings.
> 
> Drop upstream patches and autoreconf.
> 
> Cc: Matt Weber <matthew.weber@collins.com>
> Signed-off-by: Baruch Siach <baruch@tkos.co.il>
> ---
>  ...de-sched-h-if-available-to-fix-build.patch | 30 --------
>  ...for-the-stdatomic.h-header-in-config.patch | 70 -------------------
>  package/libcurl/libcurl.hash                  |  2 +-
>  package/libcurl/libcurl.mk                    |  4 +-
>  4 files changed, 2 insertions(+), 104 deletions(-)
>  delete mode 100644 package/libcurl/0001-easy_lock-h-include-sched-h-if-available-to-fix-build.patch
>  delete mode 100644 package/libcurl/0002-configure-check-for-the-stdatomic.h-header-in-config.patch

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

* Re: [Buildroot] [PATCH] libcurl: security bump to version 7.86.0
  2022-10-27 10:37 [Buildroot] [PATCH] libcurl: security bump to version 7.86.0 Baruch Siach via buildroot
  2022-10-28  6:45 ` Thomas Petazzoni via buildroot
@ 2022-11-08 19:49 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2022-11-08 19:49 UTC (permalink / raw)
  To: Baruch Siach via buildroot; +Cc: buildroot, Matt Weber

>>>>> "Baruch" == Baruch Siach via buildroot <buildroot@buildroot.org> writes:

 > Version 7.85.0 fixes CVE-2022-35252: When curl retrieves and parses
 > cookies from an HTTP(S) server, it accepts cookies using control codes
 > (byte values below 32). When cookies that contain such control codes are
 > later sent back to an HTTP(S) server, it might make the server return a
 > 400 response. Effectively allowing a "sister site" to deny service to
 > siblings.

 > Drop upstream patches and autoreconf.

 > Cc: Matt Weber <matthew.weber@collins.com>
 > Signed-off-by: Baruch Siach <baruch@tkos.co.il>

Committed to 2022.08.x and 2022.02.x, thanks.

-- 
Bye, Peter Korsgaard
