Created attachment 244810
Patch file

Update to 8.3.0.

ChangeLog: https://curl.se/changes.html#8_3_0
MFH: 2023Q3
Security: 833b469b-5247-11ee-9667-080027f5fec9
Created attachment 244811
Patch file to update VuXML database

Add entry to VuXML database.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a3dec5316c3e45a676eef22de283ad57ea6a3111

```
commit a3dec5316c3e45a676eef22de283ad57ea6a3111
Author:     Bernard Spil <brnrd@FreeBSD.org>
AuthorDate: 2023-09-16 13:27:51 +0000
Commit:     Bernard Spil <brnrd@FreeBSD.org>
CommitDate: 2023-09-16 13:27:51 +0000

    security/vuxml: Document cURL vulnerability

    PR:          273764
    Reported by: yasu

 security/vuxml/attachment.cgi?id=244811 (new) | 57 +++++++++++++++++++++++++++
 security/vuxml/vuln/2023.xml                  | 36 +++++++++++++++++
 2 files changed, 93 insertions(+)
```
Created attachment 244937
git diff for ftp/curl

Updated patch to remove CA_BUNDLE from default options. All supported versions of FreeBSD have the hashed certs in /etc/ssl/certs/

Validated that this works without the additional Mozilla bundle

```
❯ curl -v https://freebsd.org -o/dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Trying 96.47.72.84:443...
* Connected to freebsd.org (96.47.72.84) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [314 bytes data]
* CAfile: none
* CApath: /etc/ssl/certs/
```
(In reply to Bernard Spil from comment #3) Please note Bug 273440 which does the right thing. The CA_BUNDLE option is obsolete.
(In reply to Bernard Spil from comment #3) Please submit the patch to remove the CA_BUNDLE option as a separate bug report. There is no relation between updating to the new version and removing the CA_BUNDLE option.
(In reply to Yasuhiro Kimura from comment #5) I second that.
I'm a non-git user (I update with gitup), and therefore the first patch listed works for me ("patch -p1 < ftp_curl.patch"), but patch rejects the third patch listed. They sure look the same to me so I don't know why. And it doesn't matter in any case. I hope the change gets committed soon. Thanks to all for the good work!
(In reply to Michael Osipov from comment #4) In this regard I reported https://github.com/curl/curl/issues/11883, which should make life easier on FreeBSD if you want to use wolfSSL.
(In reply to Yasuhiro Kimura from comment #0) I have used your patch on FreeBSD 12.4 to update to curl 8.3.0, but the new version of curl seems to need security/libgsasl as a dependency (or does use it when available at build time). I do build packages on one system and then install them on the others. On the build system security/libgsasl was already installed because of another dependency, but not on another one where ClamAV is installed. My monitoring started to complain with 'daily.cvd out of date by 27037 revisions', which is a completely wrong value, as when it happened, it would be only 1 revision behind (as checks now show, the installed revision was 27037). So I tried to restart clamav-clamd and clamav-freshclam and got this error:

```
Starting clamav_clamd.
ld-elf.so.1: Shared object "libgsasl.so.18" not found, required by "libcurl.so.4"
```

Also installing security/libgsasl helped and clamd was able to start again and my monitoring is also happy again.
(In reply to Fabian Wenk from comment #9) Can you provide full build log?
Created attachment 245091
ftp-curl-build-20230921.txt

(In reply to Michael Osipov from comment #10) I did just another run, output in the attached ftp-curl-build-20230921.txt.
Comment on attachment 245091
ftp-curl-build-20230921.txt

Please provide "ldd -a $(which curl)". I guess something else has pulled in libgsasl and curl just detects its presence.
(In reply to Michael Osipov from comment #12) In my case it was net-im/jabberd:

```
riddler:~/ # pkg info -rd security/libgsasl
libgsasl-2.2.0
Depends on     :
	openssl30-3.0.11_1
	libntlm-1.6
	libgcrypt-1.10.2
	gnutls-3.7.9
	libidn-1.38
	gettext-runtime-0.22_1
Required by    :
	jabberd-2.7.0_5
riddler:~/ #
riddler:~/ # ldd -a $(which curl)
/usr/local/bin/curl:
	libcurl.so.4 => /usr/local/lib/libcurl.so.4 (0x800289000)
	libz.so.6 => /lib/libz.so.6 (0x800331000)
	libthr.so.3 => /lib/libthr.so.3 (0x80034e000)
	libc.so.7 => /lib/libc.so.7 (0x80037c000)
/usr/local/lib/libcurl.so.4:
	libnghttp2.so.14 => /usr/local/lib/libnghttp2.so.14 (0x800770000)
	libgsasl.so.18 => /usr/local/lib/libgsasl.so.18 (0x8007a2000)
	libssl.so.12 => /usr/local/lib/libssl.so.12 (0x8007c1000)
	libcrypto.so.12 => /usr/local/lib/libcrypto.so.12 (0x80086a000)
	libzstd.so.1 => /usr/local/lib/libzstd.so.1 (0x800cb2000)
	libz.so.6 => /lib/libz.so.6 (0x800331000)
	libthr.so.3 => /lib/libthr.so.3 (0x80034e000)
	libc.so.7 => /lib/libc.so.7 (0x80037c000)
/lib/libz.so.6:
	libc.so.7 => /lib/libc.so.7 (0x80037c000)
/lib/libthr.so.3:
	libc.so.7 => /lib/libc.so.7 (0x80037c000)
/usr/local/lib/libnghttp2.so.14:
	libc.so.7 => /lib/libc.so.7 (0x80037c000)
/usr/local/lib/libgsasl.so.18:
	libintl.so.8 => /usr/local/lib/libintl.so.8 (0x800d9d000)
	libidn.so.12 => /usr/local/lib/libidn.so.12 (0x800dc1000)
	libntlm.so.0 => /usr/local/lib/libntlm.so.0 (0x800df8000)
	libc.so.7 => /lib/libc.so.7 (0x80037c000)
/usr/local/lib/libssl.so.12:
	libcrypto.so.12 => /usr/local/lib/libcrypto.so.12 (0x80086a000)
	libthr.so.3 => /lib/libthr.so.3 (0x80034e000)
	libc.so.7 => /lib/libc.so.7 (0x80037c000)
/usr/local/lib/libcrypto.so.12:
	libthr.so.3 => /lib/libthr.so.3 (0x80034e000)
	libc.so.7 => /lib/libc.so.7 (0x80037c000)
/usr/local/lib/libzstd.so.1:
	libthr.so.3 => /lib/libthr.so.3 (0x80034e000)
	libc.so.7 => /lib/libc.so.7 (0x80037c000)
/usr/local/lib/libintl.so.8:
	libc.so.7 => /lib/libc.so.7 (0x80037c000)
/usr/local/lib/libidn.so.12:
	libintl.so.8 => /usr/local/lib/libintl.so.8 (0x800d9d000)
	libc.so.7 => /lib/libc.so.7 (0x80037c000)
/usr/local/lib/libntlm.so.0:
	libc.so.7 => /lib/libc.so.7 (0x80037c000)
riddler:~/ #
```
(In reply to Fabian Wenk from comment #13) That is interesting. Do you have a poudriere setup to try a clean build with default options? I cannot reproduce this here. I bet it is some combination of things.
(In reply to Michael Osipov from comment #14) Unfortunately I do not have a poudriere setup to run a clean build. I have used local builds on multiple systems with portinstall / portupgrade since ever. A longer while ago I started to build some packages to be installed on the others and this now has ended in a kind of complete "custom" build environment. I have described it in bug #270157 and now it also has NFS shared /usr/ports/ and /var/db/ports/ (started to have them manually in sync before, and finally had only to merge a few manually). So the configuration history of some ports may be quite old.
(In reply to Fabian Wenk from comment #15) I highly recommend to set this up sooner or later. It makes tackling issues quite hard.

(In reply to Fabian Wenk from comment #13) Yes, it is

> ./net-im/jabberd/Makefile: libgsasl.so:security/libgsasl

It sneaked in. Logically, for all frameworks you might have installed and curl might detect automatically one needs to pass --disable-X/--without-X, but that applies to all ports. I don't think that this is a feature. So you have two options:

1. Modify CONFIGURE_ARGS+=--without-libgsasl
2. Build with poudriere where this likely will not sneak in (not tested)
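An added example, not part of this PR or of the ftp/curl port: a small POSIX sh check that compares what a built library actually links against (from `ldd -a` output) with the libraries a port is expected to pull in. Run on the build host before packaging, it would have flagged libgsasl.so.18 as an undeclared dependency. The SAMPLE_LDD text and the DECLARED list are constructed for the example, not taken from the real Makefile.

```shell
#!/bin/sh
# Flag shared libraries a built object links against that the port does not
# declare. Autodetected configure-time dependencies (like libgsasl here) end
# up in the package as runtime requirements that pkg knows nothing about.

# Constructed sample: the libcurl.so.4 section of `ldd -a` from the bug, with
# the addresses kept only as illustration.
SAMPLE_LDD='/usr/local/lib/libcurl.so.4:
	libnghttp2.so.14 => /usr/local/lib/libnghttp2.so.14 (0x800770000)
	libgsasl.so.18 => /usr/local/lib/libgsasl.so.18 (0x8007a2000)
	libssl.so.12 => /usr/local/lib/libssl.so.12 (0x8007c1000)
	libcrypto.so.12 => /usr/local/lib/libcrypto.so.12 (0x80086a000)
	libzstd.so.1 => /usr/local/lib/libzstd.so.1 (0x800cb2000)
	libz.so.6 => /lib/libz.so.6 (0x800331000)
	libthr.so.3 => /lib/libthr.so.3 (0x80034e000)
	libc.so.7 => /lib/libc.so.7 (0x80037c000)'

# Assumed allow-list for this example: the port's LIB_DEPENDS plus base-system
# libraries. A real check would derive this from the port's Makefile.
DECLARED='libnghttp2.so.14 libssl.so.12 libcrypto.so.12 libzstd.so.1 libz.so.6 libthr.so.3 libc.so.7'

# undeclared_libs LDD_TEXT DECLARED_LIST
# Prints, one per line, every "name => path" entry whose name is not declared.
undeclared_libs() {
    printf '%s\n' "$1" | awk -v declared="$2" '
        BEGIN { n = split(declared, d, " "); for (i = 1; i <= n; i++) ok[d[i]] = 1 }
        /=>/ { if (!($1 in ok)) print $1 }
    '
}

# Returns 0 when everything linked is declared, 1 otherwise (usable in a
# build hook: undeclared_libs "$(ldd -a /usr/local/lib/libcurl.so.4)" "$DECLARED").
check_links() {
    [ -z "$(undeclared_libs "$1" "$2")" ]
}

# Stand-alone run over the constructed sample.
undeclared_libs "$SAMPLE_LDD" "$DECLARED"
```

With the sample above the script prints libgsasl.so.18; once the port declares it (or is built with --without-libgsasl so the link disappears), the check passes.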
Well, the patch has been committed [1], but this issue has not been processed :-(

[1] https://github.com/freebsd/freebsd-ports/commit/06bb67aa586fbb299d33d3d2b119f63e2473b0f5
On main branch ftp/curl is updated to 8.3.0 with ports 06bb67aa586f, and 2023Q4 branch also includes it.