Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Vuln for dependency] Please release new .whl files by using newest curl #6900

Open
3 tasks done
F0otman opened this issue Jul 29, 2024 · 2 comments · May be fixed by #7021
Open
3 tasks done

[Vuln for dependency] Please release new .whl files by using newest curl #6900

F0otman opened this issue Jul 29, 2024 · 2 comments · May be fixed by #7021

Comments

@F0otman
Copy link

F0otman commented Jul 29, 2024

Checklist

My Question

The release files are using curl 7.X, but these softwares have many vulnerabilities
(See https://curl.se/docs/vulnerabilities.html)

Could u release new .whl files for cp11 & cp10 by using curl 8.9.0 ( it's also kind to update a new tag)? Our customers claimed me the Open3D contains the vluns by dependenying old version of curl

@timohl
Copy link
Contributor

timohl commented Jul 29, 2024

Here are the spots that have to change if anybody wants to upgrade:

This is for building from source:

if(BUILD_CURL_FROM_SOURCE)
ExternalProject_Add(
ext_curl
PREFIX curl
URL https://github.com/curl/curl/releases/download/curl-7_88_0/curl-7.88.0.tar.xz
URL_HASH SHA256=fd17432cf28714a4cf39d89e26b8ace0d8901199fe5d01d75eb0ae3bbfcc731f

This also requires prebuilt curl to be uploaded in https://github.com/isl-org/open3d_downloads:

else()
# Optimize for Ubuntu x86. Curl can take a long time to configure.
#
# To generate pre-compiled curl:
# 1. Use Ubuntu 18.04 (eg. in docker), not 20.04+.
# 2. -DBUILD_CURL_FROM_SOURCE=ON, build Open3D: make ext_curl
# 3. cd build/curl
# 4. tar -czvf curl_7.88.0_linux_x86_64.tar.gz include lib
ExternalProject_Add(
ext_curl
PREFIX curl
URL https://github.com/isl-org/open3d_downloads/releases/download/boringssl-bin/curl_7.88.0_linux_x86_64.tar.bz2
URL_HASH SHA256=745f33ad65c550e1885a5341945a8a952123565cfb83b477433f3784857ec0ea

Also the readme gotta change (which already seems out of date):

Open3D/3rdparty/README.md

Lines 119 to 123 in f02e7d2

--------------------------------------------------------------------------------
curl 7.79.1 Curl license
Curl is a command-line tool for transferring data specified with URL syntax.
https://github.com/curl/curl
--------------------------------------------------------------------------------

Sorry, I currently have no time to test building with latest curl and I am not sure how to upload anython to https://github.com/isl-org/open3d_download, but I hope that helps if you would like to create a pull request yourself.

@ssheorey
Copy link
Member

Thanks @timohl for looking into this. I think this should be a quick / short PR. To upload to open3d_download, just upload the binary somewhere and make sure to add its SHA256 sum to the Open3D PR. Small files can be pllaced directly in the PR with a note and I'll move it to open3d_download, as long as the sha256sum matches.

Labelling as "good first issue" for someone to pick this up.

@ssheorey ssheorey added this to the v0.19 milestone Jul 30, 2024
@ssheorey ssheorey moved this to Backlog in Open3D 2024 Aug 13, 2024
@Kim-jy0819 Kim-jy0819 linked a pull request Oct 22, 2024 that will close this issue
9 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
Status: Backlog
Development

Successfully merging a pull request may close this issue.

3 participants