todbot / blink1-tool

Command-line tools and C library for blink(1) USB RGB LED
https://blink1.thingm.com/

`make package-all` downloads an insecure version of curl #18

Closed duncan-bayne closed 3 years ago

duncan-bayne commented 5 years ago

See:

https://www.cvedetails.com/vulnerability-list/vendor_id-12682/product_id-25084/version_id-175642/Haxx-Curl-7.37.1.html

For what it's worth, it seems odd that the build process for blink1-tool is downloading and installing curl, especially given that I already have curl and libcurl installed.

todbot commented 5 years ago

yeah it's a real problem on non-Linux OSes (and even some Linux OSes) to depend on libcurl being installed. The current solution is very hacky but works for the very limited case of using blink1control-tool to access http:// URLs for controlling Blink1Control2 app, which currently exposes only http and not https.
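The issue above is a supply-chain one: a build step that fetches and vendors its own copy of a library has to make sure the copy is both the intended artifact and a version without known vulnerabilities. As an added example, not code from blink1-tool or from either participant, the POSIX shell helpers below show the two checks such a step would want before unpacking a downloaded tarball: a pinned SHA-256 comparison and a minimum-version floor. The tarball name, the minimum version and the pinned hash used in the demo function are constructed placeholders; a maintainer would record the real pinned hash in the repository alongside the download URL.

```shell
#!/bin/sh
# Added example (hypothetical, not blink1-tool's build code): guards for a
# build step that downloads a third-party tarball such as curl.

# version_ge A B: succeed when dotted numeric version A >= B (e.g. 7.88.1 >= 7.37.1).
# Pure shell so it does not depend on GNU `sort -V`.
version_ge() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}              # leading component of A
        bi=${b%%.*}              # leading component of B
        if [ "$a" = "$ai" ]; then a=''; else a=${a#*.}; fi
        if [ "$b" = "$bi" ]; then b=''; else b=${b#*.}; fi
        ai=${ai:-0}              # missing components compare as 0 (7.88 == 7.88.0)
        bi=${bi:-0}
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0                     # all components equal
}

# tarball_version PATH: print the version embedded in a name like curl-7.37.1.tar.gz
tarball_version() {
    v=${1##*/}                   # drop directories
    v=${v#curl-}                 # drop the project prefix
    v=${v%.tar.*}                # drop .tar.gz / .tar.bz2 / .tar.xz
    printf '%s\n' "$v"
}

# sha256_matches FILE HEX: succeed when FILE hashes to the pinned SHA-256 HEX.
sha256_matches() {
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$1" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$1" | cut -d' ' -f1)   # macOS / BSD fallback
    fi
    [ "$actual" = "$2" ]
}

# check_vendored_tarball FILE MIN_VERSION PINNED_SHA256:
# refuse the tarball unless it is both the pinned artifact and at/above the floor.
# Hash first: a tampered file with a "new" version string must not pass.
check_vendored_tarball() {
    file=$1
    min=$2
    pinned=$3
    if ! sha256_matches "$file" "$pinned"; then
        echo "refusing $file: SHA-256 does not match pinned value" >&2
        return 1
    fi
    ver=$(tarball_version "$file")
    if ! version_ge "$ver" "$min"; then
        echo "refusing $file: version $ver is below minimum $min" >&2
        return 1
    fi
    echo "ok: $file ($ver) verified" >&2
    return 0
}
```

In a Makefile the download target would call `check_vendored_tarball downloads/curl-X.Y.Z.tar.gz X.Y.Z <pinned-sha256>` and only then run `tar xzf`; bumping the vendored library then means changing both the version floor and the pinned hash in one commit, which is exactly the review point a reader of this issue would want.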

todbot commented 3 years ago

blink1control-tool now has latest libcurl and stores it locally.