backport curl CVE to flatcar-3033 (LTS-2022)
CVEs for which patches are added: CVE-2023-38545, CVE-2023-38546. Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
1 parent
de8b84f
commit 1a66a3e
Showing
12 changed files
with
1,604 additions
and
0 deletions.
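--- a/sdk_container/src/third_party/coreos-overlay/net-misc/curl/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/curl/Manifest
@@ -0,0 +1,3 @@
+DIST curl-7.78.0.tar.xz 2440640 BLAKE2B 0422071ce22d38b89652c702989674a2257dd18b05004245c4f2d7494ccdd24b5b52f330629ce6a411a059d5990e8c879cbbdf23d873b881141f9d2b9ad07f7f SHA512 f72e822a0b5e28320ef547c7a441c07f3b4870579a70ab4c428751baba435a1385cb89a22b9ed4b84a7fafecf620f155911e4131e3463ec1bdad80ecde47bb7a
+DIST curl-7.79.0.tar.xz 2463072 BLAKE2B c3a8a60d3c04965272b1a439a4719cfaca903daaecd6265869b9188d1b6b13be63817b9daa77260673d67330baa3d9c2d917274f939cdadc467ac64d8fcf3203 SHA512 68bccba61f18de9f94c311b0d92cfa6572bb7e55e8773917c13b25203164a5a9f4ef6b8ad84a14d3d5dcb286271bf18c3dd84c4ca353866763c726f9defce808
+DIST curl-7.79.1.tar.xz 2465212 BLAKE2B 2b694f96661c0aa0a136fdae4159e0ca8e811557c5a1f0b47cccaaad122f3ddbdaa6450c3835290955baf9357e872ee105a8cb0912064af3d3e38d16beb124ad SHA512 1edb71647a7f4dbb070baf1a019b4751aefeda793ff523c504410bb5cc74e5bffc52f20dd889697d1585f9ca3c4e81b1a9caadd182c30c8358ffd25f33e4db4d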
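--- a/sdk_container/src/third_party/coreos-overlay/net-misc/curl/curl-7.78.0-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/curl/curl-7.78.0-r1.ebuild
@@ -0,0 +1,290 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+inherit autotools prefix multilib-minimal
+
+DESCRIPTION="A Client that groks URLs"
+HOMEPAGE="https://curl.haxx.se/"
+SRC_URI="https://curl.haxx.se/download/${P}.tar.xz"
+
+LICENSE="curl"
+SLOT="0"
+KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE="adns alt-svc brotli +ftp gnutls gopher hsts +http2 idn +imap ipv6 kerberos ldap mbedtls nss +openssl +pop3 +progress-meter rtmp samba +smtp ssh ssl sslv3 static-libs test telnet +tftp threads winssl zstd"
+IUSE+=" curl_ssl_gnutls curl_ssl_mbedtls curl_ssl_nss +curl_ssl_openssl curl_ssl_winssl"
+IUSE+=" nghttp3 quiche"
+IUSE+=" elibc_Winnt"
+
+# c-ares must be disabled for threads
+# only one default ssl provider can be enabled
+REQUIRED_USE="
+winssl? ( elibc_Winnt )
+threads? ( !adns )
+ssl? (
+^^ (
+curl_ssl_gnutls
+curl_ssl_mbedtls
+curl_ssl_nss
+curl_ssl_openssl
+curl_ssl_winssl
+)
+)"
+
+# lead to lots of false negatives, bug #285669
+RESTRICT="!test? ( test )"
+
+RDEPEND="ldap? ( net-nds/openldap[${MULTILIB_USEDEP}] )
+brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] )
+ssl? (
+gnutls? (
+net-libs/gnutls:0=[static-libs?,${MULTILIB_USEDEP}]
+dev-libs/nettle:0=[${MULTILIB_USEDEP}]
+app-misc/ca-certificates
+)
+mbedtls? (
+net-libs/mbedtls:0=[${MULTILIB_USEDEP}]
+app-misc/ca-certificates
+)
+openssl? (
+dev-libs/openssl:0=[sslv3(-)=,static-libs?,${MULTILIB_USEDEP}]
+)
+nss? (
+dev-libs/nss:0[${MULTILIB_USEDEP}]
+app-misc/ca-certificates
+)
+)
+http2? ( net-libs/nghttp2:=[${MULTILIB_USEDEP}] )
+nghttp3? (
+net-libs/nghttp3[${MULTILIB_USEDEP}]
+net-libs/ngtcp2[ssl,${MULTILIB_USEDEP}]
+)
+quiche? ( >=net-libs/quiche-0.3.0[${MULTILIB_USEDEP}] )
+idn? ( net-dns/libidn2:0=[static-libs?,${MULTILIB_USEDEP}] )
+adns? ( net-dns/c-ares:0=[${MULTILIB_USEDEP}] )
+kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] )
+rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] )
+ssh? ( net-libs/libssh2[${MULTILIB_USEDEP}] )
+sys-libs/zlib[${MULTILIB_USEDEP}]
+zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] )"
+
+# Do we need to enforce the same ssl backend for curl and rtmpdump? Bug #423303
+# rtmp? (
+# media-video/rtmpdump
+# curl_ssl_gnutls? ( media-video/rtmpdump[gnutls] )
+# curl_ssl_openssl? ( media-video/rtmpdump[-gnutls,ssl] )
+# )
+
+# ssl providers to be added:
+# fbopenssl $(use_with spnego)
+
+DEPEND="${RDEPEND}"
+BDEPEND="virtual/pkgconfig
+test? (
+sys-apps/diffutils
+dev-lang/perl
+)"
+
+DOCS=( CHANGES README docs/{FEATURES.md,INTERNALS.md,FAQ,BUGS.md,CONTRIBUTE.md} )
+
+MULTILIB_WRAPPED_HEADERS=(
+/usr/include/curl/curlbuild.h
+)
+
+MULTILIB_CHOST_TOOLS=(
+/usr/bin/curl-config
+)
+
+PATCHES=(
+"${FILESDIR}"/${PN}-7.30.0-prefix.patch
+"${FILESDIR}"/${PN}-respect-cflags-3.patch
+)
+
+src_prepare() {
+default
+
+eprefixify curl-config.in
+eautoreconf
+}
+
+multilib_src_configure() {
+# We make use of the fact that later flags override earlier ones
+# So start with all ssl providers off until proven otherwise
+# TODO: in the future, we may want to add wolfssl (https://www.wolfssl.com/)
+local myconf=()
+
+myconf+=( --without-gnutls --without-mbedtls --without-nss --without-polarssl --without-ssl --without-winssl )
+myconf+=( --without-ca-fallback --with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt )
+#myconf+=( --without-default-ssl-backend )
+if use ssl ; then
+if use gnutls || use curl_ssl_gnutls; then
+einfo "SSL provided by gnutls"
+myconf+=( --with-gnutls --with-nettle )
+fi
+if use mbedtls || use curl_ssl_mbedtls; then
+einfo "SSL provided by mbedtls"
+myconf+=( --with-mbedtls )
+fi
+if use nss || use curl_ssl_nss; then
+einfo "SSL provided by nss"
+myconf+=( --with-nss )
+fi
+if use openssl || use curl_ssl_openssl; then
+einfo "SSL provided by openssl"
+myconf+=( --with-ssl --with-ca-path="${EPREFIX}"/etc/ssl/certs )
+fi
+if use winssl || use curl_ssl_winssl; then
+einfo "SSL provided by Windows"
+myconf+=( --with-winssl )
+fi
+
+if use curl_ssl_gnutls; then
+einfo "Default SSL provided by gnutls"
+myconf+=( --with-default-ssl-backend=gnutls )
+elif use curl_ssl_mbedtls; then
+einfo "Default SSL provided by mbedtls"
+myconf+=( --with-default-ssl-backend=mbedtls )
+elif use curl_ssl_nss; then
+einfo "Default SSL provided by nss"
+myconf+=( --with-default-ssl-backend=nss )
+elif use curl_ssl_openssl; then
+einfo "Default SSL provided by openssl"
+myconf+=( --with-default-ssl-backend=openssl )
+elif use curl_ssl_winssl; then
+einfo "Default SSL provided by Windows"
+myconf+=( --with-default-ssl-backend=winssl )
+else
+eerror "We can't be here because of REQUIRED_USE."
+fi
+
+else
+einfo "SSL disabled"
+fi
+
+# These configuration options are organized alphabetically
+# within each category. This should make it easier if we
+# ever decide to make any of them contingent on USE flags:
+# 1) protocols first. To see them all do
+# 'grep SUPPORT_PROTOCOLS configure.ac'
+# 2) --enable/disable options second.
+# 'grep -- --enable configure | grep Check | awk '{ print $4 }' | sort
+# 3) --with/without options third.
+# grep -- --with configure | grep Check | awk '{ print $4 }' | sort
+
+myconf+=(
+$(use_enable alt-svc)
+--enable-crypto-auth
+--enable-dict
+--disable-ech
+--enable-file
+$(use_enable ftp)
+$(use_enable gopher)
+$(use_enable hsts)
+--enable-http
+$(use_enable imap)
+$(use_enable ldap)
+$(use_enable ldap ldaps)
+--disable-ntlm
+--disable-ntlm-wb
+$(use_enable pop3)
+--enable-rt
+--enable-rtsp
+$(use_enable samba smb)
+$(use_with ssh libssh2)
+$(use_enable smtp)
+$(use_enable telnet)
+$(use_enable tftp)
+--enable-tls-srp
+$(use_enable adns ares)
+--enable-cookies
+--enable-dateparse
+--enable-dnsshuffle
+--enable-doh
+--enable-hidden-symbols
+--enable-http-auth
+$(use_enable ipv6)
+--enable-largefile
+--enable-manual
+--enable-mime
+--enable-netrc
+$(use_enable progress-meter)
+--enable-proxy
+--disable-sspi
+$(use_enable static-libs static)
+$(use_enable threads threaded-resolver)
+$(use_enable threads pthreads)
+--disable-versioned-symbols
+--without-amissl
+--without-bearssl
+$(use_with brotli)
+--without-cyassl
+--without-fish-functions-dir
+$(use_with http2 nghttp2)
+--without-hyper
+$(use_with idn libidn2)
+$(use_with kerberos gssapi "${EPREFIX}"/usr)
+--without-libgsasl
+--without-libpsl
+$(use_with nghttp3)
+$(use_with nghttp3 ngtcp2)
+$(use_with quiche)
+$(use_with rtmp librtmp)
+--without-rustls
+--without-schannel
+--without-secure-transport
+--without-spnego
+--without-winidn
+--without-wolfssl
+--with-zlib
+$(use_with zstd)
+)
+
+ECONF_SOURCE="${S}" \
+econf "${myconf[@]}"
+
+if ! multilib_is_native_abi; then
+# avoid building the client
+sed -i -e '/SUBDIRS/s:src::' Makefile || die
+sed -i -e '/SUBDIRS/s:scripts::' Makefile || die
+fi
+
+# Fix up the pkg-config file to be more robust.
+# https://github.com/curl/curl/issues/864
+local priv=() libs=()
+# We always enable zlib.
+libs+=( "-lz" )
+priv+=( "zlib" )
+if use http2; then
+libs+=( "-lnghttp2" )
+priv+=( "libnghttp2" )
+fi
+if use quiche; then
+libs+=( "-lquiche" )
+priv+=( "quiche" )
+fi
+if use nghttp3; then
+libs+=( "-lnghttp3" "-lngtcp2" )
+priv+=( "libnghttp3" "-libtcp2" )
+fi
+if use ssl && use curl_ssl_openssl; then
+libs+=( "-lssl" "-lcrypto" )
+priv+=( "openssl" )
+fi
+grep -q Requires.private libcurl.pc && die "need to update ebuild"
+libs=$(printf '|%s' "${libs[@]}")
+sed -i -r \
+-e "/^Libs.private/s:(${libs#|})( |$)::g" \
+libcurl.pc || die
+echo "Requires.private: ${priv[*]}" >> libcurl.pc
+}
+
+multilib_src_test() {
+multilib_is_native_abi && default_src_test
+}
+
+multilib_src_install_all() {
+einstalldocs
+find "${ED}" -type f -name '*.la' -delete || die
+rm -rf "${ED}"/etc/ || die
+}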
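Review bot: The PATCHES array in this new curl-7.78.0-r1 ebuild lists only `"${FILESDIR}"/${PN}-7.30.0-prefix.patch` and `"${FILESDIR}"/${PN}-respect-cflags-3.patch`, so this revision applies neither of the CVE-2023-38545/CVE-2023-38546 fixes the commit message says are being backported; unless one of the other changed files is the revision that actually carries them, this ebuild builds an unpatched 7.78.0. If the fixes belong here, add the patch files to PATCHES (e.g. `"${FILESDIR}"/${PN}-<cve-fix>.patch`, name is a placeholder) with a one-line comment naming the CVE each addresses so the backport can be audited against the commit message. Separately, in multilib_src_configure the nghttp3 branch appends `"-libtcp2"` to priv while libs gets `"-lngtcp2"`; that Requires.private entry looks like a typo for the ngtcp2 pkg-config module name (presumably `libngtcp2`) and would leave a bogus dependency in libcurl.pc for nghttp3 builds.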