curl: 7.76.1 -> 7.79.1

patching out SystemConfiguration requirement on darwin as we
can't use it from within the curl bootstrap loop

+55 -559
+52
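--- a/pkgs/tools/networking/curl/7.79.1-darwin-no-systemconfiguration.patch
+++ b/pkgs/tools/networking/curl/7.79.1-darwin-no-systemconfiguration.patch
@@ -0,0 +1,52 @@
+On darwin, providing SystemConfiguration to curl currently results in a
+reference loop, so we have to disable the check for it and the feature
+which requires it (NAT64).
+
+Patching actual configure script here as we also don't want to require
+autoconf in the bootstrap loop just to regenerate a patched configure.ac.
+
+--- a/configure 2021-10-16 00:51:59.000000000 +0100
++++ b/configure 2021-10-16 01:06:46.000000000 +0100
+@@ -20810,7 +20810,7 @@
+ if test "x$build_for_macos" != xno; then
+ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+ printf "%s\n" "yes" >&6; }
+- LDFLAGS="$LDFLAGS -framework CoreFoundation -framework SystemConfiguration"
++ LDFLAGS="$LDFLAGS -framework CoreFoundation"
+ else
+ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
+ printf "%s\n" "no" >&6; }
+@@ -22211,9 +22211,6 @@
+ fi
+ 
+ 
+-if test "$HAVE_GETHOSTBYNAME" != "1"; then
+- as_fn_error $? "couldn't find libraries for gethostbyname()" "$LINENO" 5
+-fi
+ 
+ 
+ curl_includes_winsock2="\
+diff --git a/lib/curl_setup.h b/lib/curl_setup.h
+index 99048c489..19abfbbac 100644
+--- a/lib/curl_setup.h
++++ b/lib/curl_setup.h
+@@ -247,19 +247,6 @@
+ # include "setup-win32.h"
+ #endif
+ 
+-/*
+- * Use getaddrinfo to resolve the IPv4 address literal. If the current network
+- * interface doesn't support IPv4, but supports IPv6, NAT64, and DNS64,
+- * performing this task will result in a synthesized IPv6 address.
+- */
+-#if defined(__APPLE__) && !defined(USE_ARES)
+-#include <TargetConditionals.h>
+-#define USE_RESOLVE_ON_IPS 1
+-# if defined(TARGET_OS_OSX) && TARGET_OS_OSX
+-# define CURL_OSX_CALL_COPYPROXIES 1
+-# endif
+-#endif
+-
+ #ifdef USE_LWIPSOCK
+ # include <lwip/init.h>
+ # include <lwip/sockets.h>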
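Review bot: The patch header explains only the SystemConfiguration/NAT64 removal, but the configure hunk at patch lines 23-25 also deletes the `as_fn_error` that aborted configure when no gethostbyname() library was found, and the curl_setup.h hunk at patch lines 45-47 removes `CURL_OSX_CALL_COPYPROXIES`, which presumably stops curl from consulting the macOS system proxy settings. Both are user-visible behaviour changes — a build without a usable resolver now configures silently instead of failing, and proxy discovery on darwin changes — and neither is obviously implied by the NAT64 rationale, so the next person bumping curl cannot tell whether they are still needed. Suggested addition to the header text: `This also drops the gethostbyname() configure abort (a missing resolver library no longer fails configure) and CURL_OSX_CALL_COPYPROXIES (macOS system proxy settings are no longer read); revisit both when the SystemConfiguration loop is resolved.` If the gethostbyname abort is only tripped because SystemConfiguration is no longer linked, saying so in the header would make the dependency explicit.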
-64
pkgs/tools/networking/curl/CVE-2021-22897.patch
··· 1 - From bbb71507b7bab52002f9b1e0880bed6a32834511 Mon Sep 17 00:00:00 2001 2 - From: Daniel Stenberg <daniel@haxx.se> 3 - Date: Fri, 23 Apr 2021 10:54:10 +0200 4 - Subject: [PATCH] schannel: don't use static to store selected ciphers 5 - 6 - CVE-2021-22897 7 - 8 - Bug: https://curl.se/docs/CVE-2021-22897.html 9 - --- 10 - lib/vtls/schannel.c | 9 +++++---- 11 - lib/vtls/schannel.h | 3 +++ 12 - 2 files changed, 8 insertions(+), 4 deletions(-) 13 - 14 - diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c 15 - index 8c25ac5dd5a5..dba7072273a9 100644 16 - --- a/lib/vtls/schannel.c 17 - +++ b/lib/vtls/schannel.c 18 - @@ -328,12 +328,12 @@ get_alg_id_by_name(char *name) 19 - } 20 - 21 - static CURLcode 22 - -set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers) 23 - +set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers, 24 - + int *algIds) 25 - { 26 - char *startCur = ciphers; 27 - int algCount = 0; 28 - - static ALG_ID algIds[45]; /*There are 45 listed in the MS headers*/ 29 - - while(startCur && (0 != *startCur) && (algCount < 45)) { 30 - + while(startCur && (0 != *startCur) && (algCount < NUMOF_CIPHERS)) { 31 - long alg = strtol(startCur, 0, 0); 32 - if(!alg) 33 - alg = get_alg_id_by_name(startCur); 34 - @@ -593,7 +593,8 @@ schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn, 35 - } 36 - 37 - if(SSL_CONN_CONFIG(cipher_list)) { 38 - - result = set_ssl_ciphers(&schannel_cred, SSL_CONN_CONFIG(cipher_list)); 39 - + result = set_ssl_ciphers(&schannel_cred, SSL_CONN_CONFIG(cipher_list), 40 - + BACKEND->algIds); 41 - if(CURLE_OK != result) { 42 - failf(data, "Unable to set ciphers to passed via SSL_CONN_CONFIG"); 43 - return result; 44 - diff --git a/lib/vtls/schannel.h b/lib/vtls/schannel.h 45 - index 2952caa1a5a1..77853aa30f96 100644 46 - --- a/lib/vtls/schannel.h 47 - +++ b/lib/vtls/schannel.h 48 - 
@@ -71,6 +71,8 @@ CURLcode Curl_verify_certificate(struct Curl_easy *data, 49 - #endif 50 - #endif 51 - 52 - +#define NUMOF_CIPHERS 45 /* There are 45 listed in the MS headers */ 53 - + 54 - struct Curl_schannel_cred { 55 - CredHandle cred_handle; 56 - TimeStamp time_stamp; 57 - @@ -102,6 +104,7 @@ struct ssl_backend_data { 58 - #ifdef HAS_MANUAL_VERIFY_API 59 - bool use_manual_cred_validation; /* true if manual cred validation is used */ 60 - #endif 61 - + ALG_ID algIds[NUMOF_CIPHERS]; 62 - }; 63 - #endif /* EXPOSE_SCHANNEL_INTERNAL_STRUCTS */ 64 -
-25
pkgs/tools/networking/curl/CVE-2021-22898.patch
··· 1 - From 39ce47f219b09c380b81f89fe54ac586c8db6bde Mon Sep 17 00:00:00 2001 2 - From: Harry Sintonen <sintonen@iki.fi> 3 - Date: Fri, 7 May 2021 13:09:57 +0200 4 - Subject: [PATCH] telnet: check sscanf() for correct number of matches 5 - 6 - CVE-2021-22898 7 - 8 - Bug: https://curl.se/docs/CVE-2021-22898.html 9 - --- 10 - lib/telnet.c | 2 +- 11 - 1 file changed, 1 insertion(+), 1 deletion(-) 12 - 13 - diff --git a/lib/telnet.c b/lib/telnet.c 14 - index 26e0658ba9cc..fdd137fb0c04 100644 15 - --- a/lib/telnet.c 16 - +++ b/lib/telnet.c 17 - @@ -922,7 +922,7 @@ static void suboption(struct Curl_easy *data) 18 - size_t tmplen = (strlen(v->data) + 1); 19 - /* Add the variable only if it fits */ 20 - if(len + tmplen < (int)sizeof(temp)-6) { 21 - - if(sscanf(v->data, "%127[^,],%127s", varname, varval)) { 22 - + if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) { 23 - msnprintf((char *)&temp[len], sizeof(temp) - len, 24 - "%c%s%c%s", CURL_NEW_ENV_VAR, varname, 25 - CURL_NEW_ENV_VALUE, varval);
-437
pkgs/tools/networking/curl/CVE-2021-22901.patch
··· 1 - Based on upstream 7f4a9a9b2a49547eae24d2e19bc5c346e9026479, modified by ris to 2 - apply without 0c55fbab45bedb761766109d41c3da49c4bc66c6 3 - 4 - diff --git a/lib/multi.c b/lib/multi.c 5 - index 54365f399e9b..1b3e261c682a 100644 6 - --- a/lib/multi.c 7 - +++ b/lib/multi.c 8 - @@ -878,8 +878,10 @@ bool Curl_multiplex_wanted(const struct Curl_multi *multi) 9 - void Curl_detach_connnection(struct Curl_easy *data) 10 - { 11 - struct connectdata *conn = data->conn; 12 - - if(conn) 13 - + if(conn) { 14 - Curl_llist_remove(&conn->easyq, &data->conn_queue, NULL); 15 - + Curl_ssl_detach_conn(data, conn); 16 - + } 17 - data->conn = NULL; 18 - } 19 - 20 - @@ -896,6 +898,7 @@ void Curl_attach_connnection(struct Curl_easy *data, 21 - data->conn = conn; 22 - Curl_llist_insert_next(&conn->easyq, conn->easyq.tail, data, 23 - &data->conn_queue); 24 - + Curl_ssl_associate_conn(data, conn); 25 - } 26 - 27 - static int waitconnect_getsock(struct connectdata *conn, 28 - diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c 29 - index c648f624579b..ca953769d1ba 100644 30 - --- a/lib/vtls/gskit.c 31 - +++ b/lib/vtls/gskit.c 32 - @@ -1304,7 +1304,9 @@ const struct Curl_ssl Curl_ssl_gskit = { 33 - Curl_none_set_engine_default, /* set_engine_default */ 34 - Curl_none_engines_list, /* engines_list */ 35 - Curl_none_false_start, /* false_start */ 36 - - NULL /* sha256sum */ 37 - + NULL, /* sha256sum */ 38 - + NULL, /* associate_connection */ 39 - + NULL /* disassociate_connection */ 40 - }; 41 - 42 - #endif /* USE_GSKIT */ 43 - diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c 44 - index a10c0dbcca05..ecde5c44deeb 100644 45 - --- a/lib/vtls/gtls.c 46 - +++ b/lib/vtls/gtls.c 47 - 
@@ -1656,7 +1656,9 @@ const struct Curl_ssl Curl_ssl_gnutls = { 48 - Curl_none_set_engine_default, /* set_engine_default */ 49 - Curl_none_engines_list, /* engines_list */ 50 - Curl_none_false_start, /* false_start */ 51 - - gtls_sha256sum /* sha256sum */ 52 - + gtls_sha256sum, /* sha256sum */ 53 - + NULL, /* associate_connection */ 54 - + NULL /* disassociate_connection */ 55 - }; 56 - 57 - #endif /* USE_GNUTLS */ 58 - diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c 59 - index ca77de58667c..3a0be0f04b4f 100644 60 - --- a/lib/vtls/mbedtls.c 61 - +++ b/lib/vtls/mbedtls.c 62 - @@ -1093,7 +1093,9 @@ const struct Curl_ssl Curl_ssl_mbedtls = { 63 - Curl_none_set_engine_default, /* set_engine_default */ 64 - Curl_none_engines_list, /* engines_list */ 65 - Curl_none_false_start, /* false_start */ 66 - - mbedtls_sha256sum /* sha256sum */ 67 - + mbedtls_sha256sum, /* sha256sum */ 68 - + NULL, /* associate_connection */ 69 - + NULL /* disassociate_connection */ 70 - }; 71 - 72 - #endif /* USE_MBEDTLS */ 73 - diff --git a/lib/vtls/mesalink.c b/lib/vtls/mesalink.c 74 - index f16c77c27fe0..bf8600d3230b 100644 75 - --- a/lib/vtls/mesalink.c 76 - +++ b/lib/vtls/mesalink.c 77 - @@ -666,7 +666,9 @@ const struct Curl_ssl Curl_ssl_mesalink = { 78 - Curl_none_set_engine_default, /* set_engine_default */ 79 - Curl_none_engines_list, /* engines_list */ 80 - Curl_none_false_start, /* false_start */ 81 - - NULL /* sha256sum */ 82 - + NULL, /* sha256sum */ 83 - + NULL, /* associate_connection */ 84 - + NULL /* disassociate_connection */ 85 - }; 86 - 87 - #endif 88 - diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c 89 - index 2aa4bdaa134f..1582b1e580a9 100644 90 - --- a/lib/vtls/nss.c 91 - +++ b/lib/vtls/nss.c 92 - 
@@ -2465,7 +2465,9 @@ const struct Curl_ssl Curl_ssl_nss = { 93 - Curl_none_set_engine_default, /* set_engine_default */ 94 - Curl_none_engines_list, /* engines_list */ 95 - nss_false_start, /* false_start */ 96 - - nss_sha256sum /* sha256sum */ 97 - + nss_sha256sum, /* sha256sum */ 98 - + NULL, /* associate_connection */ 99 - + NULL /* disassociate_connection */ 100 - }; 101 - 102 - #endif /* USE_NSS */ 103 - diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c 104 - index 1521600dd5f6..ebd7abc3b4ac 100644 105 - --- a/lib/vtls/openssl.c 106 - +++ b/lib/vtls/openssl.c 107 - @@ -240,6 +240,10 @@ struct ssl_backend_data { 108 - #endif 109 - }; 110 - 111 - +static void ossl_associate_connection(struct Curl_easy *data, 112 - + struct connectdata *conn, 113 - + int sockindex); 114 - + 115 - /* 116 - * Number of bytes to read from the random number seed file. This must be 117 - * a finite value (because some entropy "files" like /dev/urandom have 118 - @@ -2581,6 +2585,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, 119 - curl_socket_t sockfd = conn->sock[sockindex]; 120 - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; 121 - ctx_option_t ctx_options = 0; 122 - + void *ssl_sessionid = NULL; 123 - 124 - #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME 125 - bool sni; 126 - 
@@ -3225,46 +3230,23 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, 127 - } 128 - #endif 129 - 130 - - /* Check if there's a cached ID we can/should use here! */ 131 - - if(SSL_SET_OPTION(primary.sessionid)) { 132 - - void *ssl_sessionid = NULL; 133 - - int data_idx = ossl_get_ssl_data_index(); 134 - - int connectdata_idx = ossl_get_ssl_conn_index(); 135 - - int sockindex_idx = ossl_get_ssl_sockindex_index(); 136 - - int proxy_idx = ossl_get_proxy_index(); 137 - - 138 - - if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0 && 139 - - proxy_idx >= 0) { 140 - - /* Store the data needed for the "new session" callback. 141 - - * The sockindex is stored as a pointer to an array element. */ 142 - - SSL_set_ex_data(backend->handle, data_idx, data); 143 - - SSL_set_ex_data(backend->handle, connectdata_idx, conn); 144 - - SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex); 145 - -#ifndef CURL_DISABLE_PROXY 146 - - SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1: 147 - - NULL); 148 - -#else 149 - - SSL_set_ex_data(backend->handle, proxy_idx, NULL); 150 - -#endif 151 - - 152 - - } 153 - + ossl_associate_connection(data, conn, sockindex); 154 - 155 - - Curl_ssl_sessionid_lock(data); 156 - - if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE, 157 - - &ssl_sessionid, NULL, sockindex)) { 158 - - /* we got a session id, use it! */ 159 - - if(!SSL_set_session(backend->handle, ssl_sessionid)) { 160 - - Curl_ssl_sessionid_unlock(data); 161 - - failf(data, "SSL: SSL_set_session failed: %s", 162 - - ossl_strerror(ERR_get_error(), error_buffer, 163 - - sizeof(error_buffer))); 164 - - return CURLE_SSL_CONNECT_ERROR; 165 - - } 166 - - /* Informational message */ 167 - - infof(data, "SSL re-using session ID\n"); 168 - + Curl_ssl_sessionid_lock(data); 169 - + if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? 
TRUE : FALSE, 170 - + &ssl_sessionid, NULL, sockindex)) { 171 - + /* we got a session id, use it! */ 172 - + if(!SSL_set_session(backend->handle, ssl_sessionid)) { 173 - + Curl_ssl_sessionid_unlock(data); 174 - + failf(data, "SSL: SSL_set_session failed: %s", 175 - + ossl_strerror(ERR_get_error(), error_buffer, 176 - + sizeof(error_buffer))); 177 - + return CURLE_SSL_CONNECT_ERROR; 178 - } 179 - - Curl_ssl_sessionid_unlock(data); 180 - + /* Informational message */ 181 - + infof(data, "SSL re-using session ID\n"); 182 - } 183 - + Curl_ssl_sessionid_unlock(data); 184 - 185 - #ifndef CURL_DISABLE_PROXY 186 - if(conn->proxy_ssl[sockindex].use) { 187 - 
@@ -4498,6 +4480,90 @@ static void *ossl_get_internals(struct ssl_connect_data *connssl, 188 - (void *)backend->ctx : (void *)backend->handle; 189 - } 190 - 191 - +static void ossl_associate_connection(struct Curl_easy *data, 192 - + struct connectdata *conn, 193 - + int sockindex) 194 - +{ 195 - + struct ssl_connect_data *connssl = &conn->ssl[sockindex]; 196 - + struct ssl_backend_data *backend = connssl->backend; 197 - + 198 - + /* If we don't have SSL context, do nothing. */ 199 - + if(!backend->handle) 200 - + return; 201 - + 202 - + if(SSL_SET_OPTION(primary.sessionid)) { 203 - + int data_idx = ossl_get_ssl_data_index(); 204 - + int connectdata_idx = ossl_get_ssl_conn_index(); 205 - + int sockindex_idx = ossl_get_ssl_sockindex_index(); 206 - + int proxy_idx = ossl_get_proxy_index(); 207 - + 208 - + if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0 && 209 - + proxy_idx >= 0) { 210 - + /* Store the data needed for the "new session" callback. 211 - + * The sockindex is stored as a pointer to an array element. */ 212 - + SSL_set_ex_data(backend->handle, data_idx, data); 213 - + SSL_set_ex_data(backend->handle, connectdata_idx, conn); 214 - + SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex); 215 - +#ifndef CURL_DISABLE_PROXY 216 - + SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1: 217 - + NULL); 218 - +#else 219 - + SSL_set_ex_data(backend->handle, proxy_idx, NULL); 220 - +#endif 221 - + } 222 - + } 223 - +} 224 - + 225 - +/* 226 - + * Starting with TLS 1.3, the ossl_new_session_cb callback gets called after 227 - + * the handshake. If the transfer that sets up the callback gets killed before 228 - + * this callback arrives, we must make sure to properly clear the data to 229 - + * avoid UAF problems. A future optimization could be to instead store another 230 - + * transfer that might still be using the same connection. 
231 - + */ 232 - + 233 - +static void ossl_disassociate_connection(struct Curl_easy *data, 234 - + int sockindex) 235 - +{ 236 - + struct connectdata *conn = data->conn; 237 - + struct ssl_connect_data *connssl = &conn->ssl[sockindex]; 238 - + struct ssl_backend_data *backend = connssl->backend; 239 - + 240 - + /* If we don't have SSL context, do nothing. */ 241 - + if(!backend->handle) 242 - + return; 243 - + 244 - + if(SSL_SET_OPTION(primary.sessionid)) { 245 - + bool isproxy = FALSE; 246 - + bool incache; 247 - + void *old_ssl_sessionid = NULL; 248 - + int data_idx = ossl_get_ssl_data_index(); 249 - + int connectdata_idx = ossl_get_ssl_conn_index(); 250 - + int sockindex_idx = ossl_get_ssl_sockindex_index(); 251 - + int proxy_idx = ossl_get_proxy_index(); 252 - + 253 - + if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0 && 254 - + proxy_idx >= 0) { 255 - + /* Invalidate the session cache entry, if any */ 256 - + isproxy = SSL_get_ex_data(backend->handle, proxy_idx) ? TRUE : FALSE; 257 - + 258 - + /* Disable references to data in "new session" callback to avoid 259 - + * accessing a stale pointer. */ 260 - + SSL_set_ex_data(backend->handle, data_idx, NULL); 261 - + SSL_set_ex_data(backend->handle, connectdata_idx, NULL); 262 - + SSL_set_ex_data(backend->handle, sockindex_idx, NULL); 263 - + SSL_set_ex_data(backend->handle, proxy_idx, NULL); 264 - + } 265 - + 266 - + Curl_ssl_sessionid_lock(data); 267 - + incache = !(Curl_ssl_getsessionid(data, conn, isproxy, 268 - + &old_ssl_sessionid, NULL, sockindex)); 269 - + if(incache) 270 - + Curl_ssl_delsessionid(data, old_ssl_sessionid); 271 - + Curl_ssl_sessionid_unlock(data); 272 - + } 273 - +} 274 - + 275 - const struct Curl_ssl Curl_ssl_openssl = { 276 - { CURLSSLBACKEND_OPENSSL, "openssl" }, /* info */ 277 - 278 - 
@@ -4533,10 +4599,12 @@ const struct Curl_ssl Curl_ssl_openssl = { 279 - ossl_engines_list, /* engines_list */ 280 - Curl_none_false_start, /* false_start */ 281 - #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256) 282 - - ossl_sha256sum /* sha256sum */ 283 - + ossl_sha256sum, /* sha256sum */ 284 - #else 285 - - NULL /* sha256sum */ 286 - + NULL, /* sha256sum */ 287 - #endif 288 - + ossl_associate_connection, /* associate_connection */ 289 - + ossl_disassociate_connection /* disassociate_connection */ 290 - }; 291 - 292 - #endif /* USE_OPENSSL */ 293 - diff --git a/lib/vtls/rustls.c b/lib/vtls/rustls.c 294 - index 9dfbd2c3c4c2..161f3bf51d75 100644 295 - --- a/lib/vtls/rustls.c 296 - +++ b/lib/vtls/rustls.c 297 - @@ -604,7 +604,9 @@ const struct Curl_ssl Curl_ssl_rustls = { 298 - Curl_none_set_engine_default, /* set_engine_default */ 299 - Curl_none_engines_list, /* engines_list */ 300 - Curl_none_false_start, /* false_start */ 301 - - NULL /* sha256sum */ 302 - + NULL, /* sha256sum */ 303 - + NULL, /* associate_connection */ 304 - + NULL /* disassociate_connection */ 305 - }; 306 - 307 - #endif /* USE_RUSTLS */ 308 - diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c 309 - index dba7072273a9..2bcf11db2576 100644 310 - --- a/lib/vtls/schannel.c 311 - +++ b/lib/vtls/schannel.c 312 - @@ -329,7 +329,7 @@ get_alg_id_by_name(char *name) 313 - 314 - static CURLcode 315 - set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers, 316 - - int *algIds) 317 - + ALG_ID *algIds) 318 - { 319 - char *startCur = ciphers; 320 - int algCount = 0; 321 - 
@@ -2433,7 +2433,9 @@ const struct Curl_ssl Curl_ssl_schannel = { 322 - Curl_none_set_engine_default, /* set_engine_default */ 323 - Curl_none_engines_list, /* engines_list */ 324 - Curl_none_false_start, /* false_start */ 325 - - schannel_sha256sum /* sha256sum */ 326 - + schannel_sha256sum, /* sha256sum */ 327 - + NULL, /* associate_connection */ 328 - + NULL /* disassociate_connection */ 329 - }; 330 - 331 - #endif /* USE_SCHANNEL */ 332 - diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c 333 - index 4276b89cfb3a..8b1e84ed7715 100644 334 - --- a/lib/vtls/sectransp.c 335 - +++ b/lib/vtls/sectransp.c 336 - @@ -3453,6 +3453,8 @@ const struct Curl_ssl Curl_ssl_sectransp = { 337 - Curl_none_engines_list, /* engines_list */ 338 - sectransp_false_start, /* false_start */ 339 - sectransp_sha256sum /* sha256sum */ 340 - + NULL, /* associate_connection */ 341 - + NULL /* disassociate_connection */ 342 - }; 343 - 344 - #ifdef __clang__ 345 - diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c 346 - index d63fd5c76386..65f4f773dd63 100644 347 - --- a/lib/vtls/vtls.c 348 - +++ b/lib/vtls/vtls.c 349 - 
@@ -586,6 +586,25 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data, 350 - return CURLE_OK; 351 - } 352 - 353 - +void Curl_ssl_associate_conn(struct Curl_easy *data, 354 - + struct connectdata *conn) 355 - +{ 356 - + if(Curl_ssl->associate_connection) { 357 - + Curl_ssl->associate_connection(data, conn, FIRSTSOCKET); 358 - + if(conn->sock[SECONDARYSOCKET] && conn->bits.sock_accepted) 359 - + Curl_ssl->associate_connection(data, conn, SECONDARYSOCKET); 360 - + } 361 - +} 362 - + 363 - +void Curl_ssl_detach_conn(struct Curl_easy *data, 364 - + struct connectdata *conn) 365 - +{ 366 - + if(Curl_ssl->disassociate_connection) { 367 - + Curl_ssl->disassociate_connection(data, FIRSTSOCKET); 368 - + if(conn->sock[SECONDARYSOCKET] && conn->bits.sock_accepted) 369 - + Curl_ssl->disassociate_connection(data, SECONDARYSOCKET); 370 - + } 371 - +} 372 - 373 - void Curl_ssl_close_all(struct Curl_easy *data) 374 - { 375 - @@ -1214,7 +1233,9 @@ static const struct Curl_ssl Curl_ssl_multi = { 376 - Curl_none_set_engine_default, /* set_engine_default */ 377 - Curl_none_engines_list, /* engines_list */ 378 - Curl_none_false_start, /* false_start */ 379 - - NULL /* sha256sum */ 380 - + NULL, /* sha256sum */ 381 - + NULL, /* associate_connection */ 382 - + NULL /* disassociate_connection */ 383 - }; 384 - 385 - const struct Curl_ssl *Curl_ssl = 386 - diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h 387 - index a22d526ca810..7f93e7aedb21 100644 388 - --- a/lib/vtls/vtls.h 389 - +++ b/lib/vtls/vtls.h 390 - @@ -84,6 +84,11 @@ struct Curl_ssl { 391 - bool (*false_start)(void); 392 - CURLcode (*sha256sum)(const unsigned char *input, size_t inputlen, 393 - unsigned char *sha256sum, size_t sha256sumlen); 394 - + 395 - + void (*associate_connection)(struct Curl_easy *data, 396 - + struct connectdata *conn, 397 - + int sockindex); 398 - + void (*disassociate_connection)(struct Curl_easy *data, int sockindex); 399 - }; 400 - 401 - #ifdef USE_SSL 402 - 
@@ -283,6 +288,11 @@ bool Curl_ssl_cert_status_request(void); 403 - 404 - bool Curl_ssl_false_start(void); 405 - 406 - +void Curl_ssl_associate_conn(struct Curl_easy *data, 407 - + struct connectdata *conn); 408 - +void Curl_ssl_detach_conn(struct Curl_easy *data, 409 - + struct connectdata *conn); 410 - + 411 - #define SSL_SHUTDOWN_TIMEOUT 10000 /* ms */ 412 - 413 - #else /* if not USE_SSL */ 414 - @@ -309,6 +319,8 @@ bool Curl_ssl_false_start(void); 415 - #define Curl_ssl_cert_status_request() FALSE 416 - #define Curl_ssl_false_start() FALSE 417 - #define Curl_ssl_tls13_ciphersuites() FALSE 418 - +#define Curl_ssl_associate_conn(a,b) Curl_nop_stmt 419 - +#define Curl_ssl_detach_conn(a,b) Curl_nop_stmt 420 - #endif 421 - 422 - #endif /* HEADER_CURL_VTLS_H */ 423 - diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c 424 - index 02fcd236697e..60e27e366252 100644 425 - --- a/lib/vtls/wolfssl.c 426 - +++ b/lib/vtls/wolfssl.c 427 - @@ -1125,7 +1125,9 @@ const struct Curl_ssl Curl_ssl_wolfssl = { 428 - Curl_none_set_engine_default, /* set_engine_default */ 429 - Curl_none_engines_list, /* engines_list */ 430 - Curl_none_false_start, /* false_start */ 431 - - wolfssl_sha256sum /* sha256sum */ 432 - + wolfssl_sha256sum, /* sha256sum */ 433 - + NULL, /* associate_connection */ 434 - + NULL /* disassociate_connection */ 435 - }; 436 - 437 - #endif
-27
pkgs/tools/networking/curl/CVE-2021-22945.patch
··· 1 - From 43157490a5054bd24256fe12876931e8abc9df49 Mon Sep 17 00:00:00 2001 2 - From: z2_ on hackerone <> 3 - Date: Tue, 24 Aug 2021 09:50:33 +0200 4 - Subject: [PATCH] mqtt: clear the leftovers pointer when sending succeeds 5 - 6 - CVE-2021-22945 7 - 8 - Bug: https://curl.se/docs/CVE-2021-22945.html 9 - --- 10 - lib/mqtt.c | 4 ++++ 11 - 1 file changed, 4 insertions(+) 12 - 13 - diff --git a/lib/mqtt.c b/lib/mqtt.c 14 - index f077e6c3dc44..fcd40b41e600 100644 15 - --- a/lib/mqtt.c 16 - +++ b/lib/mqtt.c 17 - @@ -128,6 +128,10 @@ static CURLcode mqtt_send(struct Curl_easy *data, 18 - mq->sendleftovers = sendleftovers; 19 - mq->nsend = nsend; 20 - } 21 - + else { 22 - + mq->sendleftovers = NULL; 23 - + mq->nsend = 0; 24 - + } 25 - return result; 26 - } 27 -
+3 -6
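--- a/pkgs/tools/networking/curl/default.nix
+++ b/pkgs/tools/networking/curl/default.nix
@@ -43,21 +43,18 @@
 
 stdenv.mkDerivation rec {
   pname = "curl";
-  version = "7.76.1";
+  version = "7.79.1";
 
   src = fetchurl {
     urls = [
       "https://curl.haxx.se/download/${pname}-${version}.tar.bz2"
       "https://github.com/curl/curl/releases/download/${lib.replaceStrings ["."] ["_"] pname}-${version}/${pname}-${version}.tar.bz2"
     ];
-    sha256 = "1scmfrp0c27pkd7yva9k50miprjpsyfbb33apx72qc9igm6ii3ks";
+    sha256 = "0lbq73wz44p4fm2gp05mzrqrzfvhlmvlgfg8c8wkj5lkkamw8qny";
   };
 
   patches = [
-    ./CVE-2021-22897.patch
-    ./CVE-2021-22898.patch
-    ./CVE-2021-22901.patch
-    ./CVE-2021-22945.patch
+    ./7.79.1-darwin-no-systemconfiguration.patch
   ];
 
   outputs = [ "bin" "dev" "out" "man" "devdoc" ];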
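Review bot: The new patch is added to `patches` unconditionally, although its file name and header describe a darwin-only problem and its configure hunk removes the gethostbyname() abort for every platform, so Linux builds also lose that sanity check. Restricting it to darwin keeps the resolver guard elsewhere and documents the intended scope in the derivation itself: `patches = lib.optional stdenv.isDarwin ./7.79.1-darwin-no-systemconfiguration.patch;`. If the patch is deliberately meant for all platforms, a one-line comment above `patches` saying why would save the next bumper from narrowing it.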