It looks like we build without metalink anyway ... so is this CVE
applicable to us?

Thanks,

Anuj

On Tue, 2021-10-26 at 14:36 +0800, Yu, Mingli wrote:
> From: Mingli Yu <mingli...@windriver.com>
> 
> Backport patch to remove metalink [1] to fix below CVEs:
>  - CVE-2021-22922 [2]
>  - CVE-2021-22923 [3]
> 
> [1]
> https://github.com/curl/curl/commit/265b14d6b37c4298bd5556fabcbc37d36f911693
> [2] https://curl.se/docs/CVE-2021-22922.html
> [3] https://curl.se/docs/CVE-2021-22923.html
> 
> Signed-off-by: Mingli Yu <mingli...@windriver.com>
> ---
>  .../curl/curl/0001-metalink-remove.patch      | 194
> ++++++++++++++++++
>  meta/recipes-support/curl/curl_7.75.0.bb      |   2 +-
>  2 files changed, 195 insertions(+), 1 deletion(-)
>  create mode 100644 meta/recipes-support/curl/curl/0001-metalink-
> remove.patch
> 
> diff --git a/meta/recipes-support/curl/curl/0001-metalink-
> remove.patch b/meta/recipes-support/curl/curl/0001-metalink-
> remove.patch
> new file mode 100644
> index 0000000000..a76e720215
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/0001-metalink-remove.patch
> @@ -0,0 +1,194 @@
> +From ef339d19b688e0d4c9b6ff2bd5b5cd54af9e1dbf Mon Sep 17 00:00:00
> 2001
> +From: Daniel Stenberg <dan...@haxx.se>
> +Date: Tue, 26 Oct 2021 11:10:31 +0800
> +Subject: [PATCH] metalink: remove
> +
> +Warning: this will make existing curl command lines that use
> metalink to
> +stop working.
> +
> +Reasons for removal:
> +
> +1. We've found several security problems and issues involving the
> +   metalink support in curl. The issues are not detailed here. When
> +   working on those, it become apparent to the team that several of
> the
> +   problems are due to the system design, metalink library API and
> what
> +   the metalink RFC says. They are very hard to fix on the curl side
> +   only.
> +
> +2. The metalink usage with curl was only very briefly documented and
> was
> +   not following the "normal" curl usage pattern in several ways,
> making
> +   it surprising and non-intuitive which could lead to further
> security
> +   issues.
> +
> +3. The metalink library was last updated 6 years ago and wasn't so
> +   active the years before that either. An unmaintained library
> means
> +   there's a security problem waiting to happen. This is probably
> reason
> +   enough.
> +
> +4. Metalink requires an XML parsing library, which is complex code
> (even
> +   the smaller alternatives) and to this day often gets security
> +   updates.
> +
> +5. Metalink is not a widely used curl feature. In the 2020 curl user
> +   survey, only 1.4% of the responders said that they'd are using
> it. In
> +   2021 that number was 1.2%. Searching the web also show very few
> +   traces of it being used, even with other tools.
> +
> +6. The torrent format and associated technology clearly won for
> +   downloading large files from multiple sources in parallel.
> +
> +Cloes #7176
> +
> +CVE: CVE-2021-22922 CVE-2021-22923
> +
> +Upstream-Status: Backport
> [https://github.com/curl/curl/commit/265b14d6b37c4298bd5556fabcbc37d36f911693
> ]
> +
> +Signed-off-by: Mingli Yu <mingli...@windriver.com>
> +---
> + configure.ac    | 96 ++--------------------------------------------
> ---
> + src/Makefile.am |  9 ++---
> + 2 files changed, 5 insertions(+), 100 deletions(-)
> +
> +diff --git a/configure.ac b/configure.ac
> +index 816f044..715fe26 100755
> +--- a/configure.ac
> ++++ b/configure.ac
> +@@ -162,7 +162,6 @@ curl_verbose_msg="enabled (--disable-verbose)"
> +   curl_ldaps_msg="no      (--enable-ldaps)"
> +    curl_rtsp_msg="no      (--enable-rtsp)"
> +    curl_rtmp_msg="no      (--with-librtmp)"
> +-  curl_mtlnk_msg="no      (--with-libmetalink)"
> +     curl_psl_msg="no      (--with-libpsl)"
> +  curl_altsvc_msg="enabled";
> +     ssl_backends=
> +@@ -2895,99 +2894,8 @@ if test $with_libpsl != "no"; then
> + fi
> + AM_CONDITIONAL([USE_LIBPSL], [test "$curl_psl_msg" = "enabled"])
> + 
> +-dnl
> *********************************************************************
> *
> +-dnl Check for libmetalink
> +-dnl
> *********************************************************************
> *
> +-
> +-OPT_LIBMETALINK=no
> +-
> +-AC_ARG_WITH(libmetalink,dnl
> +-AC_HELP_STRING([--with-libmetalink=PATH],[where to look for
> libmetalink, PATH points to the installation root])
> +-AC_HELP_STRING([--without-libmetalink], [disable libmetalink
> detection]),
> +-  OPT_LIBMETALINK=$withval)
> +-
> +-if test X"$OPT_LIBMETALINK" != Xno; then
> +-
> +-  addld=""
> +-  addlib=""
> +-  addcflags=""
> +-  version=""
> +-  libmetalinklib=""
> +-
> +-  PKGTEST="no"
> +-  if test "x$OPT_LIBMETALINK" = "xyes"; then
> +-    dnl this is with no partiular path given
> +-    PKGTEST="yes"
> +-    CURL_CHECK_PKGCONFIG(libmetalink)
> +-  else
> +-    dnl When particular path is given, set PKG_CONFIG_LIBDIR using
> the path.
> +-    LIBMETALINK_PCDIR="$OPT_LIBMETALINK/lib/pkgconfig"
> +-    AC_MSG_NOTICE([PKG_CONFIG_LIBDIR will be set to
> "$LIBMETALINK_PCDIR"])
> +-    if test -f "$LIBMETALINK_PCDIR/libmetalink.pc"; then
> +-      PKGTEST="yes"
> +-    fi
> +-    if test "$PKGTEST" = "yes"; then
> +-      CURL_CHECK_PKGCONFIG(libmetalink, [$LIBMETALINK_PCDIR])
> +-    fi
> +-  fi
> +-  if test "$PKGTEST" = "yes" && test "$PKGCONFIG" != "no"; then
> +-    addlib=`CURL_EXPORT_PCDIR([$LIBMETALINK_PCDIR]) dnl
> +-      $PKGCONFIG --libs-only-l libmetalink`
> +-    addld=`CURL_EXPORT_PCDIR([$LIBMETALINK_PCDIR]) dnl
> +-      $PKGCONFIG --libs-only-L libmetalink`
> +-    addcflags=`CURL_EXPORT_PCDIR([$LIBMETALINK_PCDIR]) dnl
> +-      $PKGCONFIG --cflags-only-I libmetalink`
> +-    version=`CURL_EXPORT_PCDIR([$LIBMETALINK_PCDIR]) dnl
> +-      $PKGCONFIG --modversion libmetalink`
> +-    libmetalinklib=`echo $addld | $SED -e 's/^-L//'`
> +-  fi
> +-  if test -n "$addlib"; then
> +-
> +-    clean_CPPFLAGS="$CPPFLAGS"
> +-    clean_LDFLAGS="$LDFLAGS"
> +-    clean_LIBS="$LIBS"
> +-    CPPFLAGS="$clean_CPPFLAGS $addcflags"
> +-    LDFLAGS="$clean_LDFLAGS $addld"
> +-    LIBS="$addlib $clean_LIBS"
> +-    AC_MSG_CHECKING([if libmetalink is recent enough])
> +-    AC_LINK_IFELSE([
> +-      AC_LANG_PROGRAM([[
> +-#       include <metalink/metalink.h>
> +-      ]],[[
> +-        if(0 != metalink_strerror(0)) /* added in 0.1.0 */
> +-          return 1;
> +-      ]])
> +-    ],[
> +-      AC_MSG_RESULT([yes ($version)])
> +-      want_metalink="yes"
> +-    ],[
> +-      AC_MSG_RESULT([no ($version)])
> +-      AC_MSG_NOTICE([libmetalink library defective or too old])
> +-      want_metalink="no"
> +-    ])
> +-    if test "x$OPENSSL_ENABLED" != "x1" -a "x$USE_WINDOWS_SSPI" !=
> "x1" \
> +-        -a "x$GNUTLS_ENABLED" != "x1" -a "x$NSS_ENABLED" != "x1" \
> +-        -a "x$SECURETRANSPORT_ENABLED" != "x1"; then
> +-      AC_MSG_WARN([metalink support requires a compatible SSL/TLS
> backend])
> +-      want_metalink="no"
> +-    fi
> +-    CPPFLAGS="$clean_CPPFLAGS"
> +-    LDFLAGS="$clean_LDFLAGS"
> +-    LIBS="$clean_LIBS"
> +-    if test "$want_metalink" = "yes"; then
> +-      dnl finally libmetalink will be used
> +-      AC_DEFINE(USE_METALINK, 1, [Define to enable metalink
> support])
> +-      LIBMETALINK_LIBS=$addlib
> +-      LIBMETALINK_LDFLAGS=$addld
> +-      LIBMETALINK_CPPFLAGS=$addcflags
> +-      AC_SUBST([LIBMETALINK_LIBS])
> +-      AC_SUBST([LIBMETALINK_LDFLAGS])
> +-      AC_SUBST([LIBMETALINK_CPPFLAGS])
> +-      curl_mtlnk_msg="enabled"
> +-    fi
> +-
> +-  fi
> +-fi
> ++AC_ARG_WITH(libmetalink,,
> ++  AC_MSG_ERROR([--with-libmetalink no longer works!]))
> + 
> + dnl
> *********************************************************************
> *
> + dnl Check for the presence of LIBSSH2 libraries and headers
> +diff --git a/src/Makefile.am b/src/Makefile.am
> +index dff248f..6b7547f 100644
> +--- a/src/Makefile.am
> ++++ b/src/Makefile.am
> +@@ -61,18 +61,15 @@ CFLAGS += @CURL_CFLAG_EXTRAS@
> + LIBS = $(BLANK_AT_MAKETIME)
> + 
> + if USE_EXPLICIT_LIB_DEPS
> +-curl_LDADD = $(top_builddir)/lib/libcurl.la @LIBMETALINK_LIBS@
> @LIBCURL_LIBS@
> ++curl_LDADD = $(top_builddir)/lib/libcurl.la @LIBCURL_LIBS@
> + else
> +-curl_LDADD = $(top_builddir)/lib/libcurl.la @LIBMETALINK_LIBS@
> @NSS_LIBS@ @SSL_LIBS@ @ZLIB_LIBS@ @CURL_NETWORK_AND_TIME_LIBS@
> ++curl_LDADD = $(top_builddir)/lib/libcurl.la @NSS_LIBS@ @SSL_LIBS@
> @ZLIB_LIBS@ @CURL_NETWORK_AND_TIME_LIBS@
> + endif
> + 
> +-curl_LDFLAGS = @LIBMETALINK_LDFLAGS@
> +-curl_CPPFLAGS = $(AM_CPPFLAGS) $(LIBMETALINK_CPPFLAGS)
> +-
> + # if unit tests are enabled, build a static library to link them
> with
> + if BUILD_UNITTESTS
> + noinst_LTLIBRARIES = libcurltool.la
> +-libcurltool_la_CPPFLAGS = $(LIBMETALINK_CPPFLAGS) $(AM_CPPFLAGS) \
> ++libcurltool_la_CPPFLAGS = $(AM_CPPFLAGS) \
> +                           -DCURL_STATICLIB -DUNITTESTS
> + libcurltool_la_CFLAGS =
> + libcurltool_la_LDFLAGS = -static $(LINKFLAGS)
> +-- 
> +2.17.1
> +
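Review bot: the patch header's provenance does not match the `Upstream-Status: Backport` line. `From: Daniel Stenberg` is paired with `Date: Tue, 26 Oct 2021 11:10:31 +0800`, which appears to be the time of the local cherry-pick (same day and timezone as this mail) rather than the original upstream commit date, and the diffstat shows only `configure.ac` and `src/Makefile.am` (5 insertions, 100 deletions), so a reader cannot tell from the header whether this is the whole of upstream commit 265b14d6b37c4298bd5556fabcbc37d36f911693 or only its build-system part. State explicitly which hunks of the upstream commit were taken and which were left out, and keep the upstream author date. Minor: the embedded message reads `Cloes #7176` for `Closes #7176`.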
> diff --git a/meta/recipes-support/curl/curl_7.75.0.bb b/meta/recipes-
> support/curl/curl_7.75.0.bb
> index d9818b6f07..10e44f2709 100644
> --- a/meta/recipes-support/curl/curl_7.75.0.bb
> +++ b/meta/recipes-support/curl/curl_7.75.0.bb
> @@ -24,6 +24,7 @@ SRC_URI =
> "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
>             file://CVE-2021-22945.patch \
>             file://CVE-2021-22946.patch \
>             file://CVE-2021-22947.patch \
> +           file://0001-metalink-remove.patch \
>  "
>  
>  SRC_URI[sha256sum] =
> "50552d4501c178e4cc68baaecc487f466a3d6d19bbf4e50a01869effb316d026"
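Review bot: the new entry `file://0001-metalink-remove.patch` breaks the naming convention of its neighbours (`CVE-2021-22945.patch`, `CVE-2021-22946.patch`, `CVE-2021-22947.patch`). The `CVE: CVE-2021-22922 CVE-2021-22923` line inside the patch already records which issues it addresses, but naming the file after the CVEs as the sibling entries do keeps the recipe consistent and makes the purpose of the patch visible from `SRC_URI` alone.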
> @@ -73,7 +74,6 @@ EXTRA_OECONF = " \
>      --disable-ntlm-wb \
>      --enable-crypto-auth \
>      --with-ca-bundle=${sysconfdir}/ssl/certs/ca-certificates.crt \
> -    --without-libmetalink \
>      --without-libpsl \
>      --enable-debug \
>      --enable-optimize \
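Review bot: dropping `--without-libmetalink` is required rather than cosmetic, and the commit message should say so: the backported `configure.ac` replaces the libmetalink detection with `AC_ARG_WITH(libmetalink,, AC_MSG_ERROR([--with-libmetalink no longer works!]))`, whose action-if-given branch runs for `--without-libmetalink` as well, so leaving the option in `EXTRA_OECONF` would make configure fail. This context also shows that the recipe was already configured with `--without-libmetalink`, i.e. the shipped curl never had metalink support built in; the commit message should state whether the patch is expected to change the built binary at all or only to record CVE-2021-22922 and CVE-2021-22923 as addressed in this recipe, which is the question raised in the reply above.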
> 
> 
> 

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#157465): 
https://lists.openembedded.org/g/openembedded-core/message/157465
Mute This Topic: https://lists.openembedded.org/mt/86597181/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-