Skip to content

civetweb: 1.15 -> 1.16, apply patch for CVE-2025-55763#446986

Merged
misuzu merged 3 commits intoNixOS:masterfrom
LeSuisse:civetweb-1.16-CVE-2025-55763
Oct 6, 2025
Merged

civetweb: 1.15 -> 1.16, apply patch for CVE-2025-55763#446986
misuzu merged 3 commits intoNixOS:masterfrom
LeSuisse:civetweb-1.16-CVE-2025-55763

Conversation

@LeSuisse
Copy link
Member

@LeSuisse LeSuisse commented Sep 28, 2025
edited
Loading

Changes:
https://github.com/civetweb/civetweb/releases/tag/v1.16

A public POC exists for CVE-2025-55763:
https://github.com/krispybyte/CVE-2025-55763

Things done

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 446986
Commit: bc72d702c630881bf5f4763902605352514acd2e

x86_64-linux

✅ 20 packages built:
  • civetweb
  • civetweb.dev
  • hydra
  • hydra.doc
  • luanti
  • luanti-server
  • orthanc
  • orthanc-framework
  • orthanc-plugin-dicomweb
  • orthanc.dev
  • orthanc.doc
  • prometheus-cpp
  • prometheus-cpp.dev
  • proxysql
  • python312Packages.zeek (python312Packages.zeek.py)
  • python313Packages.zeek (python313Packages.zeek.py)
  • saunafs
  • saunafs.dev
  • saunafs.man
  • zeek

Add a 👍 reaction to pull requests you find important.

@LeSuisse LeSuisse added 1.severity: security Issues which raise a security issue, or PRs that fix one backport release-25.05 labels Sep 28, 2025
@LeSuisse LeSuisse force-pushed the civetweb-1.16-CVE-2025-55763 branch from 95a0ab5 to bc72d70 Compare September 28, 2025 20:00
@nixpkgs-ci nixpkgs-ci bot added 10.rebuild-linux: 11-100 This PR causes between 11 and 100 packages to rebuild on Linux. 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 9.needs: reviewer This PR currently has no reviewers requested and needs attention. labels Sep 28, 2025
@misuzu
Copy link
Contributor

misuzu commented Oct 5, 2025

Doesn't build on top of master:

% nix-build --no-out-link . -A pkgs.civetweb
this derivation will be built:
  /nix/store/bag3nr8fbgl1ryddk5rs95x2mr9036a1-civetweb-1.16.drv
building '/nix/store/bag3nr8fbgl1ryddk5rs95x2mr9036a1-civetweb-1.16.drv'...
Running phase: unpackPhase
unpacking source archive /nix/store/39445dw643ifxsysz0p1690dckaip4i8-source
source root is source
Running phase: patchPhase
applying patch /nix/store/3b7lw3rm649777bk3izm6raqp2awhixi-fix-pkg-config-files.patch
patching file cmake/civetweb-cpp.pc.in
patching file cmake/civetweb.pc.in
applying patch /nix/store/ba8wks11nfsrcn75k1cjr07qp4pg10zj-CVE-2025-55763.patch
patching file src/civetweb.c
Hunk #1 succeeded at 15242 (offset -337 lines).
Hunk #2 succeeded at 15254 (offset -337 lines).
Running phase: updateAutotoolsGnuConfigScriptsPhase
Running phase: configurePhase
cmake flags: -DCMAKE_FIND_USE_SYSTEM_PACKAGE_REGISTRY=OFF -DCMAKE_FIND_USE_PACKAGE_REGISTRY=OFF -DCMAKE_EXPORT_NO_PACKAGE_REGISTRY=ON -DCMAKE_BUILD_TYPE=Release -DBUILD_TESTING=OFF -DCMAKE_INSTALL_LOCALEDIR=/nix/st
ore/6mj13f8dxrc9mn5hcdi5qjwnh7ins55l-civetweb-1.16/share/locale -DCMAKE_INSTALL_LIBEXECDIR=/nix/store/6mj13f8dxrc9mn5hcdi5qjwnh7ins55l-civetweb-1.16/libexec -DCMAKE_INSTALL_LIBDIR=/nix/store/6mj13f8dxrc9mn5hcdi5qjw
nh7ins55l-civetweb-1.16/lib -DCMAKE_INSTALL_DOCDIR=/nix/store/6mj13f8dxrc9mn5hcdi5qjwnh7ins55l-civetweb-1.16/share/doc/civetweb -DCMAKE_INSTALL_INFODIR=/nix/store/6mj13f8dxrc9mn5hcdi5qjwnh7ins55l-civetweb-1.16/shar
e/info -DCMAKE_INSTALL_MANDIR=/nix/store/6mj13f8dxrc9mn5hcdi5qjwnh7ins55l-civetweb-1.16/share/man -DCMAKE_INSTALL_INCLUDEDIR=/nix/store/js8ndyjkfzqd6n3rqn5iz3gvhclkskgy-civetweb-1.16-dev/include -DCMAKE_INSTALL_SBI
NDIR=/nix/store/6mj13f8dxrc9mn5hcdi5qjwnh7ins55l-civetweb-1.16/sbin -DCMAKE_INSTALL_BINDIR=/nix/store/6mj13f8dxrc9mn5hcdi5qjwnh7ins55l-civetweb-1.16/bin -DCMAKE_INSTALL_NAME_DIR=/nix/store/6mj13f8dxrc9mn5hcdi5qjwnh
7ins55l-civetweb-1.16/lib -DCMAKE_POLICY_DEFAULT_CMP0025=NEW -DCMAKE_FIND_FRAMEWORK=LAST -DCMAKE_STRIP=/nix/store/dmypp1h4ldn0vfk3fi6yfyf5yxp9yz0k-gcc-wrapper-14.3.0/bin/strip -DCMAKE_RANLIB=/nix/store/dmypp1h4ldn0
vfk3fi6yfyf5yxp9yz0k-gcc-wrapper-14.3.0/bin/ranlib -DCMAKE_AR=/nix/store/dmypp1h4ldn0vfk3fi6yfyf5yxp9yz0k-gcc-wrapper-14.3.0/bin/ar -DCMAKE_C_COMPILER=gcc -DCMAKE_CXX_COMPILER=g++ -DCMAKE_INSTALL_PREFIX=/nix/store/
6mj13f8dxrc9mn5hcdi5qjwnh7ins55l-civetweb-1.16 -DBUILD_SHARED_LIBS=ON -DCIVETWEB_ENABLE_CXX=ON -DCIVETWEB_ENABLE_IPV6=ON -DCIVETWEB_BUILD_TESTING=OFF -DCIVETWEB_THREAD_STACK_SIZE=0
CMake Error at CMakeLists.txt:2 (cmake_minimum_required):
  Compatibility with CMake < 3.5 has been removed from CMake.

