guix_mirror_bot pushed a commit to branch misc-world-rebuild in repository guix.
commit 70c4e8e5e3d9d00a9e0ce9e09140564ab46845a8 Author: Yelninei <[email protected]> AuthorDate: Wed Apr 15 13:35:17 2026 +0000 gnu: curl: Update to 8.20. * gnu/packages/patches/curl-use-ssl-cert-env.patch: Refresh patch. * gnu/packages/patches/curl-CVE-2024-8096.patch: Delete patch. * gnu/local.mk (dist_patch_DATA): Deregister it. * gnu/packages/curl.scm (curl): Update to 8.20. [origin]: Remove curl-CVE-2024-8096.patch. [native-inputs]: Add openssl. [#:phases]: Add 'sanitize-libcurl.pc phase. Change-Id: I8e609ed8e0e337b42457ebc7bc646eeb454cc432 Merges: https://codeberg.org/guix/guix/pulls/7919 Signed-off-by: Nguyễn Gia Phong <[email protected]>
---
 gnu/local.mk | 1 - gnu/packages/curl.scm | 19 ++++--- gnu/packages/patches/curl-use-ssl-cert-env.patch | 66 ++++++++++++++---------- 3 files changed, 53 insertions(+), 33 deletions(-)
diff --git a/gnu/local.mk b/gnu/local.mk
index e766cbeff1..f3dcdeb02e 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1173,7 +1173,6 @@ dist_patch_DATA = \
 %D%/packages/patches/cube-nocheck.patch \
 %D%/packages/patches/cups-relax-root-ownership-check.patch \
 %D%/packages/patches/cura-engine-gcc-14.patch \
- %D%/packages/patches/curl-CVE-2024-8096.patch \
 %D%/packages/patches/curl-use-ssl-cert-env.patch \
 %D%/packages/patches/curlftpfs-fix-error-closing-file.patch \
 %D%/packages/patches/curlftpfs-fix-file-names.patch \
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 9d93530508..43c0725a88 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -68,16 +68,15 @@ (define-public curl (package (name "curl") - (version "8.6.0") + (version "8.20.0") (source (origin (method url-fetch) (uri (string-append "https://curl.se/download/curl-" version ".tar.xz")) (sha256 (base32 - "05fv468yjrb7qwrxmfprxkrcckbkij0myql0vwwnalgr3bcmbk9w")) - (patches (search-patches "curl-use-ssl-cert-env.patch" - "curl-CVE-2024-8096.patch")))) + "15mqw8y9vdxlz9cpr2z7q9r6552wgs7q7vr2k7lfl35s930jvzk3")) + (patches (search-patches "curl-use-ssl-cert-env.patch")))) (outputs '("out" "doc")) ;1.2 MiB of man3 pages (build-system gnu-build-system) @@ -134,9 +133,17 @@ (display "1474\n" port) (display "1501\n" port) (close port))))) - #~())))) + #~()) + (add-after 'install 'sanitize-libcurl.pc + (lambda _ + ;; The pkgconfig file has all dependencies in Requires.private + ;; which is unnecessary for our shared library use and would + ;; require propagating them. + (substitute* (string-append #$output "/lib/pkgconfig/libcurl.pc") + (("^Requires.private:.*") ""))))))) (native-inputs - (list nghttp2 perl pkg-config python-minimal-wrapper)) + (list nghttp2 perl pkg-config python-minimal-wrapper + openssl)) ;for tests (inputs (list gnutls libidn libpsl mit-krb5 `(,nghttp2 "lib") zlib)) (native-search-paths diff --git a/gnu/packages/patches/curl-use-ssl-cert-env.patch b/gnu/packages/patches/curl-use-ssl-cert-env.patch index c39c1f7e98..445e52c430 100644 --- a/gnu/packages/patches/curl-use-ssl-cert-env.patch +++ b/gnu/packages/patches/curl-use-ssl-cert-env.patch 
@@ -5,60 +5,74 @@ must be called when no other threads exist). This fixes network functionality in rust:cargo, and probably removes the need for other future workarounds. =================================================================== ---- curl-8.5.0.orig/lib/easy.c 2023-12-17 00:36:32.400468561 -0500 -+++ curl-8.5.0/lib/easy.c 2023-12-17 00:39:08.898612331 -0500 -@@ -137,6 +137,9 @@ +Index: curl-8.19.0/lib/easy.c +=================================================================== +--- curl-8.19.0.orig/lib/easy.c ++++ curl-8.19.0/lib/easy.c +@@ -117,6 +117,9 @@ curl_calloc_callback Curl_ccalloc = (cur static char *leakpointer; #endif - + +char * Curl_ssl_cert_dir = NULL; +char * Curl_ssl_cert_file = NULL; + /** * curl_global_init() globally initializes curl given a bitwise set of the * different features of what to initialize. -@@ -163,6 +166,9 @@ +@@ -140,6 +143,9 @@ static CURLcode global_init(long flags, goto fail; } - + + Curl_ssl_cert_dir = curl_getenv("SSL_CERT_DIR"); + Curl_ssl_cert_file = curl_getenv("SSL_CERT_FILE"); + if(!Curl_ssl_init()) { - DEBUGF(fprintf(stderr, "Error: Curl_ssl_init failed\n")); + DEBUGF(curl_mfprintf(stderr, "Error: Curl_ssl_init failed\n")); goto fail; -@@ -287,6 +293,9 @@ +@@ -269,6 +275,9 @@ void curl_global_cleanup(void) Curl_ssl_cleanup(); - Curl_resolver_global_cleanup(); - + Curl_async_global_cleanup(); + + free(Curl_ssl_cert_dir); + free(Curl_ssl_cert_file); + #ifdef _WIN32 Curl_win32_cleanup(easy_init_flags); #endif -diff -ur curl-7.66.0.orig/lib/url.c curl-7.66.0/lib/url.c ---- curl-7.66.0.orig/lib/url.c 2020-01-02 15:43:11.883921171 +0100 -+++ curl-7.66.0/lib/url.c 2020-01-02 16:21:11.563880346 +0100 -@@ -524,6 +524,21 @@ - if(result) - return result; +Index: curl-8.19.0/lib/vtls/vtls.c +=================================================================== +--- curl-8.19.0.orig/lib/vtls/vtls.c ++++ curl-8.19.0/lib/vtls/vtls.c +@@ -294,10 +294,8 @@ static void free_primary_ssl_config(stru + CURLcode 
Curl_ssl_easy_config_complete(struct Curl_easy *data) + { + struct ssl_config_data *sslc = &data->set.ssl; +-#if defined(CURL_CA_PATH) || defined(CURL_CA_BUNDLE) + struct UserDefined *set = &data->set; + CURLcode result; +-#endif + + if(Curl_ssl_backend() != CURLSSLBACKEND_SCHANNEL) { + #if defined(USE_APPLE_SECTRUST) || defined(CURL_CA_NATIVE) +@@ -318,6 +316,21 @@ CURLcode Curl_ssl_easy_config_complete(s + return result; + } #endif + extern char * Curl_ssl_cert_dir; + extern char * Curl_ssl_cert_file; + if(Curl_ssl_cert_dir) { -+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], Curl_ssl_cert_dir)) -+ return result; -+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_PROXY], Curl_ssl_cert_dir)) -+ return result; ++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], Curl_ssl_cert_dir)) ++ return result; ++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_PROXY], Curl_ssl_cert_dir)) ++ return result; + } + + if(Curl_ssl_cert_file) { -+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], Curl_ssl_cert_file)) -+ return result; -+ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_PROXY], Curl_ssl_cert_file)) -+ return result; ++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], Curl_ssl_cert_file)) ++ return result; ++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_PROXY], Curl_ssl_cert_file)) ++ return result; + } } - - set->wildcard_enabled = FALSE; + sslc->primary.CAfile = data->set.str[STRING_SSL_CAFILE]; + sslc->primary.CRLfile = data->set.str[STRING_SSL_CRLFILE];
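Review bot: The block added to `Curl_ssl_easy_config_complete` overwrites `set->str[STRING_SSL_CAFILE]` and `set->str[STRING_SSL_CAPATH]` whenever `SSL_CERT_FILE` or `SSL_CERT_DIR` is set, immediately before `sslc->primary.CAfile` is read from them, so the environment appears to take precedence over a CA store the application chose itself (for example a private CA pinned with `CURLOPT_CAINFO`). In the previous `lib/url.c` placement the values looked like handle defaults that a later `curl_easy_setopt()` could still replace; if this function runs after the application's options are applied, as its name suggests, that ordering is now reversed. Consider applying the environment values only when the application made no choice, e.g. `if(Curl_ssl_cert_file && !sslc->custom_cafile) {` and `if(Curl_ssl_cert_dir && !sslc->custom_capath) {` (field names to be confirmed against the 8.20 `struct ssl_config_data`), with the same treatment for the `_PROXY` options. The function body continues past the end of this hunk.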
