From 21db980e6f6bb129fd973cb247702e6d1ecdf279 Mon Sep 17 00:00:00 2001
From: Morgan Jones
Date: Wed, 28 May 2025 00:26:24 -0700
Subject: [PATCH] curl: patch CVE-2025-4947 and CVE-2025-5025 for WolfSSL backend

- https://curl.se/docs/CVE-2025-4947.html
- https://www.openwall.com/lists/oss-security/2025/05/28/4
- https://curl.se/docs/CVE-2025-5025.html
- https://www.openwall.com/lists/oss-security/2025/05/28/5
Co-authored-by: Sefa Eyeoglu
---
 pkgs/by-name/cu/curlMinimal/package.nix | 28 +++++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)

diff --git a/pkgs/by-name/cu/curlMinimal/package.nix b/pkgs/by-name/cu/curlMinimal/package.nix
index 9f3b02d2fc59..ec012ab2bb37 100644
--- a/pkgs/by-name/cu/curlMinimal/package.nix
+++ b/pkgs/by-name/cu/curlMinimal/package.nix
@@ -103,10 +103,30 @@ stdenv.mkDerivation (finalAttrs: {
 hash = "sha256-Sgk5eaPC0C3i+8AFSaMncQB/LngDLG+qXs0vep4VICU=";
 };
 
- patches = [
- # Backport of https://github.com/curl/curl/commit/5fbd78eb2dc4afbd8884e8eed27147fc3d4318f6
- ./0001-http2-fix-stream-window-size-after-unpausing.patch
- ];
+ patches =
+ [
+ # Backport of https://github.com/curl/curl/commit/5fbd78eb2dc4afbd8884e8eed27147fc3d4318f6
+ ./0001-http2-fix-stream-window-size-after-unpausing.patch
+ ]
+ ++ lib.optionals wolfsslSupport [
+ (fetchpatch {
+ # https://curl.se/docs/CVE-2025-4947.html backported to 8.13. Remove when version is bumped to 8.14.
+ # Note that this works since fetchpatch uses curl, but does not use WolfSSL.
+ name = "curl-CVE-2025-4947.patch";
+ url = "https://github.com/curl/curl/commit/a85f1df4803bbd272905c9e7125.diff";
+ hash = "sha256-z4IYAkg/RylTs1m8tbwI2tVqTCHkIpmkzdFBcRBJmH4=";
+
+ # All the test patches fail to apply (seemingly, they were added for 8.14)
+ includes = [ "lib/vquic/vquic-tls.c" ];
+ })
+ (fetchpatch {
+ # https://curl.se/docs/CVE-2025-5025.html backported to 8.13. Remove when version is bumped to 8.14.
+ # Note that this works since fetchpatch uses curl, but does not use WolfSSL.
+ name = "curl-CVE-2025-5025.patch";
+ url = "https://github.com/curl/curl/commit/e1f65937a96a451292e92313396.diff";
+ hash = "sha256-9k05eDGUA7XT+H4p8H8v0lYXC4cW7W2uvO+z4gLapX4=";
+ })
+ ];
 
 # this could be accomplished by updateAutotoolsGnuConfigScriptsHook, but that causes infinite recursion
 # necessary for FreeBSD code path in configure
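Review bot: Both `url` values in the added `fetchpatch` entries identify the upstream commits by an abbreviated id (27 hex characters as shown, `a85f1df4803bbd272905c9e7125` and `e1f65937a96a451292e92313396`); integrity is still pinned by `hash`, but a full 40-character commit id makes the reference unambiguous, and the nixpkgs convention of appending `?full_index=1` to GitHub commit diff URLs keeps the fetched output stable so the hash does not silently stop matching later. The first entry narrows the diff to `lib/vquic/vquic-tls.c` because the upstream test changes do not apply to 8.13, while the CVE-2025-5025 entry takes the whole diff; if that upstream commit also carries test files, giving it the same `includes` (or an explicit `excludes`) would make the two backports fail in the same, visible way rather than depending on what GitHub emits. Since both patches are gated on `wolfsslSupport` and touch only the QUIC/TLS glue, a one-line comment such as `# Only the wolfSSL (QUIC) backend is affected; other TLS backends need no change.` next to `lib.optionals wolfsslSupport` would record why the non-wolfSSL build is intentionally left unpatched. The enclosing `stdenv.mkDerivation` attribute set begins before this hunk.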