From: "Lewis G Rosenthal" <gnuports@2rosenthals.com>
Received: from [192.168.100.201] (account lgrosenthal@2rosenthals.com HELO [192.168.100.22])
  by 2rosenthals.com (CommuniGate Pro SMTP 5.4.10)
  with ESMTPSA id 11710012 for gnuports@2rosenthals.com; Fri, 03 Jan 2025 17:17:26 -0500
Subject: Re: [GNU Ports] cURL vulnerabilities
To: GNU Ports for eCS Mailing List <gnuports@2rosenthals.com>
References: <list-11700411@2rosenthals.com>
 <3adea6bc-e344-47bd-8970-3a6bcbc6f9a0@smedley.id.au>
 <list-11700553@2rosenthals.com> <list-11700589@2rosenthals.com>
 <list-11700591@2rosenthals.com> <list-11700620@2rosenthals.com>
 <list-11700629@2rosenthals.com>
Organization: Rosenthal & Rosenthal, LLC
Message-ID: <677861F4.5090801@2rosenthals.com>
Date: Fri, 3 Jan 2025 17:17:24 -0500
User-Agent: Mozilla/5.0 (OS/2; Warp 4.5; rv:38.0) Gecko/20100101 Firefox/38.0
 SeaMonkey/2.35
MIME-Version: 1.0
In-Reply-To: <list-11700629@2rosenthals.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

Aha!

On 01/03/25 04:16 pm, Paul Smedley wrote:
> Hey Lewis,
>
> On 4/1/25 07:37, Lewis G Rosenthal wrote:
>> On 01/03/25 03:49 pm, Paul Smedley wrote:
>>> Hey again,
>>>
>>> On 4/1/25 07:17, Lewis G Rosenthal wrote:
>>>> Hi...
>>>>
>>>> On 01/03/25 03:21 pm, Paul Smedley wrote:
>>>>> Hi Again,
>>>>>
>>>>> On 4/1/25 06:38, Paul Smedley wrote:
>>>>>> Hey Lewis,
>>>>>>
>>>>>> On 4/1/25 04:24, Lewis G Rosenthal wrote:
>>>>>>> Trying to build 8.11.1 (latest), I didn't get very far (nothing 
>>>>>>> useful). Before I dive into it, I was just wondering if anyone else 
>>>>>>> had had any greater success. 7.75.0 seems quite outdated for 
>>>>>>> something with security implications.
>>>>>>>
>>>>>> I got configure to run, let's see if I get a curl.exe
>>>>>>
>>>>> Untested.... https://smedley.id.au/tmp/curl-8.11.1-os2-20250104.zip
>>>>>
>>>>
>>>> :-D
>>>>
>>>> Somehow, every time I ask a question here, someone actually does the 
>>>> work for me. The upside is I get what I want, but the downside is that 
>>>> my own skills don't get any better. LOL
>>>>
>>>> Thanks, Paul. I'll give this a whirl right now and see what we get.
>>>>
>>> If you prefer... https://smedley.id.au/curl-8.11.1-os2-20250104b.zip has 
>>> a curl4.dll rather than being statically linked, so should be able to be 
>>> used with other apps.
>>>
>>
>> Hmmm... Neither package seems to have an exe, however.
>
> <sigh> there was definitely an exe when I built it, make install just 
> decided not to copy it over I guess.
>
> https://smedley.id.au/curl-8.11.1-os2-20250104b.zip is refreshed now.
>

;-)

>>
>>> What issues were you having building it?
>>>
>>
>> Perhaps the setup is not what I'm getting. Seeing configure.ac in the 
>> root of the source tree, I ran autoconf, first. This got me:
>>
>> # autoconf
>> configure.ac:24: error: possibly undefined macro: dnl
>>       If this token and others are legitimate, please use m4_pattern_allow.
>>       See the Autoconf documentation.
>> configure.ac:43: error: possibly undefined macro: AM_MAINTAINER_MODE
>> configure.ac:47: error: possibly undefined macro: AM_CONDITIONAL
>> configure.ac:73: error: possibly undefined macro: AC_MSG_ERROR
>> configure.ac:97: error: possibly undefined macro: AC_MSG_RESULT
>> configure.ac:617: error: possibly undefined macro: AM_COND_IF
>> configure.ac:677: error: possibly undefined macro: AC_DEFINE
>>
>> Not taking the time to research any of that, I forged ahead, now that I 
>> had a configure script, I forged ahead, without any options:
>>
>> # ./configure
>> ./configure: 2743: ./configure: XC_OVR_ZZ50: not found
>> ./configure: 2744: ./configure: XC_OVR_ZZ60: not found
>> ./configure: 2745: ./configure: CURL_OVERRIDE_AUTOCONF: not found
>> ./configure: 2753: ./configure: AM_MAINTAINER_MODE: not found
>> ./configure: 2756: ./configure: CURL_CHECK_OPTION_DEBUG: not found
>> ./configure: 2757: ./configure: Syntax error: word unexpected (expecting 
>> ")")
>>
>> At that point, I figured I'd ask if there was a newer build available. :-)
>>
>> I guess I could disable some stuff to get this working. I just haven't 
>> taken the time to look any further (yet).
>>
> My first build was with stock configure from the tar.xz
>
> I then re-ran autotools... (man I have autotools)
>
> aclocal
>
> autoheader
>
> automake
>
> libtoolize --force
>
> autoconf
>
> and re-ran configure to get the DLL.
>

Clearly, I need to do some reading. I use autotools once in a blue moon (and 
that's probably more frequently than I really do). Where is it written that 
these are the tools to use in this order?

I had to run:

automake --add-missing

Then, I had to specify a TLS backend:

./configure --with-openssl

and:

yum install libpsl-devel (oops)

Ended up with:

config.status: error: cannot find input file: `Makefile.in'

and config.log ends with:

configure: exit 1

:-(

Now to go through the log and figure out what really ran off the rails.

Meanwhile, I'll give your exe a spin.

Thanks!

-- 
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS, EA
Rosenthal & Rosenthal, LLC                www.2rosenthals.com
visit my IT blog                www.2rosenthals.net/wordpress
-------------------------------------------------------------