Package: release.debian.org
Control: affects -1 + src:curl
X-Debbugs-Cc: c...@packages.debian.org
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: samuel...@debian.org
Severity: normal
Please unblock curl/7.88.1-9.

[ Reason ]
Changes that affect the resulting binaries:

  [ Sergio Durigan Junior ]
  * d/p/Use-correct-path-when-loading-libnss-pem-ckbi-.so.patch:
    Don't prepend "nss" when opening libnssckbi.so. (Closes: #1034359)

  [ Samuel Henrique ]
  * d/p/fix-unix-domain-socket.patch: Import upstream patch to fix --unix
    (closes: #1033963)

The first change is an important fix to address a regression introduced by the previous "Use-correct-path-when-loading-libnss-pem-ckbi-.so.patch". Unfortunately, it is currently not possible for users of NSS-enabled libcurl to fetch data from HTTPS URIs. With this one-liner fix, the previous behaviour is restored while at the same time keeping the benefits of being able to dynamically load libnss-pem.

The second change is a backport of an upstream patch to fix the use of UNIX domain sockets (via --unix) in HTTPS scenarios. An important fix for those who rely on these features.

Changes that don't affect the resulting binaries:

  [ Samuel Henrique ]
  * Update list of tests that fail on IPv6-only envs and don't skip them on
    autopkgtest

This change updates (and reduces) the list of tests to be skipped on IPv6-only environments. This should increase our test coverage in debci.

[ Impact ]
With this update, users who rely on the NSS-enabled libcurl will be able to fetch data from HTTPS URIs again.

[ Tests ]
All build tests passed.

[ Risks ]
After some extensive tests, I believe I covered all scenarios where an NSS-enabled libcurl could be used. Unfortunately, the patch to make libcurl able to find and load libnss-pem is still a bit hack-ish, so there's always the possibility of a problem creeping in. I'm confident that the chance of such regression happening is unlikely, though.
[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
I understand that the release team is probably very busy these days, and appreciate all the work you have done. If it is not too much inconvenience for you, it would be great to have this version of curl unblocked in the near future, in order to address the NSS regression.

Thank you in advance.

unblock curl/7.88.1-9

--
Sergio
GPG key ID: 237A 54B1 0287 28BF 00EF 31F4 D0EB 7628 65FC 5E36
Please send encrypted e-mail if possible
https://sergiodj.net/
diff -Nru curl-7.88.1/debian/changelog curl-7.88.1/debian/changelog --- curl-7.88.1/debian/changelog 2023-03-26 06:36:24.000000000 -0400 +++ curl-7.88.1/debian/changelog 2023-04-15 15:03:44.000000000 -0400 @@ -1,3 +1,17 @@ +curl (7.88.1-9) unstable; urgency=medium + + [ Sergio Durigan Junior ] + * d/p/Use-correct-path-when-loading-libnss-pem-ckbi-.so.patch: + Don't prepend "nss" when opening libnssckbi.so. (Closes: #1034359) + + [ Samuel Henrique ] + * Update list of tests that fail on IPv6-only envs and don't skip them on + autopkgtest + * d/p/fix-unix-domain-socket.patch: Import upstream patch to fix --unix + (closes: #1033963) + + -- Samuel Henrique <samuel...@debian.org> Sat, 15 Apr 2023 20:03:44 +0100 + curl (7.88.1-8) unstable; urgency=medium [ Samuel Henrique ] diff -Nru curl-7.88.1/debian/patches/fix-unix-domain-socket.patch curl-7.88.1/debian/patches/fix-unix-domain-socket.patch --- curl-7.88.1/debian/patches/fix-unix-domain-socket.patch 1969-12-31 19:00:00.000000000 -0500 +++ curl-7.88.1/debian/patches/fix-unix-domain-socket.patch 2023-04-15 15:03:44.000000000 -0400 
@@ -0,0 +1,211 @@ +From 873f9fccca3645ffa41ad1f26355860fd925eb18 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing <ste...@eissing.org> +Date: Tue, 28 Feb 2023 10:07:21 +0100 +Subject: [PATCH] Fixing unix domain socket use in https connects. + +- refs #10633, when h2/h3 eyeballing was involved, unix domain socket + configurations were not honoured +- configuring --unix-socket will disable HTTP/3 as candidate for eyeballing +- combinatino of --unix-socket and --http3-only will fail during initialisation +- adding pytest test_11 to reproduce +--- + lib/cf-http.c | 6 +- + lib/http.c | 6 +- + lib/vquic/vquic.c | 4 + + tests/tests-httpd/test_11_unix.py | 129 ++++++++++++++++++++++++++++++ + 4 files changed, 138 insertions(+), 7 deletions(-) + create mode 100644 tests/tests-httpd/test_11_unix.py + +Index: curl/lib/cf-http.c +=================================================================== +--- curl.orig/lib/cf-http.c ++++ curl/lib/cf-http.c +@@ -266,7 +266,8 @@ static CURLcode cf_hc_connect(struct Cur + Curl_expire(data, ctx->soft_eyeballs_timeout_ms, EXPIRE_ALPN_EYEBALLS); + } + else if(ctx->h21_baller.enabled) +- cf_hc_baller_init(&ctx->h21_baller, cf, data, "h21", TRNSPRT_TCP); ++ cf_hc_baller_init(&ctx->h21_baller, cf, data, "h21", ++ cf->conn->transport); + ctx->state = CF_HC_CONNECT; + /* FALLTHROUGH */ + +@@ -280,7 +281,8 @@ static CURLcode cf_hc_connect(struct Cur + } + + if(time_to_start_h21(cf, data, now)) { +- cf_hc_baller_init(&ctx->h21_baller, cf, data, "h21", TRNSPRT_TCP); ++ cf_hc_baller_init(&ctx->h21_baller, cf, data, "h21", ++ cf->conn->transport); + } + + if(cf_hc_baller_is_active(&ctx->h21_baller)) { +Index: curl/lib/http.c +=================================================================== +--- curl.orig/lib/http.c ++++ curl/lib/http.c +@@ -234,14 +234,10 @@ static CURLcode http_setup_conn(struct C + Curl_mime_initpart(&http->form); + data->req.p.http = http; + +- if((data->state.httpwant == CURL_HTTP_VERSION_3) +- || (data->state.httpwant == 
CURL_HTTP_VERSION_3ONLY)) { ++ if(data->state.httpwant == CURL_HTTP_VERSION_3ONLY) { + CURLcode result = Curl_conn_may_http3(data, conn); + if(result) + return result; +- +- /* TODO: HTTP lower version eyeballing */ +- conn->transport = TRNSPRT_QUIC; + } + + return CURLE_OK; +Index: curl/lib/vquic/vquic.c +=================================================================== +--- curl.orig/lib/vquic/vquic.c ++++ curl/lib/vquic/vquic.c +@@ -363,6 +363,10 @@ bool Curl_conn_is_http3(const struct Cur + CURLcode Curl_conn_may_http3(struct Curl_easy *data, + const struct connectdata *conn) + { ++ if(conn->transport == TRNSPRT_UNIX) { ++ /* cannot do QUIC over a unix domain socket */ ++ return CURLE_QUIC_CONNECT_ERROR; ++ } + if(!(conn->handler->flags & PROTOPT_SSL)) { + failf(data, "HTTP/3 requested for non-HTTPS URL"); + return CURLE_URL_MALFORMAT; +Index: curl/tests/tests-httpd/test_11_unix.py +=================================================================== +--- /dev/null ++++ curl/tests/tests-httpd/test_11_unix.py +@@ -0,0 +1,129 @@ ++#!/usr/bin/env python3 ++# -*- coding: utf-8 -*- ++#*************************************************************************** ++# _ _ ____ _ ++# Project ___| | | | _ \| | ++# / __| | | | |_) | | ++# | (__| |_| | _ <| |___ ++# \___|\___/|_| \_\_____| ++# ++# Copyright (C) 2008 - 2022, Daniel Stenberg, <dan...@haxx.se>, et al. ++# ++# This software is licensed as described in the file COPYING, which ++# you should have received as part of this distribution. The terms ++# are also available at https://curl.se/docs/copyright.html. ++# ++# You may opt to use, copy, modify, merge, publish, distribute and/or sell ++# copies of the Software, and permit persons to whom the Software is ++# furnished to do so, under the terms of the COPYING file. ++# ++# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++# KIND, either express or implied. 
++# ++# SPDX-License-Identifier: curl ++# ++########################################################################### ++# ++import logging ++import os ++import socket ++from threading import Thread ++import pytest ++ ++from testenv import Env, CurlClient ++ ++ ++log = logging.getLogger(__name__) ++ ++class UDSFaker: ++ ++ def __init__(self, path): ++ self._uds_path = path ++ self._done = False ++ ++ @property ++ def path(self): ++ return self._uds_path ++ ++ def start(self): ++ def process(self): ++ self._socket.listen(1) ++ self._process() ++ ++ try: ++ os.unlink(self._uds_path) ++ except OSError: ++ if os.path.exists(self._uds_path): ++ raise ++ self._socket = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) ++ self._socket.bind(self._uds_path) ++ self._thread = Thread(target=process, daemon=True, args=[self]) ++ self._thread.start() ++ ++ def stop(self): ++ self._done = True ++ self._socket.close() ++ ++ def _process(self): ++ while self._done is False: ++ try: ++ c, client_address = self._socket.accept() ++ try: ++ data = c.recv(16) ++ c.sendall("""HTTP/1.1 200 Ok ++Server: UdsFaker ++Content-Type: application/json ++Content-Length: 19 ++ ++{ "host": "faked" }""".encode()) ++ finally: ++ c.close() ++ ++ except ConnectionAbortedError: ++ self._done = True ++ ++ ++ ++@pytest.mark.skipif(condition=Env.setup_incomplete(), ++ reason=f"missing: {Env.incomplete_reason()}") ++class TestUnix: ++ ++ @pytest.fixture(scope="class") ++ def uds_faker(self, env: Env) -> UDSFaker: ++ uds_path = os.path.join(env.gen_dir, 'uds_11.sock') ++ faker = UDSFaker(path=uds_path) ++ faker.start() ++ yield faker ++ faker.stop() ++ ++ # download http: via unix socket ++ def test_11_01_unix_connect_http(self, env: Env, httpd, uds_faker, repeat): ++ curl = CurlClient(env=env) ++ url = f'http://{env.domain1}:{env.http_port}/data.json' ++ r = curl.http_download(urls=[url], with_stats=True, ++ extra_args=[ ++ '--unix-socket', uds_faker.path, ++ ]) ++ assert r.exit_code == 0 ++ 
r.check_stats(count=1, exp_status=200) ++ ++ # download https: via unix socket ++ def test_11_02_unix_connect_http(self, env: Env, httpd, uds_faker, repeat): ++ curl = CurlClient(env=env) ++ url = f'https://{env.domain1}:{env.https_port}/data.json' ++ r = curl.http_download(urls=[url], with_stats=True, ++ extra_args=[ ++ '--unix-socket', uds_faker.path, ++ ]) ++ assert r.exit_code == 35 # CONNECT_ERROR (as faker is not TLS) ++ ++ # download HTTP/3 via unix socket ++ def test_11_03_unix_connect_quic(self, env: Env, httpd, uds_faker, repeat): ++ curl = CurlClient(env=env) ++ url = f'https://{env.domain1}:{env.https_port}/data.json' ++ r = curl.http_download(urls=[url], with_stats=True, ++ alpn_proto='h3', ++ extra_args=[ ++ '--unix-socket', uds_faker.path, ++ ]) ++ assert r.exit_code == 96 # QUIC CONNECT ERROR diff -Nru curl-7.88.1/debian/patches/series curl-7.88.1/debian/patches/series --- curl-7.88.1/debian/patches/series 2023-03-26 06:36:24.000000000 -0400 +++ curl-7.88.1/debian/patches/series 2023-04-15 15:03:44.000000000 -0400 @@ -6,6 +6,8 @@ Remove-curl-s-LDFLAGS-from-curl-config-static-libs.patch Use-correct-path-when-loading-libnss-pem-ckbi-.so.patch +fix-unix-domain-socket.patch + # CVE fixes. CVE-2023-27533.patch CVE-2023-27534.patch diff -Nru curl-7.88.1/debian/patches/Use-correct-path-when-loading-libnss-pem-ckbi-.so.patch curl-7.88.1/debian/patches/Use-correct-path-when-loading-libnss-pem-ckbi-.so.patch --- curl-7.88.1/debian/patches/Use-correct-path-when-loading-libnss-pem-ckbi-.so.patch 2023-03-26 06:36:24.000000000 -0400 +++ curl-7.88.1/debian/patches/Use-correct-path-when-loading-libnss-pem-ckbi-.so.patch 2023-04-13 18:19:47.000000000 -0400 
@@ -22,7 +22,7 @@ +#endif + +static const char *pem_library = "/usr/lib/" _DEB_HOST_ARCH "/nss/libnsspem.so"; -+static const char *trust_library = "/usr/lib/" _DEB_HOST_ARCH "/nss/libnssckbi.so"; ++static const char *trust_library = "/usr/lib/" _DEB_HOST_ARCH "/libnssckbi.so"; #endif static SECMODModule *pem_module = NULL; diff -Nru curl-7.88.1/debian/rules curl-7.88.1/debian/rules --- curl-7.88.1/debian/rules 2023-03-26 06:36:24.000000000 -0400 +++ curl-7.88.1/debian/rules 2023-04-15 15:03:44.000000000 -0400 @@ -115,7 +115,7 @@ # These tests fail if a IPv6-only builder is used: # https://bugs.debian.org/1032343 # https://github.com/curl/curl/issues/10682 -TESTS_FAILS_ON_IPV6_ONLY_MACHINES += $(addprefix ~, 300 301 303 304 306 309 310 325 364 400 401 403 406 407 408 409 410 414 417 560 678 1112 1272 1561 1562 1630 1631 1632 2034 2037 2041 3000 3001) +TESTS_FAILS_ON_IPV6_ONLY_MACHINES ?= $(addprefix ~, 300 301 303 304 306 309 310 325 364 400 401 403 406 407 408 409 410 414 417 560 678 987 988 989 1112 1272 1470 1561 1562 1630 1631 1632 2034 2037 2041 3000 3001) TESTS_GENERAL_PARAMETERS += $(TESTS_FAILS_ON_IPV6_ONLY_MACHINES) diff -Nru curl-7.88.1/debian/tests/upstream-tests-gnutls curl-7.88.1/debian/tests/upstream-tests-gnutls --- curl-7.88.1/debian/tests/upstream-tests-gnutls 2023-03-26 06:36:24.000000000 -0400 +++ curl-7.88.1/debian/tests/upstream-tests-gnutls 2023-04-15 15:03:44.000000000 -0400 
@@ -13,6 +13,14 @@ export DEB_BUILD_PROFILES="pkg.curl.gnutls-only" export VERBOSE=1 +# Don't skip tests which fail on ipv6-only environments for autopkgtests. +# I'm not aware of runners with this configuration for debci, and a retry +# should be easy enough it it happens. +# References: +# https://bugs.debian.org/1032343 +# https://github.com/curl/curl/issues/10682 +export TESTS_FAILS_ON_IPV6_ONLY_MACHINES="" + echo "dh_update_autotools_config" dh_update_autotools_config diff -Nru curl-7.88.1/debian/tests/upstream-tests-nss curl-7.88.1/debian/tests/upstream-tests-nss --- curl-7.88.1/debian/tests/upstream-tests-nss 2023-03-26 06:36:24.000000000 -0400 +++ curl-7.88.1/debian/tests/upstream-tests-nss 2023-04-15 15:03:44.000000000 -0400 @@ -13,6 +13,14 @@ export DEB_BUILD_PROFILES="pkg.curl.nss-only" export VERBOSE=1 +# Don't skip tests which fail on ipv6-only environments for autopkgtests. +# I'm not aware of runners with this configuration for debci, and a retry +# should be easy enough it it happens. +# References: +# https://bugs.debian.org/1032343 +# https://github.com/curl/curl/issues/10682 +export TESTS_FAILS_ON_IPV6_ONLY_MACHINES="" + echo "dh_update_autotools_config" dh_update_autotools_config diff -Nru curl-7.88.1/debian/tests/upstream-tests-openssl curl-7.88.1/debian/tests/upstream-tests-openssl --- curl-7.88.1/debian/tests/upstream-tests-openssl 2023-03-26 06:36:24.000000000 -0400 +++ curl-7.88.1/debian/tests/upstream-tests-openssl 2023-04-15 15:03:44.000000000 -0400 @@ -15,6 +15,14 @@ TESTS_GENERAL_PARAMETERS="-vc /usr/bin/curl" export TESTS_GENERAL_PARAMETERS +# Don't skip tests which fail on ipv6-only environments for autopkgtests. +# I'm not aware of runners with this configuration for debci, and a retry +# should be easy enough it it happens. +# References: +# https://bugs.debian.org/1032343 +# https://github.com/curl/curl/issues/10682 +export TESTS_FAILS_ON_IPV6_ONLY_MACHINES="" + echo "dh_update_autotools_config" dh_update_autotools_config
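Review bot: in the lib/vquic/vquic.c hunk of fix-unix-domain-socket.patch the new TRNSPRT_UNIX check returns CURLE_QUIC_CONNECT_ERROR without a failf() message, unlike the PROTOPT_SSL check immediately below it, so a user who combines --unix-socket with --http3-only gets exit code 96 and no explanation of why. Suggest adding a line such as `failf(data, "HTTP/3 is not possible over a unix domain socket");` before the `return CURLE_QUIC_CONNECT_ERROR;`. test_11_03 asserts only on the exit code, so it would not need to change.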
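Review bot: the lib/http.c hunk narrows the setup-time check from `CURL_HTTP_VERSION_3 || CURL_HTTP_VERSION_3ONLY` to `CURL_HTTP_VERSION_3ONLY` and drops the unconditional `conn->transport = TRNSPRT_QUIC;`, which is the assignment that was clobbering the unix-socket transport for plain --http3. The patch header says --unix-socket now disables HTTP/3 as an eyeballing candidate, but the code that makes that decision for the h3 baller is not in this debdiff (the cf-http.c hunks only switch the h21 baller from the hardcoded TRNSPRT_TCP to cf->conn->transport), and test_11_03 expects exit code 96, i.e. the hard-failure case. A test that runs `--http3` (not --http3-only) together with `--unix-socket` and expects the h1/h2 fallback over the socket would cover the behaviour the header promises; failing that, a sentence in the patch header saying where the h3 candidate is suppressed would help the next backporter.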
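Review bot: in the tests/tests-httpd/test_11_unix.py hunk, test_11_02_unix_connect_http is the https: case but is named like the http: one, and the comment "CONNECT_ERROR (as faker is not TLS)" is the only hint that exit code 35 is the intended result. The test is still a valid regression check for #10633, because before the fix curl would have ignored the socket, reached the TCP httpd and returned 200 instead of failing the TLS handshake against the plaintext faker, but the name should say so: rename it test_11_02_unix_connect_https and spell out in the comment that a 200 here means --unix-socket was bypassed. Separately, UDSFaker._process only exits on ConnectionAbortedError, which is the Windows behaviour for a socket closed under accept(); on Linux, stop() closing the listening socket either leaves accept() blocked or raises a plain OSError, neither of which is handled. The thread is a daemon so this does not hang the run, but catching OSError and re-checking self._done would make stop() deterministic. The `data = c.recv(16)` result is also unused; `c.recv(16)` on its own says what is intended.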
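Review bot: the one-line change in Use-correct-path-when-loading-libnss-pem-ckbi-.so.patch moves trust_library out of the nss/ subdirectory while pem_library stays in it, and nothing in the patch records why the two NSS modules live in different directories. That asymmetry is exactly what -8 got wrong (#1034359), so a comment above the two constants stating which package ships each file and at which path would stop someone from "fixing" the inconsistency again. Both paths are absolute, so there is no dlopen search-path hijacking concern here. The hunk does not show what happens when loading trust_library fails; the regression description (HTTPS fetches fail outright when the path is wrong) suggests the failure mode is fail-closed rather than a connection with no trust roots, which is the right one, and it would be worth stating that explicitly in the unblock text since this is the path the -9 change touches.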
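Review bot: in the debian/rules hunk, switching TESTS_FAILS_ON_IPV6_ONLY_MACHINES from `+=` to `?=` makes the skip list overridable from the environment, which is what the three debian/tests scripts rely on by exporting it empty. The side effect is that any builder that already has that variable set to anything silently replaces the skip list, and the comment above the assignment does not mention that it is an override hook. Suggest extending the comment with a line such as `# Overridable from the environment; debian/tests/* export it empty.` The list also gains 987 988 989 and 1470 without a pointer to what was observed failing; adding the upstream issue or the build-log reference next to the existing two links would help whoever next prunes the list.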
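Review bot: the comment block added to debian/tests/upstream-tests-gnutls, upstream-tests-nss and upstream-tests-openssl contains the typo "it it happens" (should be "if it happens") in all three copies. Since the same eight lines are pasted into three scripts, consider moving them into one shared snippet that the three scripts source, so the next change to this policy does not have to be made in triplicate.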