[20.03] curl: update CVE patch hashes for extra digits added to index line

[twhitehead]

Motivation for this change

The fetched CVE patches for curl changed so the hashes no longer agree.

Things done

I diffed the old and new versions. It seems github just added extra digits to the index lines. For example

diff -U2 /nix/store/4psjdyqqf4wb4cv8ijds35cpqnmyjd5p-CVE-2020-8169.patch /nix/store/rsx49gzgb1fgylyh8cggnd92nx0hl9gw-CVE-2020-8169.patch

--- /nix/store/4psjdyqqf4wb4cv8ijds35cpqnmyjd5p-CVE-2020-8169.patch	1969-12-31 19:00:01.000000000 -0500
+++ /nix/store/rsx49gzgb1fgylyh8cggnd92nx0hl9gw-CVE-2020-8169.patch	1969-12-31 19:00:01.000000000 -0500
@@ -17,5 +17,5 @@
 
 diff --git a/lib/url.c b/lib/url.c
-index f250f2ff20a..9b8b2bdde64 100644
+index f250f2ff20a3..9b8b2bdde640 100644
 --- a/lib/url.c
 +++ b/lib/url.c
@@ -38,5 +38,5 @@
    }
 diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
-index 004a90b2360..bb6bf0f2fd0 100644
+index 004a90b23608..bb6bf0f2fd06 100644
 --- a/tests/data/Makefile.inc
 +++ b/tests/data/Makefile.inc
@@ -51,5 +51,5 @@
 diff --git a/tests/data/test1168 b/tests/data/test1168
 new file mode 100644
-index 00000000000..283e91e0197
+index 000000000000..283e91e01974
 --- /dev/null
 +++ b/tests/data/test1168

so I just updated the hashes to match the new versions.

If this causes some sort of mass rebuild, perhaps a better solution would be to just add the old ones directly to nixpkgs to avoid having to changes any hashes. If you would prefer that, let me know and I will change it.

• Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
• Built on platform(s)
  • NixOS
  • macOS
  • other Linux distributions
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Determined the impact on package closure size (by running nix path-info -S before and after)
• Ensured that relevant documentation is up to date
• Fits CONTRIBUTING.md.

[twhitehead]

Actually, I see the newer versions of the curl file have a big comment right at the top that says

Note: this package is used for bootstrapping fetchurl, and thus cannot use fetchpatch! All mutable patches (generated by GitHub or cgit) that are needed here should be included directly in Nixpkgs as files.

so I'll update this pull request to directly include the patches instead.

[twhitehead]

Ok. I've updated the pull request to actually include the patch. Unfortunately it seems this still results in a rebuild of curl as, at least, the ultimate store path for a file is different if you fetch it vs you directly reference it as a file path.

CCing @edolstra as this last bit seems a bit strange. I would have thought including a patch vs fetching it should not cause a rebuild as both would be the same fixed output. Fetching it vs referencing it ultimately gives two different paths, respectively

/nix/store/4psjdyqqf4wb4cv8ijds35cpqnmyjd5p-CVE-2020-8169.patch
/nix/store/f1wi4gqnkjxf0sfnc8k4fvgwrc4yir6g-CVE-2020-8169.patch

that are yet clearly the same file

diff -U2 \
  /nix/store/4psjdyqqf4wb4cv8ijds35cpqnmyjd5p-CVE-2020-8169.patch \
  /nix/store/f1wi4gqnkjxf0sfnc8k4fvgwrc4yir6g-CVE-2020-8169.patch \
&& echo the same

the same

[doronbehar]

The commit message should change.

[twhitehead]

The commit message should change.

New commit message is curl: fix hash mismatch issue by directly include CVE patches.

[erictapen]

Verified that the checked in patches are those behind the URLs. Thanks!

[erictapen]

I just noticed this was for 20.03, not 20.09. I'm not sure the staging branch for 20.03 is still merged into release-20.03 regularly?

[twhitehead]

Sorry. Sounds like I should have put in the request against release-20.03.

I can do a new pull request against release-20.03 if you want?

[erictapen]

Nah, I just merged it into release-20.03: 1eea371

Just to make sure: You are aware that NixOS 20.03 is end of life for about five months now? So no guarantees about security fixes being backported.

[twhitehead]

no guarantees about security fixes being backported.

Got it. Thanks! 👍