
curl: add patches for CVE-2021-22897, CVE-2021-22898 & CVE-2021-22901 #124982

Merged: 1 commit, Jun 2, 2021

Conversation

@risicle (Contributor) commented May 30, 2021

Motivation for this change

The bump covering these CVEs, #124502, has some complications around darwin support. Patching these vulnerabilities would allow us to come up with a solution without the security monkey on our backs.

Patches for curl need to be taken in-repo, and CVE-2021-22901's additionally need some adjustment.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Added a release notes entry if the change is major or breaking
  • Fits CONTRIBUTING.md.


Verified: this commit was signed with the committer's verified signature (jrjohnson, Jon Johnson).
@risicle added the labels "1.severity: security" (Issues which raise a security issue, or PRs that fix one) and "backport staging-21.05" on May 30, 2021
@risicle mentioned this pull request on May 30, 2021
@risicle marked this pull request as ready for review on May 30, 2021 17:37
@ofborg bot added the label "10.rebuild-darwin-stdenv" (This PR causes stdenv to rebuild) on May 30, 2021
@ofborg bot requested a review from lovek323 on May 30, 2021 17:49
@r-rmcgibbo commented:

Result of nixpkgs-review pr 124982 at 742c60f run on x86_64-linux

163 packages marked as broken and skipped.
22187 packages skipped due to time constraints.
44 packages built successfully:
  • arpa2cm
  • brotli
  • cgreen
  • cmake
  • curl
  • curlMinimal
  • dehydrated
  • eigen
  • gdb
  • ghc_filesystem
  • gi-docgen
  • gtk-doc (gnome2.gtkdoc)
  • graphite2
  • ilmbase
  • json_c
  • lcms2
  • libcbor
  • libdevil-nox
  • libipt
  • libjpeg (libjpeg_turbo)
  • libmicrohttpd (libmicrohttpd_0_9_71)
  • libmng
  • libmysqlclient (libmysqlclient_3_1, mariadb-connector-c, mariadb-connector-c_3_1)
  • libstemmer
  • libtiff
  • libwebp
  • octomap
  • openexr
  • passExtensions.pass-checkup
  • pcmsolver
  • poppler_data
  • python38Packages.PyStemmer
  • python38Packages.cython
  • python38Packages.lxml
  • python38Packages.markdown
  • python38Packages.pydocstyle
  • python38Packages.pylama
  • python38Packages.pyyaml
  • python38Packages.snowballstemmer
  • soxr
  • usrsctp
  • vulkan-headers
  • woff2
  • zeromq (zeromq4)
3 suggestions:
  • warning: missing-patch-comment
    Consider adding a comment explaining the purpose of this patch on the line preceding.
    Near pkgs/tools/networking/curl/default.nix:56:5:
       |
    56 |     ./CVE-2021-22897.patch
       |     ^
  • warning: missing-patch-comment
    Consider adding a comment explaining the purpose of this patch on the line preceding.
    Near pkgs/tools/networking/curl/default.nix:57:5:
       |
    57 |     ./CVE-2021-22898.patch
       |     ^
  • warning: missing-patch-comment
    Consider adding a comment explaining the purpose of this patch on the line preceding.
    Near pkgs/tools/networking/curl/default.nix:58:5:
       |
    58 |     ./CVE-2021-22901.patch
       |     ^

@SuperSandro2000 (Member) commented:

Did we consider leaving an older version of curl just for darwin?

@risicle (Contributor, Author) commented Jun 1, 2021

I think we'd have to be in a considerably deeper hole before we considered something like that. We'd be committing to backporting security fixes for a longer term and the version split would be ... weird.

@github-actions bot commented Jun 2, 2021

Successfully created backport PR #125309 for staging-21.05.