  Update the VERSION argument <min> value.  Or, use the <min>...<max> syntax
  to tell CMake that the project requires at least <min> but has been updated
  to work with policies introduced by <max> or earlier.

  Or, add -DCMAKE_POLICY_VERSION_MINIMUM=3.5 to try configuring anyway.


-- Configuring incomplete, errors occurred!

@LeSuisse LeSuisse force-pushed the civetweb-1.16-CVE-2025-55763 branch from bc72d70 to 1b9d858 Compare October 5, 2025 17:06
@LeSuisse LeSuisse force-pushed the civetweb-1.16-CVE-2025-55763 branch from 1b9d858 to f9284ce Compare October 5, 2025 17:08
@misuzu
Copy link
Contributor

misuzu commented Oct 6, 2025

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 446986
Commit: f9284ceeeb49836e1d5f1198cd89018283f724c0

x86_64-linux

❌ 2 packages failed to build:
  • orthanc-plugin-dicomweb
  • proxysql
✅ 18 packages built:
  • civetweb
  • civetweb.dev
  • hydra
  • hydra.doc
  • luanti
  • luanti-server
  • orthanc
  • orthanc-framework
  • orthanc.dev
  • orthanc.doc
  • prometheus-cpp
  • prometheus-cpp.dev
  • python312Packages.zeek (python312Packages.zeek.py)
  • python313Packages.zeek (python313Packages.zeek.py)
  • saunafs
  • saunafs.dev
  • saunafs.man
  • zeek

