deps: Bump com_github_curl -> 8.9.1 (envoyproxy#35688)

Fix envoyproxy#35686 and resolve related CVE ```console CVE-2024-7264 ([email protected]) CVSS v3 score: 6.5 Severity: MEDIUM Published date: 2024-07-31 Last modified date: 2024-08-12 Description: libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given an syntactically incorrect field, the parser might end up using -1 for the length of the *time fraction*, leading to a `strlen()` getting performed on a pointer to a heap buffer area that is not (purposely) null terminated. This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when [CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used. Affected CPEs: - cpe:2.3:a:haxx:libcurl:* ``` Signed-off-by: Ryan Northey <[email protected]>
linux-on-ibm-z · Aug 14, 2024 · 3299053 · 3299053
1 parent 30e0508
commit 3299053
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 19 deletions.
diff --git a/bazel/foreign_cc/curl.patch b/bazel/foreign_cc/curl.patch
@@ -3,12 +3,12 @@
 #Date:   Tue Dec 22 15:31:03 2020 -0500
 #
 #    cmake: Add an option to disable libidn2
-#    
+#
 #    New option USE_LIBIDN2 defaults to ON for libidn2 detection. Prior to
 #    this change libidn2 detection could not be turned off in cmake builds.
-#    
+#
 #    Reported-by: William A Rowe Jr
-#    
+#
 #    Fixes https://github.com/curl/curl/issues/6361
 #    Closes #xxxx
 #
@@ -17,47 +17,48 @@
 #Date:   Wed Oct 7 14:32:49 2020 -0500
 #
 #    Correct fragile windows assumptions
-#    
+#
 #    - Locking CMake to 3.16 breaks all features and corrections applied to
 #      CMake 3.17 and later, including the correction of the poorly designed
 #      and now abandoned Windows CRT election policy CMP0091 (see final para
 #      of the policy description here:
 #      https://cmake.org/cmake/help/v3.18/policy/CMP0091.html). Locking to
 #      rev 3.16 from ensures a more difficult transition to CMake-current
-#    
+#
 #    - Windows curl builds previously only adjusted the Release and Debug
 #      builds, and combined with CMP0091 to break other flavors. Update any
 #      /MD* flags with /MT* present in the base and four alternate build
 #      flavors, without introducing conflicting flag values or introducing
 #      a CRT election where one is not present
-#    
+#
 #    - Windows clang-cl builds of curl static libs are broken when using
 #      link-lld.exe because curl appended the dynamic run time flags to the
 #      static library lib.exe options. While these were ignored/no-op on
 #      Windows link.exe, they cause link-lld from LLVM/clang-cl compile
 #      toolchain to fail to parse the library command.
-#    
+#
 #    Summary exists in this bazel-specific bug report;
 #    https://github.com/bazelbuild/rules_foreign_cc/issues/426
 diff --git a/CMakeLists.txt b/CMakeLists.txt
-index ed60f07bc..0d2088cb9 100644
+index 580cc4357..13df6ca54 100644
 --- a/CMakeLists.txt
 +++ b/CMakeLists.txt
-@@ -62,6 +62,11 @@
-
+@@ -44,6 +44,12 @@
+ # variable is NOT DEFINED, the symbol detection will be performed.
+
  cmake_minimum_required(VERSION 3.7...3.16 FATAL_ERROR)
- 
++
 +# Revert CMake bug triggered by curl's defined max CMake policy version, see https://gitlab.kitware.com/cmake/cmake/-/issues/21288
 +if(POLICY CMP0091)
 +  cmake_policy(SET CMP0091 OLD)
 +endif()
 +
+ message(STATUS "Using CMake version ${CMAKE_VERSION}")
+
  set(CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/CMake;${CMAKE_MODULE_PATH}")
- include(Utilities)
- include(Macros)
-@@ -306,9 +311,12 @@ if(ENABLE_MANUAL)
+@@ -328,9 +334,12 @@ if(ENABLE_CURL_MANUAL OR BUILD_LIBCURL_DOCS)
  endif()
- 
+
  if(CURL_STATIC_CRT)
 -  set(CMAKE_MSVC_RUNTIME_LIBRARY "MultiThreaded$<$<CONFIG:Debug>:Debug>")
 -  set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS_RELEASE} /MT")
@@ -69,5 +70,5 @@ index ed60f07bc..0d2088cb9 100644
 +    endif()
 +  endforeach()
  endif()
- 
+
  # Disable warnings on Borland to avoid changing 3rd party code.
diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl
@@ -1150,8 +1150,8 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "curl",
         project_desc = "Library for transferring data with URLs",
         project_url = "https://curl.haxx.se",
-        version = "8.4.0",
-        sha256 = "816e41809c043ff285e8c0f06a75a1fa250211bbfb2dc0a037eeef39f1a9e427",
+        version = "8.9.1",
+        sha256 = "291124a007ee5111997825940b3876b3048f7d31e73e9caa681b80fe48b2dcd5",
         strip_prefix = "curl-{version}",
         urls = ["https://github.com/curl/curl/releases/download/curl-{underscore_version}/curl-{version}.tar.gz"],
         use_category = ["dataplane_ext", "observability_ext"],
@@ -1161,7 +1161,7 @@ REPOSITORY_LOCATIONS_SPEC = dict(
             "envoy.grpc_credentials.aws_iam",
             "envoy.tracers.opencensus",
         ],
-        release_date = "2023-10-11",
+        release_date = "2024-07-31",
         cpe = "cpe:2.3:a:haxx:libcurl:*",
         license = "curl",
         license_url = "https://github.com/curl/curl/blob/curl-{underscore_version}/COPYING",