curl 8.4.0, released on October 11, fixes the vulnerabilities CVE-2023-38545 and CVE-2023-38546.

  • CVE-2023-38545: This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. [1]
  • CVE-2023-38546: This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met. [2]

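There are two ways to install: "compiling" and "updating via RPM". This article uses the RPM method to update curl to version 8.4.0.

Download the curl source package

The upgrade needs to reach at least curl 8.4. First, download the source package from the official website [3]

Package curl as an RPM

The curl source package does not ship an RPM spec file, so we have to write one ourselves, which is rather tedious. You could have ChatGPT generate one; here the curl.spec from CentOS 7 is modified instead.

Install dependencies

Some build-time dependency packages need to be installed before compiling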

bash
yum install -y automake \
  groff \
  krb5-devel \
  libidn-devel \
  libssh2-devel \
  nss-devel \
  openldap-devel \
  openssh-clients \
  openssh-server \
  pkgconfig \
  stunnel \
  zlib-devel

Install rpmbuild

bash
sudo yum install -y rpm-build redhat-rpm-config rpmdevtools

Create the working directory

rpmbuild requires a working directory with a fixed layout when building; create it as follows

bash
mkdir -pv ~/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}

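Prepare the sources and the spec file

Place the prepared spec file (.spec) and the source package in the corresponding directories

  • The .spec file goes in the SPECS directory
  • The source package goes in SOURCES

Build the RPM packages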

bash
rpmbuild -ba rpmbuild/SPECS/curl.spec

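If you are not running this from ~ but from a directory of your choice, use the following command, replacing the variable ${RPM_WORK_DIR} with your directory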

bash
rpmbuild --define "_topdir ${RPM_WORK_DIR}" -ba "${RPM_WORK_DIR}/SPECS/curl.spec"

A successful run ends with a log like the following

bash
Obsoletes: curl-devel < 8.4.0-1.el7.1
Processing files: curl-debuginfo-8.4.0-1.el7.1.x86_64
Provides: curl-debuginfo = 8.4.0-1.el7.1 curl-debuginfo(x86-64) = 8.4.0-1.el7.1
Requires(rpmlib): rpmlib(FileDigests) <= 4.6.0-1 rpmlib(PayloadFilesHavePrefix) <= 4.0-1 rpmlib(CompressedFileNames) <= 3.0.4-1
Checking for unpackaged file(s): /usr/lib/rpm/check-files /root/rpmbuild/BUILDROOT/curl-8.4.0-1.el7.1.x86_64
warning: Installed (but unpackaged) file(s) found:
   /usr/lib64/libcurl.a
Wrote: /root/rpmbuild/SRPMS/curl-8.4.0-1.el7.1.src.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/curl-8.4.0-1.el7.1.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/libcurl-8.4.0-1.el7.1.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/libcurl-devel-8.4.0-1.el7.1.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/curl-debuginfo-8.4.0-1.el7.1.x86_64.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.mC4nLf
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd curl-8.4.0
+ rm -rf /root/rpmbuild/BUILDROOT/curl-8.4.0-1.el7.1.x86_64
+ exit 0

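Update the curl RPM packages

The built packages are in the RPMS/x86_64 directory under the rpmbuild working directory; change into it and install the RPM packages directly to complete the upgrade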

bash
$ cd rpmbuild/RPMS/x86_64/
$ ll
total 3284
-rw-r--r-- 1 root root  358040 Oct 14 21:44 curl-8.4.0-1.el7.1.x86_64.rpm
-rw-r--r-- 1 root root 1786336 Oct 14 21:44 curl-debuginfo-8.4.0-1.el7.1.x86_64.rpm
-rw-r--r-- 1 root root  278012 Oct 14 21:44 libcurl-8.4.0-1.el7.1.x86_64.rpm
-rw-r--r-- 1 root root  930532 Oct 14 21:44 libcurl-devel-8.4.0-1.el7.1.x86_64.rpm
$ yum update libcurl-8.4.0-1.el7.1.x86_64.rpm curl-8.4.0-1.el7.1.x86_64.rpm

[Screenshot: image-20231014143647542]

As the screenshot shows, the installation completes directly

After the update, check the version information

bash
$ curl -V
curl 8.4.0 (x86_64-redhat-linux-gnu) libcurl/8.4.0 OpenSSL/1.0.2k-fips zlib/1.2.7 OpenLDAP/2.4.44
Release-Date: 2023-10-11
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS HSTS HTTPS-proxy IPv6 Largefile libz NTLM SSL UnixSockets

This completes the curl update: curl and libcurl have both been updated to 8.4.0, which successfully patches the vulnerabilities.
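To repeat this check across hosts, the following added example (not part of the original article) parses the first line of `curl -V` and passes only when both the curl tool and the libcurl it loads report at least 8.4.0, the version this article upgrades to. The function names and the two non-upgraded sample banners are constructed for illustration.

```bash
# Added example: verify that curl AND libcurl are at or above the fixed version.
MIN_VERSION="8.4.0"   # threshold stated in the article

# ver_ge A B: succeed when dotted numeric version A >= B (so 8.10.0 > 8.4.0).
ver_ge() {
  va=$1 vb=$2
  while [ -n "$va$vb" ]; do
    x=${va%%.*} y=${vb%%.*}
    case $va in *.*) va=${va#*.} ;; *) va= ;; esac
    case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
    if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
    if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
  done
  return 0
}

# Pull the two version numbers out of the first line of `curl -V` output.
tool_version() { printf '%s\n' "$1" | sed -n '1s/^curl \([0-9][0-9.]*\).*/\1/p'; }
lib_version()  { printf '%s\n' "$1" | sed -n '1s/.* libcurl\/\([0-9][0-9.]*\).*/\1/p'; }

# check_curl_banner BANNER: print a verdict; return 0 only when both pass.
check_curl_banner() {
  tool=$(tool_version "$1"); lib=$(lib_version "$1")
  if [ -z "$tool" ] || [ -z "$lib" ]; then
    echo "unparsable banner"; return 3
  fi
  if ! ver_ge "$lib" "$MIN_VERSION"; then
    echo "libcurl $lib < $MIN_VERSION"; return 2
  fi
  if ! ver_ge "$tool" "$MIN_VERSION"; then
    echo "curl $tool < $MIN_VERSION"; return 1
  fi
  echo "ok: curl $tool, libcurl $lib"
}

# Sample banners: UPGRADED is the article's own output line; OLD and MIXED are
# constructed (an old build, and a new tool still loading an old libcurl).
UPGRADED='curl 8.4.0 (x86_64-redhat-linux-gnu) libcurl/8.4.0 OpenSSL/1.0.2k-fips zlib/1.2.7 OpenLDAP/2.4.44'
OLD='curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.44 zlib/1.2.7'
MIXED='curl 8.4.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.44 zlib/1.2.7'

for banner in "$UPGRADED" "$OLD" "$MIXED"; do
  check_curl_banner "$banner" || true
done
# On a real host: check_curl_banner "$(curl -V)"
```

Long-running programs that loaded the old libcurl before the update keep using it until they are restarted.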

Notes:

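  • When building on CentOS 6, remember to disable the "regenerate Makefile.in files" step
  • valgrind is a tool for improving test coverage; the dependency on it can be dropped
  • Choose the remaining dependencies yourself; not all of the official dependencies are needed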

Reference

[1] CVE-2023-38545

[2] CVE-2023-38546

[3] curl download

[4] curl.spec