aarch64-linux

❌ 2 packages failed to build:
  • orthanc-plugin-dicomweb
  • proxysql
✅ 18 packages built:
  • civetweb
  • civetweb.dev
  • hydra
  • hydra.doc
  • luanti
  • luanti-server
  • orthanc
  • orthanc-framework
  • orthanc.dev
  • orthanc.doc
  • prometheus-cpp
  • prometheus-cpp.dev
  • python312Packages.zeek (python312Packages.zeek.py)
  • python313Packages.zeek (python313Packages.zeek.py)
  • saunafs
  • saunafs.dev
  • saunafs.man
  • zeek
Error logs: `x86_64-linux`
orthanc-plugin-dicomweb 
unpacking source archive /nix/store/g1lx38a3jzagpb0gmdhafr3p115mnmdg-hg-archive
source root is hg-archive
Running phase: patchPhase
@nix { "action": "setPhase", "phase": "patchPhase" }
Running phase: updateAutotoolsGnuConfigScriptsPhase
@nix { "action": "setPhase", "phase": "updateAutotoolsGnuConfigScriptsPhase" }
Running phase: configurePhase
@nix { "action": "setPhase", "phase": "configurePhase" }
cmake flags: -DCMAKE_FIND_USE_SYSTEM_PACKAGE_REGISTRY=OFF -DCMAKE_FIND_USE_PACKAGE_REGISTRY=OFF -DCMAKE_EXPORT_NO_PACKAGE_REGISTRY=ON -DCMAKE_BUILD_TYPE=Release -DBUILD_TESTING=OFF -DCMAKE_INSTALL_LOCALEDIR=/nix/store/zkgqmy49jjigc3hmibw6z827snsc15va-orthanc-plugin-dicomweb-1.20/share/locale -DCMAKE_INSTALL_LIBEXECDIR=/nix/store/zkgqmy49jjigc3hmibw6z827snsc15va-orthanc-plugin-dicomweb-1.20/libexec -DCMAKE_INSTALL_LIBDIR=/nix/store/zkgqmy49jjigc3hmibw6z827snsc15va-orthanc-plugin-dicomweb-1.20/lib -DCMAKE_INSTALL_DOCDIR=/nix/store/zkgqmy49jjigc3hmibw6z827snsc15va-orthanc-plugin-dicomweb-1.20/share/doc/OrthancDicomWeb -DCMAKE_INSTALL_INFODIR=/nix/store/zkgqmy49jjigc3hmibw6z827snsc15va-orthanc-plugin-dicomweb-1.20/share/info -DCMAKE_INSTALL_MANDIR=/nix/store/zkgqmy49jjigc3hmibw6z827snsc15va-orthanc-plugin-dicomweb-1.20/share/man -DCMAKE_INSTALL_INCLUDEDIR=/nix/store/zkgqmy49jjigc3hmibw6z827snsc15va-orthanc-plugin-dicomweb-1.20/include -DCMAKE_INSTALL_SBINDIR=/nix/store/zkgqmy49jjigc3hmibw6z827snsc15va-orthanc-plugin-dicomweb-1.20/sbin -DCMAKE_INSTALL_BINDIR=/nix/store/zkgqmy49jjigc3hmibw6z827snsc15va-orthanc-plugin-dicomweb-1.20/bin -DCMAKE_INSTALL_NAME_DIR=/nix/store/zkgqmy49jjigc3hmibw6z827snsc15va-orthanc-plugin-dicomweb-1.20/lib -DCMAKE_POLICY_DEFAULT_CMP0025=NEW -DCMAKE_FIND_FRAMEWORK=LAST -DCMAKE_STRIP=/nix/store/dmypp1h4ldn0vfk3fi6yfyf5yxp9yz0k-gcc-wrapper-14.3.0/bin/strip -DCMAKE_RANLIB=/nix/store/dmypp1h4ldn0vfk3fi6yfyf5yxp9yz0k-gcc-wrapper-14.3.0/bin/ranlib -DCMAKE_AR=/nix/store/dmypp1h4ldn0vfk3fi6yfyf5yxp9yz0k-gcc-wrapper-14.3.0/bin/ar -DCMAKE_C_COMPILER=gcc -DCMAKE_CXX_COMPILER=g++ -DCMAKE_INSTALL_PREFIX=/nix/store/zkgqmy49jjigc3hmibw6z827snsc15va-orthanc-plugin-dicomweb-1.20 -DCMAKE_BUILD_TYPE=Release -DSTATIC_BUILD=OFF -DORTHANC_FRAMEWORK_SOURCE=system -DORTHANC_FRAMEWORK_ROOT=/nix/store/wvvgz485dk8xsrnyqy484ll8nwn8cg2q-orthanc-framework-1.12.9/include/orthanc-framework
CMake Error at CMakeLists.txt:22 (cmake_minimum_required):
  Compatibility with CMake < 3.5 has been removed from CMake.

Update the VERSION argument <min> value.  Or, use the <min>...<max> syntax

to tell CMake that the project requires at least <min> but has been updated

to work with policies introduced by <max> or earlier.


Or, add -DCMAKE_POLICY_VERSION_MINIMUM=3.5 to try configuring anyway.


