From 140fde4c343963235556c3793e56b51b50f4acb4 Mon Sep 17 00:00:00 2001 From: Peter Marko Date: Sat, 7 Jun 2025 23:34:17 +0200 Subject: curl: upgrade 8.12.1 -> 8.14.1 Handle CVE-2025-4947 and CVE-2025-5025. CVE-2025-5399 fixed in 8.14.1 was introduced only in 8.13.0, so Yocto never had version vulnerable to it. Rebase patches. Add openssl-native dependency fo ptest to fix following error: Missing or broken 'openssl' tool. openssl 1.0.2+ is required. Without it, this script cannot generate the necessary certificates the curl test suite needs for all its TLS related tests. at ../../../curl-8.14.0/tests/certs/genserv.pl line 33. Install curlinfo for tests required since 8.14.0 https://github.com/curl/curl/commit/7a1211d474afd4e36bfb39f2b870a418bce42138 (From OE-Core rev: d990ee6c49e3fcf969e54688397d47f0d0892ba1) Signed-off-by: Peter Marko Signed-off-by: Richard Purdie --- .../curl/curl/no-test-timeout.patch | 2 +- meta/recipes-support/curl/curl_8.12.1.bb | 166 -------------------- meta/recipes-support/curl/curl_8.14.1.bb | 171 +++++++++++++++++++++ 3 files changed, 172 insertions(+), 167 deletions(-) delete mode 100644 meta/recipes-support/curl/curl_8.12.1.bb create mode 100644 meta/recipes-support/curl/curl_8.14.1.bb diff --git a/meta/recipes-support/curl/curl/no-test-timeout.patch b/meta/recipes-support/curl/curl/no-test-timeout.patch index 677d177302..5b901a6fe9 100644 --- a/meta/recipes-support/curl/curl/no-test-timeout.patch +++ b/meta/recipes-support/curl/curl/no-test-timeout.patch @@ -14,7 +14,7 @@ diff --git a/tests/servers.pm b/tests/servers.pm index d4472d5..9999938 100644 --- a/tests/servers.pm +++ b/tests/servers.pm -@@ -123,7 +123,7 @@ my $sshdverstr; # for socks server, ssh daemon version string +@@ -124,7 +124,7 @@ my $sshdverstr; # for socks server, ssh daemon version string my $sshderror; # for socks server, ssh daemon version error my %doesntrun; # servers that don't work, identified by pidfile my %PORT = (nolisten => 47); # port we use for a local non-listening service diff --git a/meta/recipes-support/curl/curl_8.12.1.bb b/meta/recipes-support/curl/curl_8.12.1.bb deleted file mode 100644 index 4192693da8..0000000000 --- a/meta/recipes-support/curl/curl_8.12.1.bb +++ /dev/null @@ -1,166 +0,0 @@ -SUMMARY = "Command line tool and library for client-side URL transfers" -DESCRIPTION = "It uses URL syntax to transfer data to and from servers. \ -curl is a widely used because of its ability to be flexible and complete \ -complex tasks. For example, you can use curl for things like user authentication, \ -HTTP post, SSL connections, proxy support, FTP uploads, and more!" -HOMEPAGE = "https://curl.se/" -BUGTRACKER = "https://github.com/curl/curl/issues" -SECTION = "console/network" -LICENSE = "curl" -LIC_FILES_CHKSUM = "file://COPYING;md5=72f4e9890e99e68d77b7e40703d789b8" - -SRC_URI = " \ - https://curl.se/download/${BP}.tar.xz \ - file://run-ptest \ - file://disable-tests \ - file://no-test-timeout.patch \ -" - -SRC_URI:append:class-nativesdk = " \ - file://environment.d-curl.sh \ -" - -SRC_URI[sha256sum] = "0341f1ed97a26c811abaebd37d62b833956792b7607ea3f15d001613c76de202" - -# Curl has used many names over the years... -CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl" -CVE_STATUS[CVE-2024-32928] = "ignored: CURLOPT_SSL_VERIFYPEER was disabled on google cloud services causing a potential man in the middle attack" - -inherit autotools pkgconfig binconfig multilib_header ptest - -COMMON_PACKAGECONFIG = "basic-auth bearer-auth digest-auth ipfs negotiate-auth openssl proxy threaded-resolver verbose zlib" -PACKAGECONFIG ??