bc7713fa88
Fixes CVE-2023-46218 and CVE-2023-46219. See <https://curl.se/docs/CVE-2023-46218.html> and <https://curl.se/docs/CVE-2023-46219.html> respectively. * gnu/packages/curl.scm (curl): Update to 8.5.0. * gnu/packages/patches/curl-use-ssl-cert-env.patch: Update patch. Change-Id: Iaa6aa5de0f45576dc06bf5eca1eec502e5c83332
65 lines
2.1 KiB
Diff
65 lines
2.1 KiB
Diff
Make libcurl respect the SSL_CERT_{DIR,FILE} variables by default. The variables
|
|
are fetched during initialization to preserve thread-safety (curl_global_init(3)
|
|
must be called when no other threads exist).
|
|
|
|
This fixes network functionality in rust:cargo, and probably removes the need
|
|
for other future workarounds.
|
|
===================================================================
|
|
--- curl-8.5.0.orig/lib/easy.c 2023-12-17 00:36:32.400468561 -0500
|
|
+++ curl-8.5.0/lib/easy.c 2023-12-17 00:39:08.898612331 -0500
|
|
@@ -137,6 +137,9 @@
|
|
static char *leakpointer;
|
|
#endif
|
|
|
|
+char * Curl_ssl_cert_dir = NULL;
|
|
+char * Curl_ssl_cert_file = NULL;
|
|
+
|
|
/**
|
|
* curl_global_init() globally initializes curl given a bitwise set of the
|
|
* different features of what to initialize.
|
|
@@ -163,6 +166,9 @@
|
|
goto fail;
|
|
}
|
|
|
|
+ Curl_ssl_cert_dir = curl_getenv("SSL_CERT_DIR");
|
|
+ Curl_ssl_cert_file = curl_getenv("SSL_CERT_FILE");
|
|
+
|
|
if(!Curl_ssl_init()) {
|
|
DEBUGF(fprintf(stderr, "Error: Curl_ssl_init failed\n"));
|
|
goto fail;
|
|
@@ -287,6 +293,9 @@
|
|
Curl_ssl_cleanup();
|
|
Curl_resolver_global_cleanup();
|
|
|
|
+ free(Curl_ssl_cert_dir);
|
|
+ free(Curl_ssl_cert_file);
|
|
+
|
|
#ifdef _WIN32
|
|
Curl_win32_cleanup(easy_init_flags);
|
|
#endif
|
|
diff -ur curl-7.66.0.orig/lib/url.c curl-7.66.0/lib/url.c
|
|
--- curl-7.66.0.orig/lib/url.c 2020-01-02 15:43:11.883921171 +0100
|
|
+++ curl-7.66.0/lib/url.c 2020-01-02 16:21:11.563880346 +0100
|
|
@@ -524,6 +524,21 @@
|
|
if(result)
|
|
return result;
|
|
#endif
|
|
+ extern char * Curl_ssl_cert_dir;
|
|
+ extern char * Curl_ssl_cert_file;
|
|
+ if(Curl_ssl_cert_dir) {
|
|
+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], Curl_ssl_cert_dir))
|
|
+ return result;
|
|
+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_PROXY], Curl_ssl_cert_dir))
|
|
+ return result;
|
|
+ }
|
|
+
|
|
+ if(Curl_ssl_cert_file) {
|
|
+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], Curl_ssl_cert_file))
|
|
+ return result;
|
|
+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_PROXY], Curl_ssl_cert_file))
|
|
+ return result;
|
|
+ }
|
|
}
|
|
|
|
set->wildcard_enabled = FALSE;
|