* [hardknott][PATCH] curl: remove metalink
[not found] <16AF14C3714F85BD.30006@lists.openembedded.org>
@ 2021-10-26 6:36 ` mingli.yu
2021-10-27 1:22 ` [OE-core] " Mittal, Anuj
0 siblings, 1 reply; 3+ messages in thread
From: mingli.yu @ 2021-10-26 6:36 UTC (permalink / raw)
To: openembedded-core
From: Mingli Yu <mingli.yu@windriver.com>
Backport the patch to remove metalink [1] to fix the CVEs below:
- CVE-2021-22922 [2]
- CVE-2021-22923 [3]
[1] https://github.com/curl/curl/commit/265b14d6b37c4298bd5556fabcbc37d36f911693
[2] https://curl.se/docs/CVE-2021-22922.html
[3] https://curl.se/docs/CVE-2021-22923.html
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
---
.../curl/curl/0001-metalink-remove.patch | 194 ++++++++++++++++++
meta/recipes-support/curl/curl_7.75.0.bb | 2 +-
2 files changed, 195 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-support/curl/curl/0001-metalink-remove.patch
diff --git a/meta/recipes-support/curl/curl/0001-metalink-remove.patch b/meta/recipes-support/curl/curl/0001-metalink-remove.patch
new file mode 100644
index 0000000000..a76e720215
--- /dev/null
+++ b/meta/recipes-support/curl/curl/0001-metalink-remove.patch
@@ -0,0 +1,194 @@
+From ef339d19b688e0d4c9b6ff2bd5b5cd54af9e1dbf Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 26 Oct 2021 11:10:31 +0800
+Subject: [PATCH] metalink: remove
+
+Warning: this will make existing curl command lines that use metalink to
+stop working.
+
+Reasons for removal:
+
+1. We've found several security problems and issues involving the
+ metalink support in curl. The issues are not detailed here. When
+ working on those, it become apparent to the team that several of the
+ problems are due to the system design, metalink library API and what
+ the metalink RFC says. They are very hard to fix on the curl side
+ only.
+
+2. The metalink usage with curl was only very briefly documented and was
+ not following the "normal" curl usage pattern in several ways, making
+ it surprising and non-intuitive which could lead to further security
+ issues.
+
+3. The metalink library was last updated 6 years ago and wasn't so
+ active the years before that either. An unmaintained library means
+ there's a security problem waiting to happen. This is probably reason
+ enough.
+
+4. Metalink requires an XML parsing library, which is complex code (even
+ the smaller alternatives) and to this day often gets security
+ updates.
+
+5. Metalink is not a widely used curl feature. In the 2020 curl user
+ survey, only 1.4% of the responders said that they'd are using it. In
+ 2021 that number was 1.2%. Searching the web also show very few
+ traces of it being used, even with other tools.
+
+6. The torrent format and associated technology clearly won for
+ downloading large files from multiple sources in parallel.
+
+Cloes #7176
+
+CVE: CVE-2021-22922 CVE-2021-22923
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/265b14d6b37c4298bd5556fabcbc37d36f911693]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ configure.ac | 96 ++-----------------------------------------------
+ src/Makefile.am | 9 ++---
+ 2 files changed, 5 insertions(+), 100 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 816f044..715fe26 100755
+--- a/configure.ac
++++ b/configure.ac
+@@ -162,7 +162,6 @@ curl_verbose_msg="enabled (--disable-verbose)"
+ curl_ldaps_msg="no (--enable-ldaps)"
+ curl_rtsp_msg="no (--enable-rtsp)"
+ curl_rtmp_msg="no (--with-librtmp)"
+- curl_mtlnk_msg="no (--with-libmetalink)"
+ curl_psl_msg="no (--with-libpsl)"
+ curl_altsvc_msg="enabled";
+ ssl_backends=
+@@ -2895,99 +2894,8 @@ if test $with_libpsl != "no"; then
+ fi
+ AM_CONDITIONAL([USE_LIBPSL], [test "$curl_psl_msg" = "enabled"])
+
+-dnl **********************************************************************
+-dnl Check for libmetalink
+-dnl **********************************************************************
+-
+-OPT_LIBMETALINK=no
+-
+-AC_ARG_WITH(libmetalink,dnl
+-AC_HELP_STRING([--with-libmetalink=PATH],[where to look for libmetalink, PATH points to the installation root])
+-AC_HELP_STRING([--without-libmetalink], [disable libmetalink detection]),
+- OPT_LIBMETALINK=$withval)
+-
+-if test X"$OPT_LIBMETALINK" != Xno; then
+-
+- addld=""
+- addlib=""
+- addcflags=""
+- version=""
+- libmetalinklib=""
+-
+- PKGTEST="no"
+- if test "x$OPT_LIBMETALINK" = "xyes"; then
+- dnl this is with no partiular path given
+- PKGTEST="yes"
+- CURL_CHECK_PKGCONFIG(libmetalink)
+- else
+- dnl When particular path is given, set PKG_CONFIG_LIBDIR using the path.
+- LIBMETALINK_PCDIR="$OPT_LIBMETALINK/lib/pkgconfig"
+- AC_MSG_NOTICE([PKG_CONFIG_LIBDIR will be set to "$LIBMETALINK_PCDIR"])
+- if test -f "$LIBMETALINK_PCDIR/libmetalink.pc"; then
+- PKGTEST="yes"
+- fi
+- if test "$PKGTEST" = "yes"; then
+- CURL_CHECK_PKGCONFIG(libmetalink, [$LIBMETALINK_PCDIR])
+- fi
+- fi
+- if test "$PKGTEST" = "yes" && test "$PKGCONFIG" != "no"; then
+- addlib=`CURL_EXPORT_PCDIR([$LIBMETALINK_PCDIR]) dnl
+- $PKGCONFIG --libs-only-l libmetalink`
+- addld=`CURL_EXPORT_PCDIR([$LIBMETALINK_PCDIR]) dnl
+- $PKGCONFIG --libs-only-L libmetalink`
+- addcflags=`CURL_EXPORT_PCDIR([$LIBMETALINK_PCDIR]) dnl
+- $PKGCONFIG --cflags-only-I libmetalink`
+- version=`CURL_EXPORT_PCDIR([$LIBMETALINK_PCDIR]) dnl
+- $PKGCONFIG --modversion libmetalink`
+- libmetalinklib=`echo $addld | $SED -e 's/^-L//'`
+- fi
+- if test -n "$addlib"; then
+-
+- clean_CPPFLAGS="$CPPFLAGS"
+- clean_LDFLAGS="$LDFLAGS"
+- clean_LIBS="$LIBS"
+- CPPFLAGS="$clean_CPPFLAGS $addcflags"
+- LDFLAGS="$clean_LDFLAGS $addld"
+- LIBS="$addlib $clean_LIBS"
+- AC_MSG_CHECKING([if libmetalink is recent enough])
+- AC_LINK_IFELSE([
+- AC_LANG_PROGRAM([[
+-# include <metalink/metalink.h>
+- ]],[[
+- if(0 != metalink_strerror(0)) /* added in 0.1.0 */
+- return 1;
+- ]])
+- ],[
+- AC_MSG_RESULT([yes ($version)])
+- want_metalink="yes"
+- ],[
+- AC_MSG_RESULT([no ($version)])
+- AC_MSG_NOTICE([libmetalink library defective or too old])
+- want_metalink="no"
+- ])
+- if test "x$OPENSSL_ENABLED" != "x1" -a "x$USE_WINDOWS_SSPI" != "x1" \
+- -a "x$GNUTLS_ENABLED" != "x1" -a "x$NSS_ENABLED" != "x1" \
+- -a "x$SECURETRANSPORT_ENABLED" != "x1"; then
+- AC_MSG_WARN([metalink support requires a compatible SSL/TLS backend])
+- want_metalink="no"
+- fi
+- CPPFLAGS="$clean_CPPFLAGS"
+- LDFLAGS="$clean_LDFLAGS"
+- LIBS="$clean_LIBS"
+- if test "$want_metalink" = "yes"; then
+- dnl finally libmetalink will be used
+- AC_DEFINE(USE_METALINK, 1, [Define to enable metalink support])
+- LIBMETALINK_LIBS=$addlib
+- LIBMETALINK_LDFLAGS=$addld
+- LIBMETALINK_CPPFLAGS=$addcflags
+- AC_SUBST([LIBMETALINK_LIBS])
+- AC_SUBST([LIBMETALINK_LDFLAGS])
+- AC_SUBST([LIBMETALINK_CPPFLAGS])
+- curl_mtlnk_msg="enabled"
+- fi
+-
+- fi
+-fi
++AC_ARG_WITH(libmetalink,,
++ AC_MSG_ERROR([--with-libmetalink no longer works!]))
+
+ dnl **********************************************************************
+ dnl Check for the presence of LIBSSH2 libraries and headers
+diff --git a/src/Makefile.am b/src/Makefile.am
+index dff248f..6b7547f 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -61,18 +61,15 @@ CFLAGS += @CURL_CFLAG_EXTRAS@
+ LIBS = $(BLANK_AT_MAKETIME)
+
+ if USE_EXPLICIT_LIB_DEPS
+-curl_LDADD = $(top_builddir)/lib/libcurl.la @LIBMETALINK_LIBS@ @LIBCURL_LIBS@
++curl_LDADD = $(top_builddir)/lib/libcurl.la @LIBCURL_LIBS@
+ else
+-curl_LDADD = $(top_builddir)/lib/libcurl.la @LIBMETALINK_LIBS@ @NSS_LIBS@ @SSL_LIBS@ @ZLIB_LIBS@ @CURL_NETWORK_AND_TIME_LIBS@
++curl_LDADD = $(top_builddir)/lib/libcurl.la @NSS_LIBS@ @SSL_LIBS@ @ZLIB_LIBS@ @CURL_NETWORK_AND_TIME_LIBS@
+ endif
+
+-curl_LDFLAGS = @LIBMETALINK_LDFLAGS@
+-curl_CPPFLAGS = $(AM_CPPFLAGS) $(LIBMETALINK_CPPFLAGS)
+-
+ # if unit tests are enabled, build a static library to link them with
+ if BUILD_UNITTESTS
+ noinst_LTLIBRARIES = libcurltool.la
+-libcurltool_la_CPPFLAGS = $(LIBMETALINK_CPPFLAGS) $(AM_CPPFLAGS) \
++libcurltool_la_CPPFLAGS = $(AM_CPPFLAGS) \
+ -DCURL_STATICLIB -DUNITTESTS
+ libcurltool_la_CFLAGS =
+ libcurltool_la_LDFLAGS = -static $(LINKFLAGS)
+--
+2.17.1
+
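Review bot: the replacement at the end of the configure.ac hunk, `AC_ARG_WITH(libmetalink,,` / `AC_MSG_ERROR([--with-libmetalink no longer works!]))`, runs its action-if-given for both `--with-libmetalink` and `--without-libmetalink`, so any bbappend or distro config that still appends `--without-libmetalink` to EXTRA_OECONF will now fail at configure time rather than silently disabling the feature; that should be called out in the commit message since hardknott users carry their own appends. Also note that the hunk removes `AC_DEFINE(USE_METALINK, 1, ...)` but, per the embedded diffstat (only configure.ac and src/Makefile.am), does not delete the metalink sources themselves, so any `USE_METALINK`-guarded code remains in the tree as dead code; carrying the upstream source removal too would keep the backport closer to the referenced commit. The "Cloes #7176" typo is upstream's and is carried verbatim.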
diff --git a/meta/recipes-support/curl/curl_7.75.0.bb b/meta/recipes-support/curl/curl_7.75.0.bb
index d9818b6f07..10e44f2709 100644
--- a/meta/recipes-support/curl/curl_7.75.0.bb
+++ b/meta/recipes-support/curl/curl_7.75.0.bb
@@ -24,6 +24,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
file://CVE-2021-22945.patch \
file://CVE-2021-22946.patch \
file://CVE-2021-22947.patch \
+ file://0001-metalink-remove.patch \
"
SRC_URI[sha256sum] = "50552d4501c178e4cc68baaecc487f466a3d6d19bbf4e50a01869effb316d026"
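Review bot: the sibling patches in this SRC_URI block use the `CVE-<id>.patch` naming convention; this one relies instead on the `CVE: CVE-2021-22922 CVE-2021-22923` tag inside the patch header, which cve-check does honour, but a name such as `CVE-2021-22922-22923.patch` or a note in the commit message would make the mapping obvious when scanning the recipe directory.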
@@ -73,7 +74,6 @@ EXTRA_OECONF = " \
--disable-ntlm-wb \
--enable-crypto-auth \
--with-ca-bundle=${sysconfdir}/ssl/certs/ca-certificates.crt \
- --without-libmetalink \
--without-libpsl \
--enable-debug \
--enable-optimize \
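Review bot: dropping `--without-libmetalink` here is required, not cosmetic: with the backported configure.ac, passing either `--with-libmetalink` or `--without-libmetalink` triggers `AC_MSG_ERROR`, so the recipe change and the patch must land in the same commit (as they do here) and the commit message should say so. Anyone with a bbappend that re-adds the flag will see a configure failure.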
--
2.17.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [OE-core] [hardknott][PATCH] curl: remove metalink
2021-10-26 6:36 ` [hardknott][PATCH] curl: remove metalink mingli.yu
@ 2021-10-27 1:22 ` Mittal, Anuj
2021-11-29 8:35 ` Yu, Mingli
0 siblings, 1 reply; 3+ messages in thread
From: Mittal, Anuj @ 2021-10-27 1:22 UTC (permalink / raw)
To: openembedded-core, mingli.yu
It looks like we build without metalink anyway ... so is this CVE
applicable to us?
Thanks,
Anuj
On Tue, 2021-10-26 at 14:36 +0800, Yu, Mingli wrote:
> From: Mingli Yu <mingli.yu@windriver.com>
>
> Backport patch to remove metalink [1] to fix below CVEs:
> - CVE-2021-22922 [2]
> - CVE-2021-22923 [3]
>
> [1]
> https://github.com/curl/curl/commit/265b14d6b37c4298bd5556fabcbc37d36f911693
> [2] https://curl.se/docs/CVE-2021-22922.html
> [3] https://curl.se/docs/CVE-2021-22923.html
>
> Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [OE-core] [hardknott][PATCH] curl: remove metalink
2021-10-27 1:22 ` [OE-core] " Mittal, Anuj
@ 2021-11-29 8:35 ` Yu, Mingli
0 siblings, 0 replies; 3+ messages in thread
From: Yu, Mingli @ 2021-11-29 8:35 UTC (permalink / raw)
To: Mittal, Anuj, openembedded-core
On 10/27/21 9:22 AM, Mittal, Anuj wrote:
>
> It looks like we build without metalink anyway ... so is this CVE
> applicable to us?
Though we configure "--without-libmetalink" by default, the user can
modify the recipe manually to "--with-libmetalink". So we should remove
all configure logic related to metalink in configure.ac to reduce
the risk.
Thanks,
>
> Thanks,
>
> Anuj
>
> On Tue, 2021-10-26 at 14:36 +0800, Yu, Mingli wrote:
>> From: Mingli Yu <mingli.yu@windriver.com>
>>
>> Backport patch to remove metalink [1] to fix below CVEs:
>> - CVE-2021-22922 [2]
>> - CVE-2021-22923 [3]
>>
>> [1]
>> https://github.com/curl/curl/commit/265b14d6b37c4298bd5556fabcbc37d36f911693
>> [2] https://curl.se/docs/CVE-2021-22922.html
>> [3] https://curl.se/docs/CVE-2021-22923.html
>>
>> Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
^ permalink raw reply [flat|nested] 3+ messages in thread
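The reply above argues that the default `--without-libmetalink` is not enough because the flag can be flipped in the recipe. A complementary check from the deployment side is to inspect the built binary rather than the recipe: curl lists "Metalink" in the `Features:` line of `curl -V` when it was linked against libmetalink. The script below is an added example, not part of this thread or of the curl or OpenEmbedded projects; the two `curl -V` outputs it parses are constructed samples, and the `curl_features_has` and `check_metalink_absent` helper names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a built curl does not
# advertise the Metalink feature, by parsing the "Features:" line of
# `curl -V`. On a real target run:  curl -V | curl_features_has Metalink

curl_features_has() {
    # $1 = feature name to look for; stdin = output of `curl -V`.
    # Exit 0 if the feature is listed, 1 otherwise.
    want="$1"
    awk -v want="$want" '
        /^Features:/ {
            # fields 2..NF are the space-separated feature names
            for (i = 2; i <= NF; i++) if ($i == want) found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

check_metalink_absent() {
    # $1 = captured `curl -V` output. Exit 0 when Metalink is NOT listed,
    # i.e. the binary is clean with respect to the removed feature.
    if printf '%s\n' "$1" | curl_features_has Metalink; then
        return 1
    fi
    return 0
}

# Constructed sample outputs (not real captures) for demonstration.
SAMPLE_WITH_METALINK='curl 7.75.0 (x86_64-poky-linux-gnu) libcurl/7.75.0 OpenSSL/1.1.1k zlib/1.2.11
Release-Date: 2021-02-03
Protocols: dict file ftp ftps http https
Features: alt-svc AsynchDNS HTTPS-proxy IPv6 Largefile Metalink NTLM SSL'

SAMPLE_WITHOUT_METALINK='curl 7.75.0 (x86_64-poky-linux-gnu) libcurl/7.75.0 OpenSSL/1.1.1k zlib/1.2.11
Release-Date: 2021-02-03
Protocols: dict file ftp ftps http https
Features: alt-svc AsynchDNS HTTPS-proxy IPv6 Largefile NTLM SSL'

# Usage: report on each constructed sample (and on the real curl if present).
for sample in "$SAMPLE_WITH_METALINK" "$SAMPLE_WITHOUT_METALINK"; do
    if check_metalink_absent "$sample"; then
        echo "OK: Metalink not advertised"
    else
        echo "WARN: Metalink feature is compiled in"
    fi
done
if command -v curl >/dev/null 2>&1; then
    check_metalink_absent "$(curl -V 2>/dev/null)" \
        && echo "OK: installed curl has no Metalink" \
        || echo "WARN: installed curl advertises Metalink"
fi
```

Because the check reads `curl -V` rather than the recipe, it catches the case the reply worries about (someone rebuilding with `--with-libmetalink`) as well as a stale binary shipped before the patch was applied, and it can run as part of an image-level sanity test.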