= "${COMMON_PACKAGECONFIG} ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} aws libidn" -PACKAGECONFIG:class-native = "${COMMON_PACKAGECONFIG} ipv6" -PACKAGECONFIG:class-nativesdk = "${COMMON_PACKAGECONFIG} ipv6" - -# 'ares' and 'threaded-resolver' are mutually exclusive -PACKAGECONFIG[ares] = "--enable-ares,--disable-ares,c-ares,,,threaded-resolver" -PACKAGECONFIG[aws] = "--enable-aws,--disable-aws" -PACKAGECONFIG[basic-auth] = "--enable-basic-auth,--disable-basic-auth" -PACKAGECONFIG[bearer-auth] = "--enable-bearer-auth,--disable-bearer-auth" -PACKAGECONFIG[brotli] = "--with-brotli,--without-brotli,brotli" -PACKAGECONFIG[builtinmanual] = "--enable-manual,--disable-manual" -# Don't use this in production -PACKAGECONFIG[debug] = "--enable-debug,--disable-debug" -PACKAGECONFIG[dict] = "--enable-dict,--disable-dict," -PACKAGECONFIG[digest-auth] = "--enable-digest-auth,--disable-digest-auth" -PACKAGECONFIG[gnutls] = "--with-gnutls,--without-gnutls,gnutls" -PACKAGECONFIG[gopher] = "--enable-gopher,--disable-gopher," -PACKAGECONFIG[imap] = "--enable-imap,--disable-imap," -PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6," -PACKAGECONFIG[ipfs] = "--enable-ipfs,--disable-ipfs," -PACKAGECONFIG[kerberos-auth] = "--enable-kerberos-auth,--disable-kerberos-auth" -PACKAGECONFIG[krb5] = "--with-gssapi,--without-gssapi,krb5" -PACKAGECONFIG[ldap] = "--enable-ldap,--disable-ldap,openldap" -PACKAGECONFIG[ldaps] = "--enable-ldaps,--disable-ldaps,openldap" -PACKAGECONFIG[libgsasl] = "--with-libgsasl,--without-libgsasl,libgsasl" -PACKAGECONFIG[libidn] = "--with-libidn2,--without-libidn2,libidn2" -PACKAGECONFIG[libssh2] = "--with-libssh2,--without-libssh2,libssh2" -PACKAGECONFIG[mbedtls] = "--with-mbedtls=${STAGING_DIR_TARGET},--without-mbedtls,mbedtls" -PACKAGECONFIG[mqtt] = "--enable-mqtt,--disable-mqtt," -PACKAGECONFIG[negotiate-auth] = "--enable-negotiate-auth,--disable-negotiate-auth" -PACKAGECONFIG[nghttp2] = "--with-nghttp2,--without-nghttp2,nghttp2" -PACKAGECONFIG[openssl] = "--with-openssl,--without-openssl,openssl" -PACKAGECONFIG[pop3] = "--enable-pop3,--disable-pop3," -PACKAGECONFIG[proxy] = "--enable-proxy,--disable-proxy," -PACKAGECONFIG[rtmpdump] = "--with-librtmp,--without-librtmp,rtmpdump" -PACKAGECONFIG[rtsp] = "--enable-rtsp,--disable-rtsp," -PACKAGECONFIG[smb] = "--enable-smb,--disable-smb," -PACKAGECONFIG[smtp] = "--enable-smtp,--disable-smtp," -PACKAGECONFIG[telnet] = "--enable-telnet,--disable-telnet," -PACKAGECONFIG[tftp] = "--enable-tftp,--disable-tftp," -PACKAGECONFIG[threaded-resolver] = "--enable-threaded-resolver,--disable-threaded-resolver,,,,ares" -PACKAGECONFIG[verbose] = "--enable-verbose,--disable-verbose" -PACKAGECONFIG[websockets] = "--enable-websockets,--disable-websockets" -PACKAGECONFIG[zlib] = "--with-zlib=${STAGING_LIBDIR}/../,--without-zlib,zlib" -PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd" - -EXTRA_OECONF = " \ - --disable-libcurl-option \ - --without-libpsl \ - --enable-optimize \ - ${@'--without-ssl' if (bb.utils.filter('PACKAGECONFIG', 'gnutls mbedtls openssl', d) == '') else ''} \ - WATT_ROOT=${STAGING_DIR_TARGET}${prefix} \ -" -EXTRA_OECONF:append:class-target = " \ - --with-ca-bundle=${sysconfdir}/ssl/certs/ca-certificates.crt \ -" - -fix_absolute_paths () { - # cleanup buildpaths from curl-config - sed -i \ - -e 's,--sysroot=${STAGING_DIR_TARGET},,g' \ - -e 's,--with-libtool-sysroot=${STAGING_DIR_TARGET},,g' \ - -e 's|${DEBUG_PREFIX_MAP}||g' \ - -e 's|${@" ".join(d.getVar("DEBUG_PREFIX_MAP").split())}||g' \ - ${D}${bindir}/curl-config -} - -do_install:append:class-target() { - fix_absolute_paths -} - -do_install:append:class-nativesdk() { - fix_absolute_paths - - mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d - install -m 644 ${UNPACKDIR}/environment.d-curl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/curl.sh -} - -do_compile_ptest() { - oe_runmake -C ${B}/tests -} - -do_install_ptest() { - install -d ${D}${PTEST_PATH}/tests - cp ${S}/tests/*.p[lmy] ${D}${PTEST_PATH}/tests/ - - install -d ${D}${PTEST_PATH}/tests/libtest - for name in $(makefile-getvar ${B}/tests/libtest/Makefile noinst_PROGRAMS noinst_LTLIBRARIES); do - ${B}/libtool --mode=install install ${B}/tests/libtest/$name ${D}${PTEST_PATH}/tests/libtest - done - rm -f ${D}${PTEST_PATH}/tests/libtest/libhostname.la - - install -d ${D}${PTEST_PATH}/tests/server - for name in $(makefile-getvar ${B}/tests/server/Makefile noinst_PROGRAMS); do - ${B}/libtool --mode=install install ${B}/tests/server/$name ${D}${PTEST_PATH}/tests/server - done - - cp -r ${S}/tests/data ${D}${PTEST_PATH}/tests/ - - # More tests that we disable for automated QA as they're not reliable - cat ${UNPACKDIR}/disable-tests >>${D}${PTEST_PATH}/tests/data/DISABLED -} - -RDEPENDS:${PN}-ptest += " \ - locale-base-en-us \ - perl-module-b \ - perl-module-base \ - perl-module-cwd \ - perl-module-digest \ - perl-module-digest-md5 \ - perl-module-digest-sha \ - perl-module-file-basename \ - perl-module-file-spec \ - perl-module-file-temp \ - perl-module-i18n-langinfo \ - perl-module-io-socket \ - perl-module-ipc-open2 \ - perl-module-list-util \ - perl-module-memoize \ - perl-module-storable \ - perl-module-time-hires \ -" - -PACKAGES =+ "lib${BPN}" - -FILES:lib${BPN} = "${libdir}/lib*.so.*" -RRECOMMENDS:lib${BPN} += "ca-certificates" - -FILES:${PN} += "${datadir}/zsh" -FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/curl.sh" - -inherit multilib_script -MULTILIB_SCRIPTS = "${PN}-dev:${bindir}/curl-config" - -BBCLASSEXTEND = "native nativesdk" diff --git a/meta/recipes-support/curl/curl_8.14.1.bb b/meta/recipes-support/curl/curl_8.14.1.bb new file mode 100644 index 0000000000..08ad9cdb17 --- /dev/null +++ b/meta/recipes-support/curl/curl_8.14.1.bb @@ -0,0 +1,171 @@ +SUMMARY = "Command line tool and library for client-side URL transfers" +DESCRIPTION = "It uses URL syntax to transfer data to and from servers. \ +curl is a widely used because of its ability to be flexible and complete \ +complex tasks. For example, you can use curl for things like user authentication, \ +HTTP post, SSL connections, proxy support, FTP uploads, and more!" +HOMEPAGE = "https://curl.se/" +BUGTRACKER = "https://github.com/curl/curl/issues" +SECTION = "console/network" +LICENSE = "curl" +LIC_FILES_CHKSUM = "file://COPYING;md5=72f4e9890e99e68d77b7e40703d789b8" + +SRC_URI = " \ + https://curl.se/download/${BP}.tar.xz \ + file://run-ptest \ + file://disable-tests \ + file://no-test-timeout.patch \ +" + +SRC_URI:append:class-nativesdk = " \ + file://environment.d-curl.sh \ +" + +SRC_URI[sha256sum] = "f4619a1e2474c4bbfedc88a7c2191209c8334b48fa1f4e53fd584cc12e9120dd" + +# Curl has used many names over the years... +CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl" +CVE_STATUS[CVE-2024-32928] = "ignored: CURLOPT_SSL_VERIFYPEER was disabled on google cloud services causing a potential man in the middle attack" + +inherit autotools pkgconfig binconfig multilib_header ptest + +COMMON_PACKAGECONFIG = "basic-auth bearer-auth digest-auth ipfs negotiate-auth openssl proxy threaded-resolver verbose zlib" +PACKAGECONFIG ??= "${COMMON_PACKAGECONFIG} ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} aws libidn" +PACKAGECONFIG:class-native = "${COMMON_PACKAGECONFIG} ipv6" +PACKAGECONFIG:class-nativesdk = "${COMMON_PACKAGECONFIG} ipv6" + +# 'ares' and 'threaded-resolver' are mutually exclusive +PACKAGECONFIG[ares] = "--enable-ares,--disable-ares,c-ares,,,threaded-resolver" +PACKAGECONFIG[aws] = "--enable-aws,--disable-aws" +PACKAGECONFIG[basic-auth] = "--enable-basic-auth,--disable-basic-auth" +PACKAGECONFIG[bearer-auth] = "--enable-bearer-auth,--disable-bearer-auth" +PACKAGECONFIG[brotli] = "--with-brotli,--without-brotli,brotli" +PACKAGECONFIG[builtinmanual] = "--enable-manual,--disable-manual" +# Don't use this in production +PACKAGECONFIG[debug] = "--enable-debug,--disable-debug" +PACKAGECONFIG[dict] = "--enable-dict,--disable-dict," +PACKAGECONFIG[digest-auth] = "--enable-digest-auth,--disable-digest-auth" +PACKAGECONFIG[gnutls] = "--with-gnutls,--without-gnutls,gnutls" +PACKAGECONFIG[gopher] = "--enable-gopher,--disable-gopher," +PACKAGECONFIG[imap] = "--enable-imap,--disable-imap," +PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6," +PACKAGECONFIG[ipfs] = "--enable-ipfs,--disable-ipfs," +PACKAGECONFIG[kerberos-auth] = "--enable-kerberos-auth,--disable-kerberos-auth" +PACKAGECONFIG[krb5] = "--with-gssapi,--without-gssapi,krb5" +PACKAGECONFIG[ldap] = "--enable-ldap,--disable-ldap,openldap" +PACKAGECONFIG[ldaps] = "--enable-ldaps,--disable-ldaps,openldap" +PACKAGECONFIG[libgsasl] = "--with-libgsasl,--without-libgsasl,libgsasl" +PACKAGECONFIG[libidn] = "--with-libidn2,--without-libidn2,libidn2" +PACKAGECONFIG[libssh2] = "--with-libssh2,--without-libssh2,libssh2" +PACKAGECONFIG[mbedtls] = "--with-mbedtls=${STAGING_DIR_TARGET},--without-mbedtls,mbedtls" +PACKAGECONFIG[mqtt] = "--enable-mqtt,--disable-mqtt," +PACKAGECONFIG[negotiate-auth] = "--enable-negotiate-auth,--disable-negotiate-auth" +PACKAGECONFIG[nghttp2] = "--with-nghttp2,--without-nghttp2,nghttp2" +PACKAGECONFIG[openssl] = "--with-openssl,--without-openssl,openssl" +PACKAGECONFIG[pop3] = "--enable-pop3,--disable-pop3," +PACKAGECONFIG[proxy] = "--enable-proxy,--disable-proxy," +PACKAGECONFIG[rtmpdump] = "--with-librtmp,--without-librtmp,rtmpdump" +PACKAGECONFIG[rtsp] = "--enable-rtsp,--disable-rtsp," +PACKAGECONFIG[smb] = "--enable-smb,--disable-smb," +PACKAGECONFIG[smtp] = "--enable-smtp,--disable-smtp," +PACKAGECONFIG[telnet] = "--enable-telnet,--disable-telnet," +PACKAGECONFIG[tftp] = "--enable-tftp,--disable-tftp," +PACKAGECONFIG[threaded-resolver] = "--enable-threaded-resolver,--disable-threaded-resolver,,,,ares" +PACKAGECONFIG[verbose] = "--enable-verbose,--disable-verbose" +PACKAGECONFIG[websockets] = "--enable-websockets,--disable-websockets" +PACKAGECONFIG[zlib] = "--with-zlib=${STAGING_LIBDIR}/../,--without-zlib,zlib" +PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd" + +EXTRA_OECONF = " \ + --disable-libcurl-option \ + --without-libpsl \ + --enable-optimize \ + ${@'--without-ssl' if (bb.utils.filter('PACKAGECONFIG', 'gnutls mbedtls openssl', d) == '') else ''} \ + WATT_ROOT=${STAGING_DIR_TARGET}${prefix} \ +" +EXTRA_OECONF:append:class-target = " \ + --with-ca-bundle=${sysconfdir}/ssl/certs/ca-certificates.crt \ +" + +fix_absolute_paths () { + # cleanup buildpaths from curl-config + sed -i \ + -e 's,--sysroot=${STAGING_DIR_TARGET},,g' \ + -e 's,--with-libtool-sysroot=${STAGING_DIR_TARGET},,g' \ + -e 's|${DEBUG_PREFIX_MAP}||g' \ + -e 's|${@" ".join(d.getVar("DEBUG_PREFIX_MAP").split())}||g' \ + ${D}${bindir}/curl-config +} + +do_install:append:class-target() { + fix_absolute_paths +} + +do_install:append:class-nativesdk() { + fix_absolute_paths + + mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d + install -m 644 ${UNPACKDIR}/environment.d-curl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/curl.sh +} + +do_compile_ptest() { + oe_runmake -C ${B}/tests +} + +do_install_ptest() { + install -d ${D}${PTEST_PATH}/tests + cp ${S}/tests/*.p[lmy] ${D}${PTEST_PATH}/tests/ + + install -d ${D}${PTEST_PATH}/tests/libtest + for name in $(makefile-getvar ${B}/tests/libtest/Makefile noinst_PROGRAMS noinst_LTLIBRARIES); do + ${B}/libtool --mode=install install ${B}/tests/libtest/$name ${D}${PTEST_PATH}/tests/libtest + done + rm -f ${D}${PTEST_PATH}/tests/libtest/libhostname.la + + install -d ${D}${PTEST_PATH}/tests/server + for name in $(makefile-getvar ${B}/tests/server/Makefile noinst_PROGRAMS); do + ${B}/libtool --mode=install install ${B}/tests/server/$name ${D}${PTEST_PATH}/tests/server + done + + install -d ${D}${PTEST_PATH}/src + install -m 755 ${B}/src/curlinfo ${D}${PTEST_PATH}/src + + cp -r ${S}/tests/data ${D}${PTEST_PATH}/tests/ + + # More tests that we disable for automated QA as they're not reliable + cat ${UNPACKDIR}/disable-tests >>${D}${PTEST_PATH}/tests/data/DISABLED +} + +DEPENDS:append:class-target = "${@bb.utils.contains('PTEST_ENABLED', '1', ' openssl-native', '', d)}" + +RDEPENDS:${PN}-ptest += " \ + locale-base-en-us \ + perl-module-b \ + perl-module-base \ + perl-module-cwd \ + perl-module-digest \ + perl-module-digest-md5 \ + perl-module-digest-sha \ + perl-module-file-basename \ + perl-module-file-spec \ + perl-module-file-temp \ + perl-module-i18n-langinfo \ + perl-module-io-socket \ + perl-module-ipc-open2 \ + perl-module-list-util \ + perl-module-memoize \ + perl-module-storable \ + perl-module-time-hires \ +" + +PACKAGES =+ "lib${BPN}" + +FILES:lib${BPN} = "${libdir}/lib*.so.*" +RRECOMMENDS:lib${BPN} += "ca-certificates" + +FILES:${PN} += "${datadir}/zsh" +FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/curl.sh" + +inherit multilib_script +MULTILIB_SCRIPTS = "${PN}-dev:${bindir}/curl-config" + +BBCLASSEXTEND = "native nativesdk" -- cgit v1.2.3-54-g00ecf