From e900177a83b67fd52fd53e16308c1eace562ec44 Mon Sep 17 00:00:00 2001
From: Bradley Dice
Date: Tue, 10 Dec 2024 11:38:11 -0600
Subject: [PATCH] Use curl >=8.5.0 to align with conda-forge and avoid CVEs. (#574)
This PR uses `libcurl` 8.5.0 at build time, and should permit `>=8.5.0,<9.0a0` at runtime. This is needed to align with conda-forge which uses `libcurl` 8, and also gets a new enough minor version to avoid some known CVEs.
---------
Co-authored-by: jakirkham
---
 conda/environments/all_cuda-118_arch-aarch64.yaml | 2 +-
 conda/environments/all_cuda-118_arch-x86_64.yaml | 2 +-
 conda/environments/all_cuda-125_arch-aarch64.yaml | 2 +-
 conda/environments/all_cuda-125_arch-x86_64.yaml | 2 +-
 conda/recipes/kvikio/conda_build_config.yaml | 2 +-
 conda/recipes/libkvikio/conda_build_config.yaml | 2 +-
 cpp/cmake/thirdparty/get_libcurl.cmake | 4 ++--
 dependencies.yaml | 2 +-
 8 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/conda/environments/all_cuda-118_arch-aarch64.yaml b/conda/environments/all_cuda-118_arch-aarch64.yaml
index 7fee941a1d..b94c2b8780 100644
--- a/conda/environments/all_cuda-118_arch-aarch64.yaml
+++ b/conda/environments/all_cuda-118_arch-aarch64.yaml
@@ -17,7 +17,7 @@ dependencies:
 - cython>=3.0.0
 - doxygen=1.9.1
 - gcc_linux-aarch64=11.*
-- libcurl>=7.87.0
+- libcurl>=8.5.0,<9.0a0
 - moto>=4.0.8
 - ninja
 - numcodecs !=0.12.0
diff --git a/conda/environments/all_cuda-118_arch-x86_64.yaml b/conda/environments/all_cuda-118_arch-x86_64.yaml
index b89468e062..87d6fc1025 100644
--- a/conda/environments/all_cuda-118_arch-x86_64.yaml
+++ b/conda/environments/all_cuda-118_arch-x86_64.yaml
@@ -19,7 +19,7 @@ dependencies:
 - gcc_linux-64=11.*
 - libcufile-dev=1.4.0.31
 - libcufile=1.4.0.31
-- libcurl>=7.87.0
+- libcurl>=8.5.0,<9.0a0
 - moto>=4.0.8
 - ninja
 - numcodecs !=0.12.0
diff --git a/conda/environments/all_cuda-125_arch-aarch64.yaml b/conda/environments/all_cuda-125_arch-aarch64.yaml
index e12ab092ef..1ace3210a8 100644
--- a/conda/environments/all_cuda-125_arch-aarch64.yaml
+++ b/conda/environments/all_cuda-125_arch-aarch64.yaml
@@ -18,7 +18,7 @@ dependencies:
 - doxygen=1.9.1
 - gcc_linux-aarch64=11.*
 - libcufile-dev
-- libcurl>=7.87.0
+- libcurl>=8.5.0,<9.0a0
 - moto>=4.0.8
 - ninja
 - numcodecs !=0.12.0
diff --git a/conda/environments/all_cuda-125_arch-x86_64.yaml b/conda/environments/all_cuda-125_arch-x86_64.yaml
index 131efa85d5..25b6a075de 100644
--- a/conda/environments/all_cuda-125_arch-x86_64.yaml
+++ b/conda/environments/all_cuda-125_arch-x86_64.yaml
@@ -18,7 +18,7 @@ dependencies:
 - doxygen=1.9.1
 - gcc_linux-64=11.*
 - libcufile-dev
-- libcurl>=7.87.0
+- libcurl>=8.5.0,<9.0a0
 - moto>=4.0.8
 - ninja
 - numcodecs !=0.12.0
diff --git a/conda/recipes/kvikio/conda_build_config.yaml b/conda/recipes/kvikio/conda_build_config.yaml
index 639a56f509..776c2623e5 100644
--- a/conda/recipes/kvikio/conda_build_config.yaml
+++ b/conda/recipes/kvikio/conda_build_config.yaml
@@ -30,7 +30,7 @@ cuda11_libcufile_run_version:
 - ">=1.0.0.82,<=1.4.0.31"
 libcurl_version:
- - "==7.87.0"
+ - "==8.5.0"
 nvcomp_version:
 - "=4.1.0.6"
diff --git a/conda/recipes/libkvikio/conda_build_config.yaml b/conda/recipes/libkvikio/conda_build_config.yaml
index b895b842f3..bacf9b8273 100644
--- a/conda/recipes/libkvikio/conda_build_config.yaml
+++ b/conda/recipes/libkvikio/conda_build_config.yaml
@@ -30,4 +30,4 @@ cuda11_libcufile_run_version:
 - ">=1.0.0.82,<=1.4.0.31"
 libcurl_version:
- - "==7.87.0"
+ - "==8.5.0"
diff --git a/cpp/cmake/thirdparty/get_libcurl.cmake b/cpp/cmake/thirdparty/get_libcurl.cmake
index 6b137bbde2..ab979b0cf1 100644
--- a/cpp/cmake/thirdparty/get_libcurl.cmake
+++ b/cpp/cmake/thirdparty/get_libcurl.cmake
@@ -22,13 +22,13 @@ function(find_and_configure_libcurl) endif() rapids_cpm_find( - CURL 7.87.0 + CURL 8.5.0 GLOBAL_TARGETS libcurl BUILD_EXPORT_SET kvikio-exports INSTALL_EXPORT_SET kvikio-exports CPM_ARGS GIT_REPOSITORY https://github.com/curl/curl - GIT_TAG curl-7_87_0 + GIT_TAG curl-8_5_0 OPTIONS "BUILD_CURL_EXE OFF" "BUILD_SHARED_LIBS OFF" "BUILD_TESTING OFF" "CURL_USE_LIBPSL OFF" "CURL_DISABLE_LDAP ON" "CMAKE_POSITION_INDEPENDENT_CODE ON" EXCLUDE_FROM_ALL YES # Don't install libcurl.a (only needed when building libkvikio.so) diff --git a/dependencies.yaml b/dependencies.yaml index 5c35e5192c..fdc29df8e0 100644 --- a/dependencies.yaml +++ b/dependencies.yaml @@ -114,7 +114,7 @@ dependencies: packages: - c-compiler - cxx-compiler - - libcurl>=7.87.0 # Need CURL_WRITEFUNC_ERROR + - libcurl>=8.5.0,<9.0a0 specific: - output_types: conda matrices:
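Review bot: `GIT_TAG curl-8_5_0` pins the source-build fallback to a tag name, which the upstream repository can move, so the code fetched is not fixed by this file. Pinning the release's full commit hash, e.g. `GIT_TAG <commit-sha-of-curl-8_5_0>  # curl-8_5_0`, would make the fetch reproducible and auditable. The options set `BUILD_SHARED_LIBS OFF` and the trailing comment says libcurl.a is only needed when building libkvikio.so, so this path appears to link curl statically; the version named here is then the one shipped, and later curl fixes arrive only by editing this tag, unlike the conda constraint `>=8.5.0,<9.0a0`. A comment above `rapids_cpm_find(` such as `# Statically linked: bump CURL and GIT_TAG together when curl publishes security fixes` would record that. The `rapids_cpm_find` call and the enclosing function both extend beyond the hunk.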
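Review bot: The new `- libcurl>=8.5.0,<9.0a0` line in the dependencies.yaml hunk drops the `# Need CURL_WRITEFUNC_ERROR` comment and leaves no record of why the floor is 8.5.0 or why 9 is excluded. The commit message gives the reasons (conda-forge alignment, known CVEs), but a later edit of this file will not see them and could lower the floor again. I would keep the rationale on the line, e.g. `- libcurl>=8.5.0,<9.0a0  # floor: CVE fixes + conda-forge libcurl 8; code also needs CURL_WRITEFUNC_ERROR`. The same constraint is repeated in the four `conda/environments/*.yaml` hunks, which presumably are generated from this file.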