libcurl: add version 8.4.0 (fix CVE-2023-38545) #19769

Merged
merged 8 commits into from
Nov 13, 2023


toge
Contributor

@toge toge commented Sep 13, 2023

Specify library name and version: libcurl/*


@github-actions
Contributor

🤖 Beep Boop! This pull request is making changes to 'recipes/libcurl//'.

👋 @Hopobcn you might be interested. 😉

Member

@AbrilRBS AbrilRBS left a comment

I need to ask for context on the linked issue and ask where things are regarding it before approving, thanks for bringing it to my attention :)

@AbrilRBS AbrilRBS self-assigned this Sep 15, 2023
@ghost

ghost commented Sep 15, 2023

I detected other pull requests that are modifying libcurl/all recipe:

This message is automatically generated by https://github.com/ericLemanissier/conan-center-conflicting-prs so don't hesitate to report issues/improvements there.

@toge
Contributor Author

toge commented Sep 15, 2023

@RubenRBS
I think the following errors are caused by that Conan issue.

CMake Error at C:/J2/w/prod-v1/bsr/7946/bbabb/.conan/data/libcurl/8.3.0/_/_/build/fa3bb3edaa54f36a50cf6abdc608eebc812e703c/build/CMakeFiles/CMakeTmp/CMakeLists.txt:22 (add_executable):
  Target "cmTC_01e0c" links to target
  "CONAN_LIB::openssl_OpenSSL_SSL_libssl_RELEASE" but the target was not
  found.  Perhaps a find_package() call is missing for an IMPORTED target, or
  an ALIAS target is missing?


CMake Error at C:/J2/w/prod-v1/bsr/7946/bbabb/.conan/data/libcurl/8.3.0/_/_/build/fa3bb3edaa54f36a50cf6abdc608eebc812e703c/build/CMakeFiles/CMakeTmp/CMakeLists.txt:22 (add_executable):
  Target "cmTC_01e0c" links to target
  "CONAN_LIB::openssl_OpenSSL_Crypto_libcrypto_RELEASE" but the target was
  not found.  Perhaps a find_package() call is missing for an IMPORTED
  target, or an ALIAS target is missing?


CMake Error at C:/J2/w/prod-v1/bsr/7946/bbabb/.conan/data/libcurl/8.3.0/_/_/build/fa3bb3edaa54f36a50cf6abdc608eebc812e703c/build/CMakeFiles/CMakeTmp/CMakeLists.txt:22 (add_executable):
  Target "cmTC_01e0c" links to target "CONAN_LIB::zlib_zlib_RELEASE" but the
  target was not found.  Perhaps a find_package() call is missing for an
  IMPORTED target, or an ALIAS target is missing?

https://c3i.jfrog.io/c3i/misc/logs/pr/19769/1-windows-visual_studio/libcurl/8.3.0//fa3bb3edaa54f36a50cf6abdc608eebc812e703c-build.txt

@valgur
Contributor

valgur commented Sep 16, 2023

@RubenRBS
I think the following errors are caused by that Conan issue.

CMake Error at C:/J2/w/prod-v1/bsr/7946/bbabb/.conan/data/libcurl/8.3.0/_/_/build/fa3bb3edaa54f36a50cf6abdc608eebc812e703c/build/CMakeFiles/CMakeTmp/CMakeLists.txt:22 (add_executable):
  Target "cmTC_01e0c" links to target
  "CONAN_LIB::openssl_OpenSSL_SSL_libssl_RELEASE" but the target was not
  found.  Perhaps a find_package() call is missing for an IMPORTED target, or
  an ALIAS target is missing?


CMake Error at C:/J2/w/prod-v1/bsr/7946/bbabb/.conan/data/libcurl/8.3.0/_/_/build/fa3bb3edaa54f36a50cf6abdc608eebc812e703c/build/CMakeFiles/CMakeTmp/CMakeLists.txt:22 (add_executable):
  Target "cmTC_01e0c" links to target
  "CONAN_LIB::openssl_OpenSSL_Crypto_libcrypto_RELEASE" but the target was
  not found.  Perhaps a find_package() call is missing for an IMPORTED
  target, or an ALIAS target is missing?


CMake Error at C:/J2/w/prod-v1/bsr/7946/bbabb/.conan/data/libcurl/8.3.0/_/_/build/fa3bb3edaa54f36a50cf6abdc608eebc812e703c/build/CMakeFiles/CMakeTmp/CMakeLists.txt:22 (add_executable):
  Target "cmTC_01e0c" links to target "CONAN_LIB::zlib_zlib_RELEASE" but the
  target was not found.  Perhaps a find_package() call is missing for an
  IMPORTED target, or an ALIAS target is missing?

https://c3i.jfrog.io/c3i/misc/logs/pr/19769/1-windows-visual_studio/libcurl/8.3.0//fa3bb3edaa54f36a50cf6abdc608eebc812e703c-build.txt

Huh, that's interesting. I'm getting that same error for libjpeg with MSVC in #19298. I wonder if it's related in any way.

@ghost ghost mentioned this pull request Sep 26, 2023
3 tasks
@AbrilRBS
Member

AbrilRBS commented Oct 3, 2023

@toge sorry for the late response, didn't see this ping until now

Where does the error come from? A previous build? The current logs all seem to be passing

@toge
Contributor Author

toge commented Oct 4, 2023

@RubenRBS
The above message occurred in https://c3i.jfrog.io/c3i/misc/logs/pr/19769/1-windows-visual_studio/libcurl/8.3.0//fa3bb3edaa54f36a50cf6abdc608eebc812e703c-build.txt.

To avoid it, I added a small patch to disable HAVE_SSL_SET0_WBIO.
a2b431a

@ghost ghost mentioned this pull request Oct 5, 2023
12 tasks
@toge toge changed the title libcurl: add version 8.3.0 libcurl: add version 8.4.0 Oct 11, 2023
@toge toge changed the title libcurl: add version 8.4.0 libcurl: add version 8.4.0 (fix CVE-2023-38545) Oct 11, 2023
@dietssa
Contributor

dietssa commented Oct 13, 2023

I noticed that build fails locally for me with the following configuration (buildbot cancelled execution before attempting them):
libcurl/8.4.0@ Windows, Visual Studio, Debug+Release, shared=True

The error message is:

libcurl/8.4.0@dietssa/develop (test package): Calling build()
[...]
LINK : fatal error LNK1104: cannot open file 'libcurl_imp.lib' [C:\work\git\libcurl\testbuild\test_package.vcxproj]

There is actually no .lib-file in the build folder at all.

In contrast to that, I tested the libcurl upstream cmake build for 8.4.0 as described in https://github.com/curl/curl/blob/master/docs/INSTALL.cmake and it builds the .lib-file as expected.

Diffing the full linker command line in the conan recipe build vs. upstream build showed that the linker option /DEF is missing in the case of the conan recipe build. /DEF is used to pass a .def-file with EXPORTS statements, which triggers the linker to create the import library.

I suspect this is related to the following change in libcurl release 8.4.0: curl/curl#11914

In the conan recipe, we prevent this from working correctly due to a patch that removes the "CurlSymbolHiding"-logic from the upstream CMakeLists.txt:
https://github.com/conan-io/conan-center-index/blob/master/recipes/libcurl/all/conanfile.py#L332-L334

Suggested fix: Remove this patch in conanfile.py. It's marked as "suspicious" anyway ;-)
Tested locally with Windows, Visual Studio and Linux, GCC.

@toge
Contributor Author

toge commented Oct 15, 2023

@dietssa
Thank you for your detailed investigation!
The CurlSymbolHiding is now enabled only for 8.4 to minimize the impact.
If it is not adequate, please tell me again.

@Cogitri
Contributor

Cogitri commented Oct 16, 2023

FWIW, I also had to set HAVE_OPENSSL_SRP and HAVE_SSL_CTX_SET_QUIC_METHOD for my windows build to work.

@leha-bot
Contributor

leha-bot commented Nov 7, 2023

This PR will close #20529.

@NiuBlibing

@toge @RubenRBS Hi, is this pr ready to merge?

@conan-center-bot
Collaborator

Conan v1 pipeline ✔️

All green in build 9 (23d17e6caa687ffe4307322e64152c44088960ed):

  • libcurl/8.2.0:
    All packages built successfully! (All logs)

  • libcurl/8.2.1:
    All packages built successfully! (All logs)

  • libcurl/8.4.0:
    All packages built successfully! (All logs)

  • libcurl/8.1.2:
    All packages built successfully! (All logs)

  • libcurl/7.83.1:
    All packages built successfully! (All logs)

  • libcurl/7.79.1:
    All packages built successfully! (All logs)

  • libcurl/8.0.1:
    All packages built successfully! (All logs)

  • libcurl/7.80.0:
    All packages built successfully! (All logs)

  • libcurl/7.84.0:
    All packages built successfully! (All logs)

  • libcurl/8.1.1:
    All packages built successfully! (All logs)

  • libcurl/7.82.0:
    All packages built successfully! (All logs)

  • libcurl/7.88.1:
    All packages built successfully! (All logs)

  • libcurl/7.87.0:
    All packages built successfully! (All logs)

  • libcurl/7.78.0:
    All packages built successfully! (All logs)

  • libcurl/7.86.0:
    All packages built successfully! (All logs)

  • libcurl/7.85.0:
    All packages built successfully! (All logs)


Conan v2 pipeline ✔️

Note: Conan v2 builds are now mandatory. Please read our discussion about it.

All green in build 9 (23d17e6caa687ffe4307322e64152c44088960ed):

  • libcurl/8.4.0:
    All packages built successfully! (All logs)

  • libcurl/8.2.1:
    All packages built successfully! (All logs)

  • libcurl/8.1.1:
    All packages built successfully! (All logs)

  • libcurl/7.88.1:
    All packages built successfully! (All logs)

  • libcurl/8.2.0:
    All packages built successfully! (All logs)

  • libcurl/7.86.0:
    All packages built successfully! (All logs)

  • libcurl/8.1.2:
    All packages built successfully! (All logs)

  • libcurl/7.82.0:
    All packages built successfully! (All logs)

  • libcurl/7.78.0:
    All packages built successfully! (All logs)

  • libcurl/7.80.0:
    All packages built successfully! (All logs)

  • libcurl/7.83.1:
    All packages built successfully! (All logs)

  • libcurl/7.79.1:
    All packages built successfully! (All logs)

  • libcurl/7.84.0:
    All packages built successfully! (All logs)

  • libcurl/8.0.1:
    All packages built successfully! (All logs)

  • libcurl/7.85.0:
    All packages built successfully! (All logs)

  • libcurl/7.87.0:
    All packages built successfully! (All logs)

Member

@uilianries uilianries left a comment

@uilianries uilianries self-assigned this Nov 13, 2023
@conan-center-bot conan-center-bot merged commit 5a5eae0 into conan-io:master Nov 13, 2023
@@ -303,7 +303,7 @@ def _patch_autotools(self):
"AC_CHECK_LIB(z,",
f"AC_CHECK_LIB({zlib_name},")
replace_in_file(self, configure_ac,
"-lz ",
"-lz",
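Review bot: In the replace_in_file call on configure_ac, the two pattern lines differ only by the trailing space, and a search for "-lz" without it also matches the start of any longer flag such as -lzstd, so that flag would be rewritten as well. Keep the trailing space in the search string and in its replacement, or match the flag as a whole token.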
Contributor

@SpaceIm SpaceIm Nov 13, 2023

This change may break with_zstd=True: https://github.com/curl/curl/blob/curl-8_4_0/configure.ac#L1512. There was a good reason for this extra space in pattern.

Is there an upstream proposal to add the configure script option?
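
The pattern collision SpaceIm points out in the review comment above, as an added example that is not part of this PR or the recipe: a literal search for "-lz" also hits the start of "-lzstd", while "-lz " does not. The SAMPLE lines are constructed, and the helper names and the zlib_name value "zlibstatic" are hypothetical.

```python
import re

# Constructed lines in the style of a configure.ac; not copied from curl.
SAMPLE = (
    'LIBS="-lz $LIBS"\n'
    'LIBS="-lzstd $LIBS"\n'
)

# A linker flag token such as -lz or -lzstd.
FLAG = re.compile(r"-l[\w.+-]+")


def collateral_flags(text, search):
    """Return (line_no, flag) for every flag that a literal `search` would
    alter although it is not the flag that `search` names."""
    intended = search.strip()
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        # Character spans where the literal pattern matches on this line.
        spans = [(m.start(), m.end())
                 for m in re.finditer(re.escape(search), line)]
        for flag in FLAG.finditer(line):
            touched = any(s < flag.end() and e > flag.start()
                          for s, e in spans)
            if touched and flag.group() != intended:
                hits.append((line_no, flag.group()))
    return hits


def patch(text, search, zlib_name):
    """Literal replacement in the manner of a replace_in_file edit.
    `zlib_name` is a hypothetical library name chosen for this example;
    trailing whitespace in `search` is carried over to the replacement."""
    trailing = search[len(search.rstrip()):]
    return text.replace(search, f"-l{zlib_name}{trailing}")


if __name__ == "__main__":
    for pattern in ("-lz ", "-lz"):
        print(repr(pattern), "collateral:", collateral_flags(SAMPLE, pattern))
        print(patch(SAMPLE, pattern, "zlibstatic"))
```

Running `collateral_flags` over the real configure.ac with each candidate pattern before changing a recipe's search string shows which other flags the edit would touch.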
