Skip to content

[21.11] curl: add patches for CVE-2022-27781 & CVE-2022-27782#172640

Closed
risicle wants to merge 0 commit intoNixOS:staging-21.11from
risicle:ris-curl-CVEs-202205-r21.11
Closed

[21.11] curl: add patches for CVE-2022-27781 & CVE-2022-27782#172640
risicle wants to merge 0 commit intoNixOS:staging-21.11from
risicle:ris-curl-CVEs-202205-r21.11

Conversation

@risicle
Copy link
Contributor

@risicle risicle commented May 12, 2022
edited
Loading

Description of changes

https://curl.se/docs/CVE-2022-27781.html
https://curl.se/docs/CVE-2022-27782.html

Other issues listed in https://daniel.haxx.se/blog/2022/05/11/curl-7-83-1-it-burns/ don't affect 7.79.1. See #172576 for master.

Do inspect these patches as the CVE-2022-27782 TLS one in particular needed some mangling.

To aid testing, I've temporarily pushed two commits on here which:

I'll discard those before I un-draft this PR.

Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 22.05 Release Notes (or backporting 21.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
    • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
  • Fits CONTRIBUTING.md.

@risicle risicle added the 1.severity: security Issues which raise a security issue, or PRs that fix one label May 12, 2022
@ofborg ofborg bot added 10.rebuild-darwin-stdenv This PR causes stdenv to rebuild on Darwin and must target a staging branch. 8.has: package (new) This PR adds a new package labels May 12, 2022
@ofborg ofborg bot requested review from adevress, edolstra, lovek323 and np May 12, 2022 02:06
@ofborg ofborg bot added 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-darwin: 5001+ This PR causes many rebuilds on Darwin and must target the staging branches. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. labels May 12, 2022
lheckemann
lheckemann approved these changes May 13, 2022
View reviewed changes
Copy link
Member

@lheckemann lheckemann left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The SSH patch looks fine to me.

@risicle risicle force-pushed the ris-curl-CVEs-202205-r21.11 branch from c55d0f3 to 9c3246a Compare May 13, 2022 19:59
vcunat added a commit that referenced this pull request May 15, 2022
@vcunat
Merge #172640: curl: patch CVE-2022-27781 & CVE-2022-27782
67e5b8d 
...into staging-21.11
@risicle risicle closed this May 15, 2022
@risicle risicle force-pushed the ris-curl-CVEs-202205-r21.11 branch from 9c3246a to 018e284 Compare May 15, 2022 19:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@edolstra edolstra Awaiting requested review from edolstra

@lovek323 lovek323 Awaiting requested review from lovek323

@np np Awaiting requested review from np

@adevress adevress Awaiting requested review from adevress

1 more reviewer

@lheckemann lheckemann lheckemann approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

1.severity: security Issues which raise a security issue, or PRs that fix one 8.has: package (new) This PR adds a new package 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-darwin: 5001+ This PR causes many rebuilds on Darwin and must target the staging branches. 10.rebuild-darwin-stdenv This PR causes stdenv to rebuild on Darwin and must target a staging branch. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@risicle @lheckemann