curl: apply upstream security patches

Fixes #70085.

pkgs/tools/networking/curl/cve-2019-5481.diff

@@ -0,0 +1,26 @@
+https://github.com/curl/curl/commit/9069838b3
+--- a/lib/security.c
++++ b/lib/security.c
+@@ -191,7 +191,6 @@ static CURLcode read_data(struct connectdata *conn,
+                           struct krb5buffer *buf)
+ {
+   int len;
+-  void *tmp = NULL;
+   CURLcode result;
+ 
+   result = socket_read(fd, &len, sizeof(len));
+@@ -201,12 +200,11 @@ static CURLcode read_data(struct connectdata *conn,
+   if(len) {
+     /* only realloc if there was a length */
+     len = ntohl(len);
+-    tmp = Curl_saferealloc(buf->data, len);
++    buf->data = Curl_saferealloc(buf->data, len);
+   }
+-  if(tmp == NULL)
++  if(!len || !buf->data)
+     return CURLE_OUT_OF_MEMORY;
+ 
+-  buf->data = tmp;
+   result = socket_read(fd, buf->data, len);
+   if(result)
+     return result;

pkgs/tools/networking/curl/cve-2019-5482.diff

@@ -0,0 +1,43 @@
+https://github.com/curl/curl/commit/facb0e46624
+--- a/lib/tftp.c
++++ b/lib/tftp.c
+@@ -985,6 +985,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
+ {
+   tftp_state_data_t *state;
+   int blksize;
++  int need_blksize;
+ 
+   blksize = TFTP_BLKSIZE_DEFAULT;
+ 
+@@ -999,15 +1000,20 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
+       return CURLE_TFTP_ILLEGAL;
+   }
+ 
++  need_blksize = blksize;
++  /* default size is the fallback when no OACK is received */
++  if(need_blksize < TFTP_BLKSIZE_DEFAULT)
++    need_blksize = TFTP_BLKSIZE_DEFAULT;
++
+   if(!state->rpacket.data) {
+-    state->rpacket.data = calloc(1, blksize + 2 + 2);
++    state->rpacket.data = calloc(1, need_blksize + 2 + 2);
+ 
+     if(!state->rpacket.data)
+       return CURLE_OUT_OF_MEMORY;
+   }
+ 
+   if(!state->spacket.data) {
+-    state->spacket.data = calloc(1, blksize + 2 + 2);
++    state->spacket.data = calloc(1, need_blksize + 2 + 2);
+ 
+     if(!state->spacket.data)
+       return CURLE_OUT_OF_MEMORY;
+@@ -1021,7 +1027,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
+   state->sockfd = state->conn->sock[FIRSTSOCKET];
+   state->state = TFTP_STATE_START;
+   state->error = TFTP_ERR_NONE;
+-  state->blksize = blksize;
++  state->blksize = TFTP_BLKSIZE_DEFAULT; /* Unless updated by OACK response */
+   state->requested_blksize = blksize;
+ 
+   ((struct sockaddr *)&state->local_addr)->sa_family =

pkgs/tools/networking/curl/default.nix

@@ -34,6 +34,12 @@ stdenv.mkDerivation rec {
     sha256 = "02g5zj4rq5sr15jzjqk70xk4k92i2pdmpq00xb4pnba8ps1mx18a";
   };
 
+  patches = [
+    # fetchpatch is way to hard due to bootstapping, and fetchurl from github isn't stable
+    ./cve-2019-5481.diff
+    ./cve-2019-5482.diff
+  ];
+
   outputs = [ "bin" "dev" "out" "man" "devdoc" ];
   separateDebugInfo = stdenv.isLinux;