pkg audit has flagged Curl 7.87.0_1 as vulnerable for a week or so.

# pkg audit -Fr
vulnxml file up-to-date
curl-7.87.0_1 is vulnerable:
  curl -- multiple vulnerabilities
  CVE: CVE-2023-23916
  CVE: CVE-2023-23915
  CVE: CVE-2023-23914
  WWW: https://vuxml.FreeBSD.org/freebsd/be233fc6-bae7-11ed-a4fb-080027f5fec9.html

  Packages that depend on curl: git, localbase

1 problem(s) in 1 installed package(s) found.

There is a FreeBSD problem report (PR) for the latest version, 7.88.1: see PR269967. Combining the available patches from the PR yields:

ftp/curl: Adopt Curl 7.88.1 ahead of the official branch.

diff --git a/ftp/curl/Makefile b/ftp/curl/Makefile
index 818a353e6736..a67deb9a7533 100644
--- a/ftp/curl/Makefile
+++ b/ftp/curl/Makefile
@@ -1,6 +1,5 @@
 PORTNAME=	curl
-PORTVERSION=	7.87.0
-PORTREVISION=	1
+PORTVERSION=	7.88.1
 CATEGORIES=	ftp net www
 MASTER_SITES=	https://curl.se/download/ \
 		https://github.com/curl/curl/releases/download/curl-${PORTVERSION:S|.|_|g}/
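Review bot: dropping PORTREVISION=1 together with the PORTVERSION bump is the expected ports convention (the revision restarts on a new upstream version), so nothing needs changing here; the GitHub MASTER_SITES entry derives its path from PORTVERSION, so it picks up curl-7_88_1 without further edits.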
diff --git a/ftp/curl/distinfo b/ftp/curl/distinfo
index 61e8e2c357bb..712f70ff8ae1 100644
--- a/ftp/curl/distinfo
+++ b/ftp/curl/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1671874820
-SHA256 (curl-7.87.0.tar.xz) = ee5f1a1955b0ed413435ef79db28b834ea5f0fb7c8cfb1ce47175cc3bee08fff
-SIZE (curl-7.87.0.tar.xz) = 2547932
+TIMESTAMP = 1678721412
+SHA256 (curl-7.88.1.tar.xz) = 1dae31b2a7c1fe269de99c0c31bb488346aab3459b5ffca909d6938249ae415f
+SIZE (curl-7.88.1.tar.xz) = 2581032
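Review bot: the new SHA256 and SIZE lines should be confirmed against a curl-7.88.1.tar.xz fetched from curl.se rather than taken on trust from the PR: after `make fetch` in ftp/curl, `make checksum` compares the distfile with this distinfo, and the hash can be compared with the one upstream publishes for the release. The TIMESTAMP change only records when makesum was run and has no bearing on the integrity check.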
diff --git a/ftp/curl/files/patch-lib-url.c b/ftp/curl/files/patch-lib-url.c
index 40e5742e2d8c..f7591a75caca 100644
--- a/ftp/curl/files/patch-lib-url.c
+++ b/ftp/curl/files/patch-lib-url.c
@@ -3,16 +3,16 @@ Forwarded: not-needed
 Author: Peter Pentchev <roam@FreeBSD.org>
 Last-Update: 2010-12-18
 
---- lib/url.c.orig	2021-07-20 21:07:48 UTC
-+++ lib/url.c
-@@ -630,6 +630,10 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
-     CURL_HTTP_VERSION_1_1
+--- lib/url.c.orig	2023-03-10 11:30:54.165359000 -0500
++++ lib/url.c	2023-03-10 11:33:13.426917000 -0500
+@@ -643,6 +643,10 @@
+   set->httpwant = CURL_HTTP_VERSION_1_1
  #endif
      ;
 +#if defined(__FreeBSD_version)
 +  /* different handling of signals and threads */
 +  set->no_signal = TRUE;
 +#endif
-   Curl_http2_init_userset(set);
-   return result;
- }
+ #if defined(USE_HTTP2) || defined(USE_HTTP3)
+   memset(&set->priority, 0, sizeof(set->priority));
+ #endif
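Review bot: the unchanged `Last-Update: 2010-12-18` line in the patch header is now stale, since the diff below it was regenerated against lib/url.c from 7.88.1 on 2023-03-10; it should be bumped to the regeneration date. The new hunk header `@@ -643,6 +643,10 @@` has also lost the function-name context the old one carried (`CURLcode Curl_init_userdefined(struct Curl_easy *data)`), and the `---`/`+++` lines carry local-timezone timestamps; both are harmless, but `make makepatch` in the port directory regenerates files/patch-* in the canonical form.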
diff --git a/ftp/curl/pkg-plist b/ftp/curl/pkg-plist
index 386b00cf12e4..174b1b7b587a 100644
--- a/ftp/curl/pkg-plist
+++ b/ftp/curl/pkg-plist
@@ -566,7 +566,6 @@ share/aclocal/libcurl.m4
 %%PORTEXAMPLES%%%%EXAMPLESDIR%%/chkspeed.c
 %%PORTEXAMPLES%%%%EXAMPLESDIR%%/cookie_interface.c
 %%PORTEXAMPLES%%%%EXAMPLESDIR%%/crawler.c
-%%PORTEXAMPLES%%%%EXAMPLESDIR%%/curlgtk.c
 %%PORTEXAMPLES%%%%EXAMPLESDIR%%/debug.c
 %%PORTEXAMPLES%%%%EXAMPLESDIR%%/ephiperfifo.c
 %%PORTEXAMPLES%%%%EXAMPLESDIR%%/evhiperfifo.c
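Review bot: the plist change removes only curlgtk.c; after `make stage`, `make check-plist` should confirm that 7.88.1 added or dropped no other files under EXAMPLESDIR or elsewhere, since a plist that disagrees with the staged tree fails at package time rather than at apply time.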

I ran the make makesum command myself, hence the difference in timestamps from the original patch. Size and hash are identical.

Save the patch as, say, /tmp/ftp_curl_7.88.1.diff, and run git -C /usr/ports apply /tmp/ftp_curl_7.88.1.diff. If you maintain your own local branch, you may want to commit these changes to it, for example with git -C /usr/ports add ftp/curl; git -C /usr/ports commit -m 'ftp/curl: Adopt Curl 7.88.1 ahead of the official branch.'. Rebuild your packages using Poudriere, Synth or Portmaster, and update your system(s).
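As an added example that is not part of the original post, here is a small POSIX shell script that checks a downloaded distfile against the SHA256 and SIZE lines in a port's distinfo, the same comparison `make checksum` performs inside the ports framework. It is useful for confirming, before a rebuild, that the tarball fetched from curl.se really matches the distinfo the patch introduces. The function names and file paths are this example's own.

```shell
#!/bin/sh
# Added example (not from the post): compare a distfile with the SHA256 and
# SIZE entries recorded for it in a ports distinfo file.

# Print the SHA256 of a file using whichever tool the host provides
# (sha256 on FreeBSD, sha256sum on Linux, shasum elsewhere).
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Print a file's size in bytes; tr strips the padding BSD wc emits.
size_of() {
    wc -c < "$1" | tr -d ' '
}

# check_distinfo DISTINFO DISTFILE
# Returns 0 when both the SHA256 and SIZE recorded for the distfile's
# basename match the file on disk; returns 1 with a message on stderr
# otherwise (missing entry, hash mismatch, or size mismatch).
check_distinfo() {
    distinfo=$1
    distfile=$2
    name=$(basename "$distfile")

    # distinfo lines look like: SHA256 (curl-7.88.1.tar.xz) = <hex>
    want_sha=$(sed -n "s/^SHA256 ($name) = //p" "$distinfo")
    want_size=$(sed -n "s/^SIZE ($name) = //p" "$distinfo")
    if [ -z "$want_sha" ] || [ -z "$want_size" ]; then
        echo "check_distinfo: no SHA256/SIZE entry for $name in $distinfo" >&2
        return 1
    fi

    have_sha=$(sha256_of "$distfile")
    have_size=$(size_of "$distfile")

    if [ "$have_sha" != "$want_sha" ]; then
        echo "check_distinfo: SHA256 mismatch for $name" >&2
        echo "  expected $want_sha" >&2
        echo "  got      $have_sha" >&2
        return 1
    fi
    if [ "$have_size" != "$want_size" ]; then
        echo "check_distinfo: SIZE mismatch for $name (expected $want_size, got $have_size)" >&2
        return 1
    fi
    echo "check_distinfo: $name matches distinfo"
    return 0
}

# Usage (paths are examples):
#   sh check_distinfo.sh /usr/ports/ftp/curl/distinfo /usr/ports/distfiles/curl-7.88.1.tar.xz
if [ "$#" -eq 2 ]; then
    check_distinfo "$1" "$2"
fi
```

A non-zero exit from the script means the distfile on disk is not the one the port metadata describes, which is exactly the condition `make checksum` would refuse to build under; the script simply makes that check available outside the ports tree.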

The combined patch is readily available for downloading if that’s more convenient.
