[24.11] curlMinimal: backport patch for CVE-2025-5399 (#413957)

2025-06-08 02:38:11 +09:00 · 2025-06-07 08:07:28 +02:00 · 2025-06-07 08:07:28 +02:00 · 433aff6f26
commit 433aff6f26
parent 5eb8d5fef2 db6ec0f717
2 changed files with 43 additions and 14 deletions
--- a/pkgs/by-name/cu/curlMinimal/fix-CVE-2025-5399.patch
+++ b/pkgs/by-name/cu/curlMinimal/fix-CVE-2025-5399.patch
@ -0,0 +1,25 @@
+From d1145df24de8f80e6b167fbc4f28b86bcd0c6832 Mon Sep 17 00:00:00 2001
+From: z2_ <88509734+z2-2z@users.noreply.github.com>
+Date: Sat, 31 May 2025 14:22:00 +0200
+Subject: [PATCH] ws: handle blocked sends better
+
+Closes #17496
+---
+ lib/ws.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/lib/ws.c b/lib/ws.c
+index 93ec3a785ad9..61ab5019fd81 100644
+--- a/lib/ws.c
+++ b/lib/ws.c
+@@ -1384,6 +1384,10 @@ CURL_EXTERN CURLcode curl_ws_send(CURL *d, const void *buffer_arg,
+       if(n < 0 && (result != CURLE_AGAIN))
+         goto out;
+       ws->sendbuf_payload += Curl_bufq_len(&ws->sendbuf) - prev_len;
+      if(!ws->sendbuf_payload) {
+        result = CURLE_AGAIN;
+        goto out;
+      }
+     }
+ 
+     /* flush, blocking when in callback */
--- a/pkgs/by-name/cu/curlMinimal/package.nix
+++ b/pkgs/by-name/cu/curlMinimal/package.nix
@ -98,22 +98,26 @@ stdenv.mkDerivation (finalAttrs: {
    hash = "sha256-A0Hx7ZeibIEauuvTfWK4M5VnkrdgfqPxXQAWE8dt4gI=";
  };

-  patches = lib.optionals wolfsslSupport [
-    (fetchpatch {
-      # https://curl.se/docs/CVE-2025-4947.html backported to 8.13. Remove when version is bumped to 8.14.
-      # Note that this works since fetchpatch uses curl, but does not use WolfSSL.
-      name = "curl-CVE-2025-4947.patch";
-      url = "https://github.com/curl/curl/commit/a85f1df4803bbd272905c9e7125.diff";
-      hash = "sha256-zxwcboJwHjpcVciJXoCiSLrkAi0V9GtSEBf14V6cfvQ=";
+  patches =
+    [
+      ./fix-CVE-2025-5399.patch
+    ]
+    ++ lib.optionals wolfsslSupport [
+      (fetchpatch {
+        # https://curl.se/docs/CVE-2025-4947.html backported to 8.13. Remove when version is bumped to 8.14.
+        # Note that this works since fetchpatch uses curl, but does not use WolfSSL.
+        name = "curl-CVE-2025-4947.patch";
+        url = "https://github.com/curl/curl/commit/a85f1df4803bbd272905c9e7125.diff";
+        hash = "sha256-zxwcboJwHjpcVciJXoCiSLrkAi0V9GtSEBf14V6cfvQ=";

-      # All the test patches fail to apply (seemingly, they were added for 8.14)
-      includes = [ "lib/vquic/vquic-tls.c" ];
+        # All the test patches fail to apply (seemingly, they were added for 8.14)
+        includes = [ "lib/vquic/vquic-tls.c" ];

-      postFetch = ''
-        substituteInPlace $out --replace-fail "ctx->wssl.ssl" "ctx->wssl.handle"
-      '';
-    })
-  ];
+        postFetch = ''
+          substituteInPlace $out --replace-fail "ctx->wssl.ssl" "ctx->wssl.handle"
+        '';
+      })
+    ];

  # this could be accomplished by updateAutotoolsGnuConfigScriptsHook, but that causes infinite recursion
  # necessary for FreeBSD code path in configure