-- Configuring incomplete, errors occurred!

proxysql 
  CC       ../lib/curlx/libcurltool_la-timediff.lo
  CC       ../lib/curlx/libcurltool_la-timeval.lo
  CC       ../lib/curlx/libcurltool_la-version_win32.lo
  CC       ../lib/curlx/libcurltool_la-wait.lo
  CC       ../lib/curlx/libcurltool_la-warnless.lo
  CC       curl-tool_ca_embed.o
  CCLD     curlinfo
  CCLD     curl
  CCLD     libcurltool.la
make[3]: Leaving directory '/build/source/deps/curl/curl-8.16.0/src'
Making all in scripts
make[3]: Entering directory '/build/source/deps/curl/curl-8.16.0/scripts'
make[3]: Nothing to be done for 'all'.
make[3]: Leaving directory '/build/source/deps/curl/curl-8.16.0/scripts'
make[3]: Entering directory '/build/source/deps/curl/curl-8.16.0'
make[3]: Nothing to be done for 'all-am'.
make[3]: Leaving directory '/build/source/deps/curl/curl-8.16.0'
make[2]: Leaving directory '/build/source/deps/curl/curl-8.16.0'
make[1]: Leaving directory '/build/source/deps'
make: *** [Makefile:269: build_deps_default] Error 2
Error logs: `aarch64-linux`
orthanc-plugin-dicomweb 
Running phase: unpackPhase
unpacking source archive /nix/store/g1lx38a3jzagpb0gmdhafr3p115mnmdg-hg-archive
source root is hg-archive
Running phase: patchPhase
Running phase: updateAutotoolsGnuConfigScriptsPhase
Running phase: configurePhase
cmake flags: -DCMAKE_FIND_USE_SYSTEM_PACKAGE_REGISTRY=OFF -DCMAKE_FIND_USE_PACKAGE_REGISTRY=OFF -DCMAKE_EXPORT_NO_PACKAGE_REGISTRY=ON -DCMAKE_BUILD_TYPE=Release -DBUILD_TESTING=OFF -DCMAKE_INSTALL_LOCALEDIR=/nix/store/p0wkwi233isc7m57827mkhr68kr4pmlh-orthanc-plugin-dicomweb-1.20/share/locale -DCMAKE_INSTALL_LIBEXECDIR=/nix/store/p0wkwi233isc7m57827mkhr68kr4pmlh-orthanc-plugin-dicomweb-1.20/libexec -DCMAKE_INSTALL_LIBDIR=/nix/store/p0wkwi233isc7m57827mkhr68kr4pmlh-orthanc-plugin-dicomweb-1.20/lib -DCMAKE_INSTALL_DOCDIR=/nix/store/p0wkwi233isc7m57827mkhr68kr4pmlh-orthanc-plugin-dicomweb-1.20/share/doc/OrthancDicomWeb -DCMAKE_INSTALL_INFODIR=/nix/store/p0wkwi233isc7m57827mkhr68kr4pmlh-orthanc-plugin-dicomweb-1.20/share/info -DCMAKE_INSTALL_MANDIR=/nix/store/p0wkwi233isc7m57827mkhr68kr4pmlh-orthanc-plugin-dicomweb-1.20/share/man -DCMAKE_INSTALL_INCLUDEDIR=/nix/store/p0wkwi233isc7m57827mkhr68kr4pmlh-orthanc-plugin-dicomweb-1.20/include -DCMAKE_INSTALL_SBINDIR=/nix/store/p0wkwi233isc7m57827mkhr68kr4pmlh-orthanc-plugin-dicomweb-1.20/sbin -DCMAKE_INSTALL_BINDIR=/nix/store/p0wkwi233isc7m57827mkhr68kr4pmlh-orthanc-plugin-dicomweb-1.20/bin -DCMAKE_INSTALL_NAME_DIR=/nix/store/p0wkwi233isc7m57827mkhr68kr4pmlh-orthanc-plugin-dicomweb-1.20/lib -DCMAKE_POLICY_DEFAULT_CMP0025=NEW -DCMAKE_FIND_FRAMEWORK=LAST -DCMAKE_STRIP=/nix/store/frxwlync78r3l94863r2cbnz7ngy273j-gcc-wrapper-14.3.0/bin/strip -DCMAKE_RANLIB=/nix/store/frxwlync78r3l94863r2cbnz7ngy273j-gcc-wrapper-14.3.0/bin/ranlib -DCMAKE_AR=/nix/store/frxwlync78r3l94863r2cbnz7ngy273j-gcc-wrapper-14.3.0/bin/ar -DCMAKE_C_COMPILER=gcc -DCMAKE_CXX_COMPILER=g++ -DCMAKE_INSTALL_PREFIX=/nix/store/p0wkwi233isc7m57827mkhr68kr4pmlh-orthanc-plugin-dicomweb-1.20 -DCMAKE_BUILD_TYPE=Release -DSTATIC_BUILD=OFF -DORTHANC_FRAMEWORK_SOURCE=system -DORTHANC_FRAMEWORK_ROOT=/nix/store/9hdi1n636lqxpga2sphnqgb7lqnm2abs-orthanc-framework-1.12.9/include/orthanc-framework
CMake Error at CMakeLists.txt:22 (cmake_minimum_required):
  Compatibility with CMake < 3.5 has been removed from CMake.

