Consider minimizing curl #183

Closed
bgilbert opened this issue May 17, 2019 · 7 comments

Comments

@bgilbert
Contributor

curl and libcurl are a significant source of CVEs. Since the beginning of 2018, there have been 15. Six of those have been in the core, or in relevant functionality like HTTP and FTP. The rest have been in code to support NTLM, POP3, IMAP, SMTP, RTSP, or LDAP.

To reduce our attack surface, consider shipping an alternate build of curl that disables all protocols except HTTP(S), FTP, and maybe TFTP.

-minimal builds

curl.spec includes curl-minimal and libcurl-minimal packages, but they don't seem to be quite what we want.

Full builds:

curl 7.64.0 (x86_64-redhat-linux-gnu) libcurl/7.64.0 OpenSSL/1.1.1b zlib/1.2.11 brotli/1.0.7 libidn2/2.1.1 libpsl/0.20.2 (+libidn2/2.0.5) libssh/0.8.7/openssl/zlib nghttp2/1.38.0
Release-Date: 2019-02-06
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz brotli TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL Metalink 

-minimal builds:

curl 7.64.0 (x86_64-redhat-linux-gnu) libcurl/7.64.0 OpenSSL/1.1.1b zlib/1.2.110
Release-Date: 2019-02-06
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb  
Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL lib 

If we shipped the -minimal builds, we'd lose IDN, HTTP2, TFTP, and libz, but still retain NTLM, IMAP, POP, dict, and Gopher.

@dustymabe
Member

dustymabe commented Apr 29, 2022

Note that in rawhide right now (37.20220428.91.0) the library is now the minimal version:

$ rpm -qa | grep curl 
libcurl-minimal-7.83.0-1.fc37.x86_64
curl-7.83.0-1.fc37.x86_64

The two deps on curl are:

$ rpm -e curl                                              
error: Failed dependencies:                                                                                                                                  
        curl is needed by (installed) rpm-4.18.0-0.alpha1.5.fc37.x86_64
        curl is needed by (installed) clevis-18-6.fc36.x86_64

and I can replace it with the minimal version:

sudo rpm-ostree override remove curl --install curl-minimal
...
Removed:
  curl-7.83.0-1.fc37.x86_64
Added:
  curl-minimal-7.83.0-1.fc37.x86_64

so theoretically we should just be able to update the manifests to specify curl-minimal.

@dustymabe
Member

[core@cosa-devsh ~]$ rpm -q curl-minimal
curl-minimal-7.83.0-1.fc37.x86_64

[core@cosa-devsh ~]$ curl --version
curl 7.83.0 (x86_64-redhat-linux-gnu) libcurl/7.83.0 OpenSSL/3.0.2 zlib/1.2.11 libidn2/2.3.2 nghttp2/1.47.0
Release-Date: 2022-04-27
Protocols: file ftp ftps http https 
Features: alt-svc AsynchDNS GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz SPNEGO SSL UnixSockets

@jlebon
Member

jlebon commented Apr 29, 2022

The first comment mentions we'd lose TFTP support, but we now officially support TFTP rootfs URLs: coreos/fedora-coreos-config#1526. Wouldn't we regress on that if we switched?

@dustymabe
Member

In that case there's nothing we can do and we should close this out?

That being said, I wonder if we can or should make it more explicit that we require curl now. i.e. if those RPMs had switched to requiring curl-minimal we would have lost this functionality.

I wish we could iterate over our scripts and autogenerate rpm requires and make sure those deps are satisfied.
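An added check, not code from the issue or the Fedora CoreOS project, that audits the Protocols line of a `curl --version` dump against the protocol set proposed in the first comment and the TFTP requirement raised above. The allowlist and required set are assumptions, and the version dumps are constructed from the output quoted in this thread.

```shell
#!/bin/sh
# Added example (not the issue's or project's code). ALLOWED is the set the
# first comment proposes (HTTP(S), FTP(S), TFTP, plus file); REQUIRED is what
# rootfs fetching needs, tftp included. Both are assumptions, not FCOS policy.
ALLOWED="file ftp ftps http https tftp"
REQUIRED="http https tftp"

# Extract the space-separated protocol list from a `curl --version` dump ($1).
curl_protocols() {
  printf '%s\n' "$1" | sed -n 's/^Protocols:[[:space:]]*//p' \
    | tr -s ' ' | sed 's/[[:space:]]*$//'
}

# Enabled protocols outside ALLOWED: attack surface the build could drop.
# One per line; prints nothing when the build is already minimal.
extra_protocols() {
  for p in $(curl_protocols "$1"); do
    case " $ALLOWED " in *" $p "*) ;; *) printf '%s\n' "$p" ;; esac
  done
}

# REQUIRED protocols absent from the build: switching to it would regress
# functionality (the TFTP rootfs URL case). One per line.
missing_protocols() {
  have=" $(curl_protocols "$1") "
  for p in $REQUIRED; do
    case "$have" in *" $p "*) ;; *) printf '%s\n' "$p" ;; esac
  done
}

# Exit status 0 only if the build has no extras and nothing required missing.
audit_curl() {
  [ -z "$(extra_protocols "$1")" ] && [ -z "$(missing_protocols "$1")" ]
}

# Constructed samples, trimmed from the dumps quoted in this thread.
FULL_7_64='curl 7.64.0 (x86_64-redhat-linux-gnu) libcurl/7.64.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6'
MINIMAL_7_83='curl 7.83.0 (x86_64-redhat-linux-gnu) libcurl/7.83.0
Protocols: file ftp ftps http https
Features: alt-svc AsynchDNS HTTP2'
# Hypothetical custom subpackage with exactly the wanted set (trailing space kept).
CUSTOM='curl 7.83.0 (x86_64-redhat-linux-gnu) libcurl/7.83.0
Protocols: file ftp ftps http https tftp '
```

Run it against the real output with `audit_curl "$(curl --version)"` to get a pass/fail exit status suitable for a CI check.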

@jlebon
Member

jlebon commented Apr 29, 2022

I think it makes sense indeed to explicitly list curl in the manifest now.

@dustymabe
Member

coreos/fedora-coreos-config#1707

Once that merges I'd say we can close this as I doubt we're going to drop tftp support.

@bgilbert
Contributor Author

bgilbert commented May 3, 2022

Good catch @jlebon. That brings us back to where we were, which is that we'd need to make a custom subpackage. Sadly I don't think we're likely to do that, so closing.

@bgilbert bgilbert closed this as completed May 3, 2022