[25.05] curlFull: fix CVE-2025-10148 patch #444299

Merged
vcunat merged 1 commit into NixOS:staging-25.05 from LeSuisse:curl-fix-CVE-2025-10148 on Sep 24, 2025
Conversation

@LeSuisse (Member)

Upstream patch needs a bit of adjustment to build on top of curl 8.14.1.

Follow up to #441889

Things done

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

@github-actions github-actions bot left a comment

This report is automatically generated by the PR / Check / cherry-pick CI workflow.

Some of the commits in this PR require the author's and reviewer's attention.

Please follow the backporting guidelines and cherry-pick with the -x flag.
This requires changes to the unstable master and staging branches first, before backporting them.

Occasionally, commits are not cherry-picked at all, for example when updating minor versions of packages which have already advanced to the next major on unstable.
These commits can optionally be marked with a Not-cherry-picked-because: <reason> footer.

If you need to merge this PR despite the warnings, please dismiss this review shortly before merging.

Warning

Couldn't locate original commit hash in message of d3f1981.

Hint: The full diffs are also available in the runner logs with slightly better highlighting.

@nixpkgs-ci nixpkgs-ci bot added 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-darwin: 5001+ This PR causes many rebuilds on Darwin and must target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. 4.workflow: backport This targets a stable branch 9.needs: reviewer This PR currently has no reviewers requested and needs attention. labels Sep 19, 2025
@vcunat (Member)

vcunat commented Sep 19, 2025

Nit: this needs to target staging-next-25.05.

@vcunat (Member)

vcunat commented Sep 19, 2025

Ah, though we don't want such a huge rebuild at this stage when all binaries are ready. So maybe some hack on that branch and keep this PR as it is.

vcunat added a commit that referenced this pull request Sep 19, 2025
The -fixed patch is taken from
#444299
@LeSuisse (Member, Author)

Thanks for dealing with the workaround <3 and sorry that I did not catch it earlier.

Upstream patch needs a bit of adjustment to build on top of
curl 8.14.1.
@LeSuisse LeSuisse force-pushed the curl-fix-CVE-2025-10148 branch from ed0141f to d3f1981 Compare September 22, 2025 10:46
@nix-owners nix-owners bot requested review from Scrumplex and lovek323 September 22, 2025 10:52
@nixpkgs-ci nixpkgs-ci bot removed the 9.needs: reviewer This PR currently has no reviewers requested and needs attention. label Sep 22, 2025
@Scrumplex Scrumplex (Member) left a comment
Changes LGTM. Have not tried to build it yet.

@nixpkgs-ci nixpkgs-ci bot added 12.approvals: 1 This PR was reviewed and approved by one person. 12.approved-by: package-maintainer This PR was reviewed and approved by a maintainer listed in any of the changed packages. labels Sep 23, 2025
@vcunat vcunat merged commit 2c65c84 into NixOS:staging-25.05 Sep 24, 2025
31 of 33 checks passed
@vcunat (Member)

vcunat commented Sep 24, 2025

This doesn't change curlFull build anymore; we got that in nixos-25.05 already (conditionally, via ea70177). And for other curl variants the affected part of code isn't compiled, which is why it passed.

@LeSuisse LeSuisse deleted the curl-fix-CVE-2025-10148 branch September 25, 2025 07:54
aaron-nall pushed a commit to aaron-nall/nixpkgs that referenced this pull request Sep 25, 2025
The -fixed patch is taken from
NixOS#444299