Update the VERSION argument <min> value.  Or, use the <min>...<max> syntax

to tell CMake that the project requires at least <min> but has been updated

to work with policies introduced by <max> or earlier.


Or, add -DCMAKE_POLICY_VERSION_MINIMUM=3.5 to try configuring anyway.


-- Configuring incomplete, errors occurred!

proxysql 
  CC       ../lib/curlx/libcurltool_la-timediff.lo
  CC       ../lib/curlx/libcurltool_la-timeval.lo
  CC       ../lib/curlx/libcurltool_la-version_win32.lo
  CC       ../lib/curlx/libcurltool_la-wait.lo
  CC       ../lib/curlx/libcurltool_la-warnless.lo
  CC       curl-tool_ca_embed.o
  CCLD     curlinfo
  CCLD     curl
  CCLD     libcurltool.la
make[3]: Leaving directory '/build/source/deps/curl/curl-8.16.0/src'
Making all in scripts
make[3]: Entering directory '/build/source/deps/curl/curl-8.16.0/scripts'
make[3]: Nothing to be done for 'all'.
make[3]: Leaving directory '/build/source/deps/curl/curl-8.16.0/scripts'
make[3]: Entering directory '/build/source/deps/curl/curl-8.16.0'
make[3]: Nothing to be done for 'all-am'.
make[3]: Leaving directory '/build/source/deps/curl/curl-8.16.0'
make[2]: Leaving directory '/build/source/deps/curl/curl-8.16.0'
make[1]: Leaving directory '/build/source/deps'
make: *** [Makefile:269: build_deps_default] Error 2

@misuzu
Copy link
Contributor

misuzu commented Oct 6, 2025

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 446986
Commit: f9284ceeeb49836e1d5f1198cd89018283f724c0

aarch64-darwin

✅ 9 packages built:
  • civetweb
  • civetweb.dev
  • luanti
  • luanti-server
  • prometheus-cpp
  • prometheus-cpp.dev
  • python312Packages.zeek (python312Packages.zeek.py)
  • python313Packages.zeek (python313Packages.zeek.py)
  • zeek

@nixpkgs-ci nixpkgs-ci bot added 12.approvals: 1 This PR was reviewed and approved by one person. and removed 9.needs: reviewer This PR currently has no reviewers requested and needs attention. labels Oct 6, 2025
@misuzu misuzu added this pull request to the merge queue Oct 6, 2025
Merged via the queue into NixOS:master with commit 54fa5a9 Oct 6, 2025
30 of 32 checks passed
@nixpkgs-ci
Copy link
Contributor

nixpkgs-ci bot commented Oct 6, 2025

Backport failed for release-25.05, because it was unable to cherry-pick the commit(s).

Please cherry-pick the changes locally and resolve any conflicts.

git fetch origin release-25.05
git worktree add -d .worktree/backport-446986-to-release-25.05 origin/release-25.05
cd .worktree/backport-446986-to-release-25.05
git switch --create backport-446986-to-release-25.05
git cherry-pick -x c6865071169c19978760626e936f12f9c8bf40f3 37bb134c12d92d1e7139c42dccdbd450ba8da11e f9284ceeeb49836e1d5f1198cd89018283f724c0

@LeSuisse LeSuisse deleted the civetweb-1.16-CVE-2025-55763 branch October 6, 2025 12:42
@LeSuisse LeSuisse mentioned this pull request Oct 6, 2025
Merged
13 tasks
@mdaniels5757 mdaniels5757 added the 8.has: port to stable This PR already has a backport to the stable release. label Oct 8, 2025
@Sigmanificient Sigmanificient mentioned this pull request Oct 12, 2025
Open
@iedame iedame mentioned this pull request Oct 24, 2025
Closed
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@misuzu misuzu misuzu approved these changes

Assignees

No one assigned

Labels

1.severity: security Issues which raise a security issue, or PRs that fix one 8.has: port to stable This PR already has a backport to the stable release. 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 10.rebuild-linux: 11-100 This PR causes between 11 and 100 packages to rebuild on Linux. 12.approvals: 1 This PR was reviewed and approved by one person.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@LeSuisse @misuzu @mdaniels5757