From b79c26f4f0323580c4d221e4c9b55c6c990a72e3 Mon Sep 17 00:00:00 2001
From: Sharath Srikanth Chellappa
Date: Tue, 12 Nov 2024 17:27:59 -0800
Subject: [PATCH 1/8] Patching CVE-2022-43552 and CVE-2023-27536 - v1
---
 SPECS/cmake/CVE-2022-43552.patch | 74 ++++++++++++++++++++++++++++++++
 SPECS/cmake/CVE-2023-27536.patch | 51 ++++++++++++++++++++++
 SPECS/cmake/cmake.spec | 7 ++-
 3 files changed, 131 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/cmake/CVE-2022-43552.patch
 create mode 100644 SPECS/cmake/CVE-2023-27536.patch
diff --git a/SPECS/cmake/CVE-2022-43552.patch b/SPECS/cmake/CVE-2022-43552.patch
new file mode 100644
index 00000000000..75fb6b79957
--- /dev/null
+++ b/SPECS/cmake/CVE-2022-43552.patch
@@ -0,0 +1,74 @@ +From 6967f3bebe94e6878500dea358438e8ac95baf47 Mon Sep 17 00:00:00 2001 +From: Sharath Srikanth Chellappa +Date: Tue, 12 Nov 2024 17:05:45 -0800 +Subject: [PATCH] Patch for CVE-2022-43552 + +Upstream patch: https://github.com/curl/curl/commit/4f20188ac644afe174be6005ef4f6ffba232b8b2.patch + +--- + Utilities/cmcurl/lib/smb.c | 14 ++------------ + Utilities/cmcurl/lib/telnet.c | 3 --- + 2 files changed, 2 insertions(+), 15 deletions(-) + +diff --git a/Utilities/cmcurl/lib/smb.c b/Utilities/cmcurl/lib/smb.c +index 39facb267d..eb4ef15be0 100644 +--- a/Utilities/cmcurl/lib/smb.c ++++ b/Utilities/cmcurl/lib/smb.c +@@ -60,8 +60,6 @@ static CURLcode smb_connect(struct Curl_easy *data, bool *done); + static CURLcode smb_connection_state(struct Curl_easy *data, bool *done); + static CURLcode smb_do(struct Curl_easy *data, bool *done); + static CURLcode smb_request_state(struct Curl_easy *data, bool *done); +-static CURLcode smb_done(struct Curl_easy *data, CURLcode status, +- bool premature); + static CURLcode smb_disconnect(struct Curl_easy *data, + struct connectdata *conn, bool dead); + static int smb_getsock(struct Curl_easy *data, struct connectdata *conn, +@@ -76,7 +74,7 @@ const struct Curl_handler Curl_handler_smb = { + "SMB", /* scheme */ + smb_setup_connection, /* setup_connection */ + smb_do, /* do_it */ +- smb_done, /* done */ ++ ZERO_NULL, /* done */ + ZERO_NULL, /* do_more */ + smb_connect, /* connect_it */ + smb_connection_state, /* connecting */ +@@ -103,7 +101,7 @@ const struct Curl_handler Curl_handler_smbs = { + "SMBS", /* scheme */ + smb_setup_connection, /* setup_connection */ + smb_do, /* do_it */ +- smb_done, /* done */ ++ ZERO_NULL, /* done */ + ZERO_NULL, /* do_more */ + smb_connect, /* connect_it */ + smb_connection_state, /* connecting */ +@@ -940,14 +938,6 @@ static CURLcode smb_request_state(struct Curl_easy *data, bool *done) + return CURLE_OK; + } + +-static CURLcode smb_done(struct Curl_easy *data, CURLcode status, +- bool 
premature) +-{ +- (void) premature; +- Curl_safefree(data->req.p.smb); +- return status; +-} +- + static CURLcode smb_disconnect(struct Curl_easy *data, + struct connectdata *conn, bool dead) + { +diff --git a/Utilities/cmcurl/lib/telnet.c b/Utilities/cmcurl/lib/telnet.c +index fdd137fb0c..96c89096e5 100644 +--- a/Utilities/cmcurl/lib/telnet.c ++++ b/Utilities/cmcurl/lib/telnet.c +@@ -1243,9 +1243,6 @@ static CURLcode telnet_done(struct Curl_easy *data, + + curl_slist_free_all(tn->telnet_vars); + tn->telnet_vars = NULL; +- +- Curl_safefree(data->req.p.telnet); +- + return CURLE_OK; + } + +-- +2.45.2 diff --git a/SPECS/cmake/CVE-2023-27536.patch b/SPECS/cmake/CVE-2023-27536.patch new file mode 100644 index 00000000000..e1269413e8f --- /dev/null +++ b/SPECS/cmake/CVE-2023-27536.patch 
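Review bot: With `smb_done` removed and the `Curl_safefree(data->req.p.telnet)` line dropped from `telnet_done`, nothing in this patch frees the per-request SMB or telnet struct any more, so the fix is only complete if the generic request teardown in the bundled curl releases `data->req.p`. That teardown is not part of the hunks shown, so it should be confirmed against `Utilities/cmcurl/lib` at the packaged version; otherwise the early free is traded for a leak on every SMB and telnet transfer. A short comment beside the two `ZERO_NULL, /* done */` entries, for example `/* req.p.smb is released by the generic request cleanup */`, would record why no done handler is needed. `telnet_done` starts outside the hunk.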
@@ -0,0 +1,51 @@ +From f7da0416e4b6374fd336fdcf3b708a493a492969 Mon Sep 17 00:00:00 2001 +From: Sharath Srikanth Chellappa +Date: Tue, 12 Nov 2024 17:19:13 -0800 +Subject: [PATCH] Patch for CVE-2023-27536 + +Upstream patch: https://github.com/curl/curl/commit/cb49e67303dba.patch + +--- + Utilities/cmcurl/lib/url.c | 6 ++++++ + Utilities/cmcurl/lib/urldata.h | 1 + + 2 files changed, 7 insertions(+) + +diff --git a/Utilities/cmcurl/lib/url.c b/Utilities/cmcurl/lib/url.c +index 1ee38af0d5..4ab389af48 100644 +--- a/Utilities/cmcurl/lib/url.c ++++ b/Utilities/cmcurl/lib/url.c +@@ -1322,6 +1322,11 @@ ConnectionExists(struct Curl_easy *data, + } + } + ++ /* GSS delegation differences do not actually affect every connection ++ and auth method, but this check takes precaution before efficiency */ ++ if(needle->gssapi_delegation != check->gssapi_delegation) ++ continue; ++ + /* If multiplexing isn't enabled on the h2 connection and h1 is + explicitly requested, handle it: */ + if((needle->handler->protocol & PROTO_FAMILY_HTTP) && +@@ -1766,6 +1771,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data) + conn->fclosesocket = data->set.fclosesocket; + conn->closesocket_client = data->set.closesocket_client; + conn->lastused = Curl_now(); /* used now */ ++ conn->gssapi_delegation = data->set.gssapi_delegation; + + return conn; + error: +diff --git a/Utilities/cmcurl/lib/urldata.h b/Utilities/cmcurl/lib/urldata.h +index fb905c36c5..365b6821b1 100644 +--- a/Utilities/cmcurl/lib/urldata.h ++++ b/Utilities/cmcurl/lib/urldata.h +@@ -1120,6 +1120,7 @@ struct connectdata { + int socks5_gssapi_enctype; + #endif + unsigned short localport; ++ unsigned char gssapi_delegation; /* inherited from set.gssapi_delegation */ + }; + + /* The end of connectdata. */ +-- +2.45.2 + diff --git a/SPECS/cmake/cmake.spec b/SPECS/cmake/cmake.spec index 5a4cf0f5655..58c1ecc0ee9 100644 --- a/SPECS/cmake/cmake.spec +++ b/SPECS/cmake/cmake.spec 
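Review bot: The new `unsigned char gssapi_delegation` member of `struct connectdata` is filled by plain assignment from `data->set.gssapi_delegation` in `allocate_conn`, and the type of that source field is not visible in this patch. If the bundled curl still declares it wider than `unsigned char`, the copy narrows silently and two distinct option values could compare equal in the `ConnectionExists` check, so it is worth confirming that the setter bounds the value, or making the conversion explicit with `conn->gssapi_delegation = (unsigned char)data->set.gssapi_delegation;`. `ConnectionExists` and `allocate_conn` both start outside the hunks.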
@@ -2,7 +2,7 @@ Summary: Cmake Name: cmake Version: 3.21.4 -Release: 12%{?dist} +Release: 13%{?dist} License: BSD AND LGPLv2+ Vendor: Microsoft Corporation Distribution: Mariner @@ -23,6 +23,8 @@ Patch8: cve-2023-44487.patch Patch9: CVE-2023-28320.patch Patch10: CVE-2023-27533.patch Patch11: CVE-2023-27534.patch +Patch12: CVE-2022-43552.patch +Patch13: CVE-2023-27536.patch BuildRequires: bzip2 BuildRequires: bzip2-devel BuildRequires: curl @@ -88,6 +90,9 @@ bin/ctest --force-new-ctest-process --rerun-failed --output-on-failure %{_prefix}/doc/%{name}-*/* %changelog +* Wed Nov 12 2024 Sharath Srikanth Chellappa - 3.21.4-13 +- Patch CVE-2022-43552 and CVE-2023-27536 + * Wed Sep 18 2024 Suresh Thelkar - 3.21.4-12 - Patch CVE-2023-27533 and CVE-2023-27534 From 29967047e9684d4854ebda955867ef277c383856 Mon Sep 17 00:00:00 2001 From: Sharath Srikanth Chellappa Date: Wed, 13 Nov 2024 12:47:10 -0800 Subject: [PATCH 2/8] Updating toolkit - v1 --- toolkit/resources/manifests/package/toolchain_aarch64.txt | 4 ++-- toolkit/resources/manifests/package/toolchain_x86_64.txt | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index e5b34f4c8de..25e2e49564e 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -30,8 +30,8 @@ check-debuginfo-0.15.2-1.cm2.aarch64.rpm chkconfig-1.20-4.cm2.aarch64.rpm chkconfig-debuginfo-1.20-4.cm2.aarch64.rpm chkconfig-lang-1.20-4.cm2.aarch64.rpm -cmake-3.21.4-12.cm2.aarch64.rpm -cmake-debuginfo-3.21.4-12.cm2.aarch64.rpm +cmake-3.21.4-13.cm2.aarch64.rpm +cmake-debuginfo-3.21.4-13.cm2.aarch64.rpm coreutils-8.32-7.cm2.aarch64.rpm coreutils-debuginfo-8.32-7.cm2.aarch64.rpm coreutils-lang-8.32-7.cm2.aarch64.rpm 
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index f11542a2166..4d57a7db1ab 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -31,8 +31,8 @@ check-debuginfo-0.15.2-1.cm2.x86_64.rpm
 chkconfig-1.20-4.cm2.x86_64.rpm
 chkconfig-debuginfo-1.20-4.cm2.x86_64.rpm
 chkconfig-lang-1.20-4.cm2.x86_64.rpm
-cmake-3.21.4-12.cm2.x86_64.rpm
-cmake-debuginfo-3.21.4-12.cm2.x86_64.rpm
+cmake-3.21.4-13.cm2.x86_64.rpm
+cmake-debuginfo-3.21.4-13.cm2.x86_64.rpm
 coreutils-8.32-7.cm2.x86_64.rpm
 coreutils-debuginfo-8.32-7.cm2.x86_64.rpm
 coreutils-lang-8.32-7.cm2.x86_64.rpm
From 2ec88d1c978e17e48e61b13ef885aa36f78b3384 Mon Sep 17 00:00:00 2001
From: Sharath Srikanth Chellappa
Date: Wed, 13 Nov 2024 14:31:49 -0800
Subject: [PATCH 3/8] Patch for CVE-2023-27538 and CVE-2023-27535 - v1
---
 SPECS/cmake/cmake.spec | 9 +++++++--
 .../resources/manifests/package/toolchain_aarch64.txt | 4 ++--
 toolkit/resources/manifests/package/toolchain_x86_64.txt | 4 ++--
 3 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/SPECS/cmake/cmake.spec b/SPECS/cmake/cmake.spec
index 58c1ecc0ee9..73dec9c010f 100644
--- a/SPECS/cmake/cmake.spec
+++ b/SPECS/cmake/cmake.spec
@@ -2,7 +2,7 @@
 Summary: Cmake
 Name: cmake
 Version: 3.21.4
-Release: 13%{?dist}
+Release: 14%{?dist}
 License: BSD AND LGPLv2+
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -25,6 +25,8 @@ Patch10: CVE-2023-27533.patch
 Patch11: CVE-2023-27534.patch
 Patch12: CVE-2022-43552.patch
 Patch13: CVE-2023-27536.patch
+Patch14: CVE-2023-27538.patch
+Patch15: CVE-2023-27535.patch
 BuildRequires: bzip2
 BuildRequires: bzip2-devel
 BuildRequires: curl
@@ -90,7 +92,10 @@ bin/ctest --force-new-ctest-process --rerun-failed --output-on-failure %{_prefix}/doc/%{name}-*/* %changelog -* Wed Nov 12 2024 Sharath Srikanth Chellappa - 3.21.4-13 +* Wed Nov 13 2024 Sharath Srikanth Chellappa - 3.21.4-14 +- Patch CVE-2023-27535 and CVE-2023-27538 + +* Tue Nov 12 2024 Sharath Srikanth Chellappa - 3.21.4-13 - Patch CVE-2022-43552 and CVE-2023-27536 * Wed Sep 18 2024 Suresh Thelkar - 3.21.4-12 diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index 25e2e49564e..6bfc9435b4c 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -30,8 +30,8 @@ check-debuginfo-0.15.2-1.cm2.aarch64.rpm chkconfig-1.20-4.cm2.aarch64.rpm chkconfig-debuginfo-1.20-4.cm2.aarch64.rpm chkconfig-lang-1.20-4.cm2.aarch64.rpm -cmake-3.21.4-13.cm2.aarch64.rpm -cmake-debuginfo-3.21.4-13.cm2.aarch64.rpm +cmake-3.21.4-14.cm2.aarch64.rpm +cmake-debuginfo-3.21.4-14.cm2.aarch64.rpm coreutils-8.32-7.cm2.aarch64.rpm coreutils-debuginfo-8.32-7.cm2.aarch64.rpm coreutils-lang-8.32-7.cm2.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index 4d57a7db1ab..ecc608e90eb 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -31,8 +31,8 @@ check-debuginfo-0.15.2-1.cm2.x86_64.rpm chkconfig-1.20-4.cm2.x86_64.rpm chkconfig-debuginfo-1.20-4.cm2.x86_64.rpm chkconfig-lang-1.20-4.cm2.x86_64.rpm -cmake-3.21.4-13.cm2.x86_64.rpm -cmake-debuginfo-3.21.4-13.cm2.x86_64.rpm +cmake-3.21.4-14.cm2.x86_64.rpm +cmake-debuginfo-3.21.4-14.cm2.x86_64.rpm coreutils-8.32-7.cm2.x86_64.rpm coreutils-debuginfo-8.32-7.cm2.x86_64.rpm coreutils-lang-8.32-7.cm2.x86_64.rpm From e074bb00ba87b1a864c52cff5fc0fc47c76f5515 Mon Sep 17 00:00:00 2001 
From: Sharath Srikanth Chellappa Date: Wed, 13 Nov 2024 15:05:28 -0800 Subject: [PATCH 4/8] Patch for CVE-2023-27538 and CVE-2023-27535 - v2 --- SPECS/cmake/CVE-2023-27535.patch | 170 +++++++++++++++++++++++++++++++ SPECS/cmake/CVE-2023-27538.patch | 29 ++++++ 2 files changed, 199 insertions(+) create mode 100644 SPECS/cmake/CVE-2023-27535.patch create mode 100644 SPECS/cmake/CVE-2023-27538.patch diff --git a/SPECS/cmake/CVE-2023-27535.patch b/SPECS/cmake/CVE-2023-27535.patch new file mode 100644 index 00000000000..366dcc3e29d --- /dev/null +++ b/SPECS/cmake/CVE-2023-27535.patch 
@@ -0,0 +1,170 @@ +From f1c9ae1e195f93a5d46434b067d17a60867d0f6a Mon Sep 17 00:00:00 2001 +From: Sharath Srikanth Chellappa +Date: Wed, 13 Nov 2024 14:18:44 -0800 +Subject: [PATCH] Patch for CVE-2023-27535 + +Upstream patch: https://github.com/curl/curl/commit/8f4608468b890dc + +--- + Utilities/cmcurl/lib/ftp.c | 30 ++++++++++++++++++++++++++++-- + Utilities/cmcurl/lib/ftp.h | 5 +++++ + Utilities/cmcurl/lib/setopt.c | 1 + + Utilities/cmcurl/lib/url.c | 16 +++++++++++++++- + Utilities/cmcurl/lib/urldata.h | 4 ++-- + 5 files changed, 51 insertions(+), 5 deletions(-) + +diff --git a/Utilities/cmcurl/lib/ftp.c b/Utilities/cmcurl/lib/ftp.c +index 425b0afec6..5839296ec2 100644 +--- a/Utilities/cmcurl/lib/ftp.c ++++ b/Utilities/cmcurl/lib/ftp.c +@@ -4084,6 +4084,8 @@ static CURLcode ftp_disconnect(struct Curl_easy *data, + } + + freedirs(ftpc); ++ Curl_safefree(ftpc->account); ++ Curl_safefree(ftpc->alternative_to_user); + Curl_safefree(ftpc->prevpath); + Curl_safefree(ftpc->server_os); + Curl_pp_disconnect(pp); +@@ -4108,6 +4110,7 @@ CURLcode ftp_parse_url_path(struct Curl_easy *data) + const char *slashPos = NULL; + const char *fileName = NULL; + CURLcode result = CURLE_OK; ++ struct ftp_conn *ftpc = &conn->proto.ftpc; + char *rawPath = NULL; /* url-decoded "raw" path */ + size_t pathLen = 0; + +@@ -4344,11 +4347,32 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data, + { + char *type; + struct FTP *ftp; ++ CURLcode result = CURLE_OK; ++ struct ftp_conn *ftpc = &conn->proto.ftpc; + +- data->req.p.ftp = ftp = calloc(sizeof(struct FTP), 1); ++ ftp = calloc(sizeof(struct FTP), 1); + if(NULL == ftp) + return CURLE_OUT_OF_MEMORY; + ++ /* clone connection related data that is FTP specific */ ++ if(data->set.str[STRING_FTP_ACCOUNT]) { ++ ftpc->account = strdup(data->set.str[STRING_FTP_ACCOUNT]); ++ if(!ftpc->account) { ++ free(ftp); ++ return CURLE_OUT_OF_MEMORY; ++ } ++ } ++ if(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]) { ++ ftpc->alternative_to_user = ++ 
strdup(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]); ++ if(!ftpc->alternative_to_user) { ++ Curl_safefree(ftpc->account); ++ free(ftp); ++ return CURLE_OUT_OF_MEMORY; ++ } ++ } ++ data->req.p.ftp = ftp; ++ + ftp->path = &data->state.up.path[1]; /* don't include the initial slash */ + + /* FTP URLs support an extension like ";type=" that +@@ -4383,7 +4407,9 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data, + /* get some initial data into the ftp struct */ + ftp->transfer = PPTRANSFER_BODY; + ftp->downloadsize = 0; +- conn->proto.ftpc.known_filesize = -1; /* unknown size for now */ ++ ftpc->known_filesize = -1; /* unknown size for now */ ++ ftpc->use_ssl = data->set.use_ssl; ++ ftpc->ccc = data->set.ftp_ccc; + + return CURLE_OK; + } +diff --git a/Utilities/cmcurl/lib/ftp.h b/Utilities/cmcurl/lib/ftp.h +index 1cfdac0851..afca25b469 100644 +--- a/Utilities/cmcurl/lib/ftp.h ++++ b/Utilities/cmcurl/lib/ftp.h +@@ -115,6 +115,8 @@ struct FTP { + struct */ + struct ftp_conn { + struct pingpong pp; ++ char *account; ++ char *alternative_to_user; + char *entrypath; /* the PWD reply when we logged on */ + char *file; /* url-decoded file name (or path) */ + char **dirs; /* realloc()ed array for path components */ +@@ -144,6 +146,9 @@ struct ftp_conn { + ftpstate state; /* always use ftp.c:state() to change state! */ + ftpstate state_saved; /* transfer type saved to be reloaded after + data connection is established */ ++ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or ++ IMAP or POP3 or others! (type: curl_usessl)*/ ++ unsigned char ccc; /* ccc level for this connection */ + curl_off_t retr_size_saved; /* Size of retrieved file saved */ + char *server_os; /* The target server operating system. 
*/ + curl_off_t known_filesize; /* file size is different from -1, if wildcard +diff --git a/Utilities/cmcurl/lib/setopt.c b/Utilities/cmcurl/lib/setopt.c +index fb8b86d474..10c6872bb3 100644 +--- a/Utilities/cmcurl/lib/setopt.c ++++ b/Utilities/cmcurl/lib/setopt.c +@@ -2307,6 +2307,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + if((arg < CURLUSESSL_NONE) || (arg >= CURLUSESSL_LAST)) + return CURLE_BAD_FUNCTION_ARGUMENT; + data->set.use_ssl = (curl_usessl)arg; ++ data->set.use_ssl = (unsigned char)arg; + break; + + case CURLOPT_SSL_OPTIONS: +diff --git a/Utilities/cmcurl/lib/url.c b/Utilities/cmcurl/lib/url.c +index ca40322504..e00c56300b 100644 +--- a/Utilities/cmcurl/lib/url.c ++++ b/Utilities/cmcurl/lib/url.c +@@ -1334,10 +1334,24 @@ ConnectionExists(struct Curl_easy *data, + (data->state.httpwant < CURL_HTTP_VERSION_2_0)) + continue; + +- if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) { ++#ifdef USE_SSH ++ else if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) { + if(!ssh_config_matches(needle, check)) + continue; + } ++#endif ++#ifndef CURL_DISABLE_FTP ++ else if(get_protocol_family(needle->handler) & PROTO_FAMILY_FTP) { ++ /* Also match ACCOUNT, ALTERNATIVE-TO-USER, USE_SSL and CCC options */ ++ if(Curl_timestrcmp(needle->proto.ftpc.account, ++ check->proto.ftpc.account) || ++ Curl_timestrcmp(needle->proto.ftpc.alternative_to_user, ++ check->proto.ftpc.alternative_to_user) || ++ (needle->proto.ftpc.use_ssl != check->proto.ftpc.use_ssl) || ++ (needle->proto.ftpc.ccc != check->proto.ftpc.ccc)) ++ continue; ++ } ++#endif + + if((needle->handler->flags&PROTOPT_SSL) + #ifndef CURL_DISABLE_PROXY +diff --git a/Utilities/cmcurl/lib/urldata.h b/Utilities/cmcurl/lib/urldata.h +index 365b6821b1..ef3a58e55a 100644 +--- a/Utilities/cmcurl/lib/urldata.h ++++ b/Utilities/cmcurl/lib/urldata.h +@@ -1729,8 +1729,6 @@ struct UserDefined { + void *ssh_keyfunc_userp; /* custom pointer to callback */ + enum 
CURL_NETRC_OPTION + use_netrc; /* defined in include/curl.h */ +- curl_usessl use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or +- IMAP or POP3 or others! */ + long new_file_perms; /* Permissions to use when creating remote files */ + long new_directory_perms; /* Permissions to use when creating remote dirs */ + long ssh_auth_types; /* allowed SSH auth types */ +@@ -1773,6 +1771,8 @@ struct UserDefined { + CURLU *uh; /* URL handle for the current parsed URL */ + void *trailer_data; /* pointer to pass to trailer data callback */ + curl_trailer_callback trailer_callback; /* trailing data callback */ ++ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or ++ IMAP or POP3 or others! (type: curl_usessl)*/ + BIT(is_fread_set); /* has read callback been set to non-NULL? */ + BIT(is_fwrite_set); /* has write callback been set to non-NULL? */ + BIT(free_referer); /* set TRUE if 'referer' points to a string we +-- +2.45.2 diff --git a/SPECS/cmake/CVE-2023-27538.patch b/SPECS/cmake/CVE-2023-27538.patch new file mode 100644 index 00000000000..264a0016768 --- /dev/null +++ b/SPECS/cmake/CVE-2023-27538.patch 
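Review bot: In the `setopt.c` hunk the new line `data->set.use_ssl = (unsigned char)arg;` is added directly below the existing `data->set.use_ssl = (curl_usessl)arg;`, so the field is assigned twice and the old cast stays behind even though the `urldata.h` hunk changes the member to `unsigned char`. The intent looks like a replacement: drop the `(curl_usessl)` line and keep only `data->set.use_ssl = (unsigned char)arg;`. The same pair still appears as context in the later revision of this patch on this page. Separately, `CURLcode result = CURLE_OK;` is added to `ftp_setup_connection`, but every exit shown returns a literal code, so it may be unused unless code outside the hunk reads it.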
@@ -0,0 +1,29 @@ +From 89e90fece52aa6abbf96ac84477ea82d9c12a6ef Mon Sep 17 00:00:00 2001 +From: Sharath Srikanth Chellappa +Date: Wed, 13 Nov 2024 13:29:57 -0800 +Subject: [PATCH] Patch for CVE-2023-27538 + +Upstream Patch: https://github.com/curl/curl/commit/af369db4d3833272b8ed + +--- + Utilities/cmcurl/lib/url.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/Utilities/cmcurl/lib/url.c b/Utilities/cmcurl/lib/url.c +index 4ab389af48..ca40322504 100644 +--- a/Utilities/cmcurl/lib/url.c ++++ b/Utilities/cmcurl/lib/url.c +@@ -1334,6 +1334,11 @@ ConnectionExists(struct Curl_easy *data, + (data->state.httpwant < CURL_HTTP_VERSION_2_0)) + continue; + ++ if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) { ++ if(!ssh_config_matches(needle, check)) ++ continue; ++ } ++ + if((needle->handler->flags&PROTOPT_SSL) + #ifndef CURL_DISABLE_PROXY + || !needle->bits.httpproxy || needle->bits.tunnel_proxy +-- +2.45.2 From 5d2528b05c2a3f8965c129e4af950a756bf89ced Mon Sep 17 00:00:00 2001 From: Sharath Srikanth Chellappa Date: Thu, 14 Nov 2024 15:01:46 -0800 Subject: [PATCH 5/8] Patch for CVE-2023-27538 and CVE-2023-27535 - v3 --- SPECS/cmake/CVE-2023-27535.patch | 82 ++++++++++++++----- SPECS/cmake/cmake.spec | 9 +- .../manifests/package/toolchain_aarch64.txt | 4 +- .../manifests/package/toolchain_x86_64.txt | 4 +- 4 files changed, 67 insertions(+), 32 deletions(-) diff --git a/SPECS/cmake/CVE-2023-27535.patch b/SPECS/cmake/CVE-2023-27535.patch index 366dcc3e29d..7eecffd64af 100644 --- a/SPECS/cmake/CVE-2023-27535.patch +++ b/SPECS/cmake/CVE-2023-27535.patch 
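Review bot: The added block calls `ssh_config_matches(needle, check)` and passes `needle->handler` to `get_protocol_family`, but no hunk on this page defines either, and the call carries no SSH build guard in this patch. The `#ifdef USE_SSH` around it only arrives with CVE-2023-27535.patch, so this patch may not build on its own unless the bundled curl already provides that helper with this signature. Both should be confirmed against `Utilities/cmcurl/lib/url.c` at the packaged version, or the guard folded into this patch so that each CVE patch stands alone. `ConnectionExists` starts and ends outside the hunk.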
@@ -6,46 +6,40 @@ Subject: [PATCH] Patch for CVE-2023-27535 Upstream patch: https://github.com/curl/curl/commit/8f4608468b890dc --- - Utilities/cmcurl/lib/ftp.c | 30 ++++++++++++++++++++++++++++-- + Utilities/cmcurl/lib/ftp.c | 29 +++++++++++++++++++++++++++-- Utilities/cmcurl/lib/ftp.h | 5 +++++ Utilities/cmcurl/lib/setopt.c | 1 + + Utilities/cmcurl/lib/strcase.c | 22 ++++++++++++++++++++++ + Utilities/cmcurl/lib/strcase.h | 2 ++ Utilities/cmcurl/lib/url.c | 16 +++++++++++++++- Utilities/cmcurl/lib/urldata.h | 4 ++-- - 5 files changed, 51 insertions(+), 5 deletions(-) + 7 files changed, 74 insertions(+), 5 deletions(-) diff --git a/Utilities/cmcurl/lib/ftp.c b/Utilities/cmcurl/lib/ftp.c -index 425b0afec6..5839296ec2 100644 +index 425b0afec6..776a65f956 100644 --- a/Utilities/cmcurl/lib/ftp.c +++ b/Utilities/cmcurl/lib/ftp.c @@ -4084,6 +4084,8 @@ static CURLcode ftp_disconnect(struct Curl_easy *data, } - + freedirs(ftpc); + Curl_safefree(ftpc->account); + Curl_safefree(ftpc->alternative_to_user); Curl_safefree(ftpc->prevpath); Curl_safefree(ftpc->server_os); Curl_pp_disconnect(pp); -@@ -4108,6 +4110,7 @@ CURLcode ftp_parse_url_path(struct Curl_easy *data) - const char *slashPos = NULL; - const char *fileName = NULL; - CURLcode result = CURLE_OK; -+ struct ftp_conn *ftpc = &conn->proto.ftpc; - char *rawPath = NULL; /* url-decoded "raw" path */ - size_t pathLen = 0; - -@@ -4344,11 +4347,32 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data, +@@ -4344,11 +4346,32 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data, { char *type; struct FTP *ftp; + CURLcode result = CURLE_OK; + struct ftp_conn *ftpc = &conn->proto.ftpc; - + - data->req.p.ftp = ftp = calloc(sizeof(struct FTP), 1); + ftp = calloc(sizeof(struct FTP), 1); if(NULL == ftp) return CURLE_OUT_OF_MEMORY; - + + /* clone connection related data that is FTP specific */ + if(data->set.str[STRING_FTP_ACCOUNT]) { + ftpc->account = strdup(data->set.str[STRING_FTP_ACCOUNT]); 
@@ -66,9 +60,9 @@ index 425b0afec6..5839296ec2 100644 + data->req.p.ftp = ftp; + ftp->path = &data->state.up.path[1]; /* don't include the initial slash */ - + /* FTP URLs support an extension like ";type=" that -@@ -4383,7 +4407,9 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data, +@@ -4383,7 +4406,9 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data, /* get some initial data into the ftp struct */ ftp->transfer = PPTRANSFER_BODY; ftp->downloadsize = 0; @@ -76,7 +70,7 @@ index 425b0afec6..5839296ec2 100644 + ftpc->known_filesize = -1; /* unknown size for now */ + ftpc->use_ssl = data->set.use_ssl; + ftpc->ccc = data->set.ftp_ccc; - + return CURLE_OK; } diff --git a/Utilities/cmcurl/lib/ftp.h b/Utilities/cmcurl/lib/ftp.h 
@@ -112,8 +106,52 @@ index fb8b86d474..10c6872bb3 100644 data->set.use_ssl = (curl_usessl)arg; + data->set.use_ssl = (unsigned char)arg; break; - + case CURLOPT_SSL_OPTIONS: +diff --git a/Utilities/cmcurl/lib/strcase.c b/Utilities/cmcurl/lib/strcase.c +index 955e3c79ea..29cc539cdf 100644 +--- a/Utilities/cmcurl/lib/strcase.c ++++ b/Utilities/cmcurl/lib/strcase.c +@@ -251,6 +251,28 @@ void Curl_strntolower(char *dest, const char *src, size_t n) + } while(*src++ && --n); + } + ++/* ++ * Curl_timestrcmp() returns 0 if the two strings are identical. The time this ++ * function spends is a function of the shortest string, not of the contents. ++ */ ++int Curl_timestrcmp(const char *a, const char *b) ++{ ++ int match = 0; ++ int i = 0; ++ ++ if(a && b) { ++ while(1) { ++ match |= a[i]^b[i]; ++ if(!a[i] || !b[i]) ++ break; ++ i++; ++ } ++ } ++ else ++ return a || b; ++ return match; ++} ++ + /* --- public functions --- */ + + int curl_strequal(const char *first, const char *second) +diff --git a/Utilities/cmcurl/lib/strcase.h b/Utilities/cmcurl/lib/strcase.h +index 10dc698817..6fdb32ed08 100644 +--- a/Utilities/cmcurl/lib/strcase.h ++++ b/Utilities/cmcurl/lib/strcase.h +@@ -48,4 +48,6 @@ char Curl_raw_toupper(char in); + void Curl_strntoupper(char *dest, const char *src, size_t n); + void Curl_strntolower(char *dest, const char *src, size_t n); + ++int Curl_timestrcmp(const char *first, const char *second); ++ + #endif /* HEADER_CURL_STRCASE_H */ diff --git a/Utilities/cmcurl/lib/url.c b/Utilities/cmcurl/lib/url.c index ca40322504..e00c56300b 100644 --- a/Utilities/cmcurl/lib/url.c @@ -121,7 +159,7 @@ index ca40322504..e00c56300b 100644 @@ -1334,10 +1334,24 @@ ConnectionExists(struct Curl_easy *data, (data->state.httpwant < CURL_HTTP_VERSION_2_0)) continue; - + - if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) { +#ifdef USE_SSH + else if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) { 
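Review bot: The header comment on `Curl_timestrcmp` does not describe the NULL handling, which matters because the `url.c` caller passes `proto.ftpc.account` and `proto.ftpc.alternative_to_user`, and the `ftp.c` hunk only assigns those when the corresponding option is set. I would extend the comment with `Two NULL pointers compare equal; one NULL and one non-NULL pointer compare different.` It would also help to state that the result is only zero or non-zero and carries no ordering, since the name suggests `strcmp` semantics.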
@@ -141,7 +179,7 @@ index ca40322504..e00c56300b 100644 + continue; + } +#endif - + if((needle->handler->flags&PROTOPT_SSL) #ifndef CURL_DISABLE_PROXY diff --git a/Utilities/cmcurl/lib/urldata.h b/Utilities/cmcurl/lib/urldata.h @@ -166,5 +204,5 @@ index 365b6821b1..ef3a58e55a 100644 BIT(is_fread_set); /* has read callback been set to non-NULL? */ BIT(is_fwrite_set); /* has write callback been set to non-NULL? */ BIT(free_referer); /* set TRUE if 'referer' points to a string we --- +-- 2.45.2 diff --git a/SPECS/cmake/cmake.spec b/SPECS/cmake/cmake.spec index 73dec9c010f..fbf063d37e7 100644 --- a/SPECS/cmake/cmake.spec +++ b/SPECS/cmake/cmake.spec @@ -2,7 +2,7 @@ Summary: Cmake Name: cmake Version: 3.21.4 -Release: 14%{?dist} +Release: 13%{?dist} License: BSD AND LGPLv2+ Vendor: Microsoft Corporation Distribution: Mariner @@ -92,11 +92,8 @@ bin/ctest --force-new-ctest-process --rerun-failed --output-on-failure %{_prefix}/doc/%{name}-*/* %changelog -* Wed Nov 13 2024 Sharath Srikanth Chellappa - 3.21.4-14 -- Patch CVE-2023-27535 and CVE-2023-27538 - -* Tue Nov 12 2024 Sharath Srikanth Chellappa - 3.21.4-13 -- Patch CVE-2022-43552 and CVE-2023-27536 +* Thu Nov 14 2024 Sharath Srikanth Chellappa - 3.21.4-13 +- Patch CVE-2022-43552, CVE-2023-27536, CVE-2023-27535 and CVE-2023-27538 * Wed Sep 18 2024 Suresh Thelkar - 3.21.4-12 - Patch CVE-2023-27533 and CVE-2023-27534 diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index 6bfc9435b4c..25e2e49564e 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt 
@@ -30,8 +30,8 @@ check-debuginfo-0.15.2-1.cm2.aarch64.rpm
 chkconfig-1.20-4.cm2.aarch64.rpm
 chkconfig-debuginfo-1.20-4.cm2.aarch64.rpm
 chkconfig-lang-1.20-4.cm2.aarch64.rpm
-cmake-3.21.4-14.cm2.aarch64.rpm
-cmake-debuginfo-3.21.4-14.cm2.aarch64.rpm
+cmake-3.21.4-13.cm2.aarch64.rpm
+cmake-debuginfo-3.21.4-13.cm2.aarch64.rpm
 coreutils-8.32-7.cm2.aarch64.rpm
 coreutils-debuginfo-8.32-7.cm2.aarch64.rpm
 coreutils-lang-8.32-7.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index ecc608e90eb..4d57a7db1ab 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -31,8 +31,8 @@ check-debuginfo-0.15.2-1.cm2.x86_64.rpm
 chkconfig-1.20-4.cm2.x86_64.rpm
 chkconfig-debuginfo-1.20-4.cm2.x86_64.rpm
 chkconfig-lang-1.20-4.cm2.x86_64.rpm
-cmake-3.21.4-14.cm2.x86_64.rpm
-cmake-debuginfo-3.21.4-14.cm2.x86_64.rpm
+cmake-3.21.4-13.cm2.x86_64.rpm
+cmake-debuginfo-3.21.4-13.cm2.x86_64.rpm
 coreutils-8.32-7.cm2.x86_64.rpm
 coreutils-debuginfo-8.32-7.cm2.x86_64.rpm
 coreutils-lang-8.32-7.cm2.x86_64.rpm
From 8929bb1aaa25fc35254bd274e1d49aba5cfa2a65 Mon Sep 17 00:00:00 2001
From: Sharath Srikanth Chellappa
Date: Thu, 14 Nov 2024 15:50:51 -0800
Subject: [PATCH 6/8] Patch for CVE-2023-46218 and CVE-2023-23916 - v1
---
 SPECS/cmake/CVE-2023-23916.patch | 42 +++++++++++++++++++++++++++
 SPECS/cmake/CVE-2023-46218.patch | 49 ++++++++++++++++++++++++++++++++
 SPECS/cmake/cmake.spec | 3 +-
 3 files changed, 93 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/cmake/CVE-2023-23916.patch
 create mode 100644 SPECS/cmake/CVE-2023-46218.patch
diff --git a/SPECS/cmake/CVE-2023-23916.patch b/SPECS/cmake/CVE-2023-23916.patch
new file mode 100644
index 00000000000..e803962a1ee
--- /dev/null
+++ b/SPECS/cmake/CVE-2023-23916.patch
@@ -0,0 +1,42 @@ +From bd3423bcd2c427ee591b9c8772206af7574a3e80 Mon Sep 17 00:00:00 2001 +From: Sharath Srikanth Chellappa +Date: Thu, 14 Nov 2024 15:45:07 -0800 +Subject: [PATCH] Patch for CVE-2023-23916 + +Upstream patch: https://github.com/curl/curl/commit/119fb187192a9ea13dc + +--- + Utilities/cmcurl/lib/content_encoding.c | 5 +++++ + Utilities/cmcurl/lib/urldata.h | 1 + + 2 files changed, 6 insertions(+) + +diff --git a/Utilities/cmcurl/lib/content_encoding.c b/Utilities/cmcurl/lib/content_encoding.c +index a84ff543b9..c3136a456e 100644 +--- a/Utilities/cmcurl/lib/content_encoding.c ++++ b/Utilities/cmcurl/lib/content_encoding.c +@@ -1065,6 +1065,11 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, + if(!encoding) + encoding = &error_encoding; /* Defer error at stack use. */ + ++ if(k->writer_stack_depth++ >= MAX_ENCODE_STACK) { ++ failf(data, "Reject response due to more than %u content encodings", ++ MAX_ENCODE_STACK); ++ return CURLE_BAD_CONTENT_ENCODING; ++ } + /* Stack the unencoding stage. */ + writer = new_unencoding_writer(data, encoding, k->writer_stack); + if(!writer) +diff --git a/Utilities/cmcurl/lib/urldata.h b/Utilities/cmcurl/lib/urldata.h +index ef3a58e55a..3505962f45 100644 +--- a/Utilities/cmcurl/lib/urldata.h ++++ b/Utilities/cmcurl/lib/urldata.h +@@ -702,6 +702,7 @@ struct SingleRequest { + #ifndef CURL_DISABLE_DOH + struct dohdata *doh; /* DoH specific data for this request */ + #endif ++ unsigned char writer_stack_depth; /* Unencoding stack depth. */ + BIT(header); /* incoming data has HTTP header */ + BIT(content_range); /* set TRUE if Content-Range: was found */ + BIT(upload_done); /* set to TRUE when doing chunked transfer-encoding +-- +2.45.2 diff --git a/SPECS/cmake/CVE-2023-46218.patch b/SPECS/cmake/CVE-2023-46218.patch new file mode 100644 index 00000000000..411b3d6311f --- /dev/null +++ b/SPECS/cmake/CVE-2023-46218.patch 
@@ -0,0 +1,49 @@ +From 7651fc4121d5caa4a9a0ffd22b10a41ae4c09403 Mon Sep 17 00:00:00 2001 +From: Sharath Srikanth Chellappa +Date: Thu, 14 Nov 2024 13:07:43 -0800 +Subject: [PATCH] Patch for CVE-2023-46218 + +Upstream patch: https://github.com/curl/curl/commit/2b0994c29a721c91c57 + +--- + Utilities/cmcurl/lib/cookie.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +diff --git a/Utilities/cmcurl/lib/cookie.c b/Utilities/cmcurl/lib/cookie.c +index 941623f9d2..55cf7749b2 100644 +--- a/Utilities/cmcurl/lib/cookie.c ++++ b/Utilities/cmcurl/lib/cookie.c +@@ -997,15 +997,23 @@ Curl_cookie_add(struct Curl_easy *data, + * dereference it. + */ + if(data && (domain && co->domain && !isip(co->domain))) { +- const psl_ctx_t *psl = Curl_psl_use(data); +- int acceptable; +- +- if(psl) { +- acceptable = psl_is_cookie_domain_acceptable(psl, domain, co->domain); +- Curl_psl_release(data); ++ bool acceptable = FALSE; ++ char lcase[256]; ++ char lcookie[256]; ++ size_t dlen = strlen(domain); ++ size_t clen = strlen(co->domain); ++ if((dlen < sizeof(lcase)) && (clen < sizeof(lcookie))) { ++ const psl_ctx_t *psl = Curl_psl_use(data); ++ if(psl) { ++ /* the PSL check requires lowercase domain name and pattern */ ++ Curl_strntolower(lcase, domain, dlen + 1); ++ Curl_strntolower(lcookie, co->domain, clen + 1); ++ acceptable = psl_is_cookie_domain_acceptable(psl, lcase, lcookie); ++ Curl_psl_release(data); ++ } ++ else ++ acceptable = !bad_domain(domain, strlen(domain)); + } +- else +- acceptable = !bad_domain(domain); + + if(!acceptable) { + infof(data, "cookie '%s' dropped, domain '%s' must not " +-- +2.45.2 diff --git a/SPECS/cmake/cmake.spec b/SPECS/cmake/cmake.spec index fbf063d37e7..fdee4d3c632 100644 --- a/SPECS/cmake/cmake.spec +++ b/SPECS/cmake/cmake.spec 
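Review bot: The fallback branch now calls `bad_domain(domain, strlen(domain))` with two arguments, while the line it replaces called `bad_domain(domain)` and this patch touches nothing else in `cookie.c`, so the helper's one-argument definition appears to be unchanged. If this branch is compiled, that is a build error rather than a fix; the call should stay `acceptable = !bad_domain(domain);` unless the two-argument form of `bad_domain` is backported as well. The enclosing `Curl_cookie_add` and any preprocessor guard around this block are outside the hunk, which may be why a default build does not notice.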
@@ -27,6 +27,7 @@ Patch12: CVE-2022-43552.patch Patch13: CVE-2023-27536.patch Patch14: CVE-2023-27538.patch Patch15: CVE-2023-27535.patch +Patch16: CVE-2023-23916.patch BuildRequires: bzip2 BuildRequires: bzip2-devel BuildRequires: curl @@ -93,7 +94,7 @@ bin/ctest --force-new-ctest-process --rerun-failed --output-on-failure %changelog * Thu Nov 14 2024 Sharath Srikanth Chellappa - 3.21.4-13 -- Patch CVE-2022-43552, CVE-2023-27536, CVE-2023-27535 and CVE-2023-27538 +- Patch CVE-2022-43552, CVE-2023-27536, CVE-2023-27535, CVE-2023-27538, CVE-2023-23916 and CVE-2023-46218. * Wed Sep 18 2024 Suresh Thelkar - 3.21.4-12 - Patch CVE-2023-27533 and CVE-2023-27534 From 584a6f759a49d6463a6a9fac1e83bc8a317acc55 Mon Sep 17 00:00:00 2001 From: Sharath Srikanth Chellappa Date: Thu, 14 Nov 2024 16:17:03 -0800 Subject: [PATCH 7/8] Patch for CVE-2023-46218 and CVE-2023-23916 - v2 --- SPECS/cmake/CVE-2023-23916.patch | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/SPECS/cmake/CVE-2023-23916.patch b/SPECS/cmake/CVE-2023-23916.patch index e803962a1ee..5b09251799d 100644 --- a/SPECS/cmake/CVE-2023-23916.patch +++ b/SPECS/cmake/CVE-2023-23916.patch @@ -6,15 +6,25 @@ Subject: [PATCH] Patch for CVE-2023-23916 Upstream patch: https://github.com/curl/curl/commit/119fb187192a9ea13dc --- - Utilities/cmcurl/lib/content_encoding.c | 5 +++++ + Utilities/cmcurl/lib/content_encoding.c | 8 ++++++++ Utilities/cmcurl/lib/urldata.h | 1 + - 2 files changed, 6 insertions(+) + 2 files changed, 9 insertions(+) diff --git a/Utilities/cmcurl/lib/content_encoding.c b/Utilities/cmcurl/lib/content_encoding.c -index a84ff543b9..c3136a456e 100644 +index a84ff543b9..c870df2dd4 100644 --- a/Utilities/cmcurl/lib/content_encoding.c 
+++ b/Utilities/cmcurl/lib/content_encoding.c -@@ -1065,6 +1065,11 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, +@@ -1025,6 +1025,9 @@ static const struct content_encoding *find_encoding(const char *name, + return NULL; + } + ++/* allow no more than 5 "chained" compression steps */ ++#define MAX_ENCODE_STACK 5 ++ + /* Set-up the unencoding stack from the Content-Encoding header value. + * See RFC 7231 section 3.1.2.2. */ + CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, +@@ -1065,6 +1068,11 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, if(!encoding) encoding = &error_encoding; /* Defer error at stack use. */ From f3a20c1fd9c033319160da36f08ed24f1ec34fa4 Mon Sep 17 00:00:00 2001 From: Sharath Srikanth Chellappa Date: Thu, 14 Nov 2024 16:56:12 -0800 Subject: [PATCH 8/8] Patch for CVE-2023-46218 and CVE-2023-23915 - v1 --- SPECS/cmake/CVE-2023-23915.patch | 328 +++++++++++++++++++++++++++++++ SPECS/cmake/cmake.spec | 4 +- 2 files changed, 331 insertions(+), 1 deletion(-) create mode 100644 SPECS/cmake/CVE-2023-23915.patch diff --git a/SPECS/cmake/CVE-2023-23915.patch b/SPECS/cmake/CVE-2023-23915.patch new file mode 100644 index 00000000000..df7ef0f8791 --- /dev/null +++ b/SPECS/cmake/CVE-2023-23915.patch 
@@ -0,0 +1,328 @@ +From 77bfeeb6c5097bee1f6c7ef587339234e777715b Mon Sep 17 00:00:00 2001 +From: Sharath Srikanth Chellappa +Date: Thu, 14 Nov 2024 16:51:39 -0800 +Subject: [PATCH] Patch for CVE-2023-23915 + +Upstream patches: +https://github.com/curl/curl/commit/ca02a77f05bd5cef20618c8f741aa48b7be0a648 +https://github.com/curl/curl/commit/076a2f629119222aeeb50f5a03bf9f9052fabb9a + +Patches that are not applicable: +https://github.com/curl/curl/commit/0bf8b796a0ea98395b390c7807187982215f5c11 +https://github.com/curl/curl/commit/dc0725244a3163f1e2d5f51165db3a1a430f3ba0 +https://github.com/curl/curl/commit/ea5aaaa5ede53819f8bc7ae767fc2d13d3704d37 + +--- + Utilities/cmcurl/include/curl/curl.h | 1 + + Utilities/cmcurl/lib/hsts.c | 28 ++++++++++++++-- + Utilities/cmcurl/lib/hsts.h | 2 ++ + Utilities/cmcurl/lib/setopt.c | 48 ++++++++++++++++++++++++---- + Utilities/cmcurl/lib/share.c | 32 +++++++++++++++++-- + Utilities/cmcurl/lib/share.h | 6 +++- + Utilities/cmcurl/lib/transfer.c | 3 ++ + Utilities/cmcurl/lib/url.c | 6 +++- + Utilities/cmcurl/lib/urldata.h | 2 ++ + 9 files changed, 115 insertions(+), 13 deletions(-) + +diff --git a/Utilities/cmcurl/include/curl/curl.h b/Utilities/cmcurl/include/curl/curl.h +index 55a6a39c1c..864309fb80 100644 +--- a/Utilities/cmcurl/include/curl/curl.h ++++ b/Utilities/cmcurl/include/curl/curl.h +@@ -2820,6 +2820,7 @@ typedef enum { + CURL_LOCK_DATA_SSL_SESSION, + CURL_LOCK_DATA_CONNECT, + CURL_LOCK_DATA_PSL, ++ CURL_LOCK_DATA_HSTS, + CURL_LOCK_DATA_LAST + } curl_lock_data; + +diff --git a/Utilities/cmcurl/lib/hsts.c b/Utilities/cmcurl/lib/hsts.c +index ef166f196c..97a07ec484 100644 +--- a/Utilities/cmcurl/lib/hsts.c ++++ b/Utilities/cmcurl/lib/hsts.c +@@ -37,6 +37,7 @@ + #include "parsedate.h" + #include "rand.h" + #include "rename.h" ++#include "share.h" + #include "strtoofft.h" + + /* The last 3 #include files should be in this order */ +@@ -399,14 +400,23 @@ static CURLcode hsts_add(struct hsts *h, char *line) + host, date); + if(2 
== rc) { + time_t expires = Curl_getdate_capped(date); +- CURLcode result; ++ CURLcode result = CURLE_OK; + char *p = host; + bool subdomain = FALSE; ++ struct stsentry *e; + if(p[0] == '.') { + p++; + subdomain = TRUE; + } +- result = hsts_create(h, p, subdomain, expires); ++ /* only add it if not already present */ ++ e = Curl_hsts(h, p, subdomain); ++ if(!e) ++ result = hsts_create(h, p, subdomain, expires); ++ else { ++ /* the same host name, use the largest expire time */ ++ if(expires > e->expires) ++ e->expires = expires; ++ } + if(result) + return result; + } +@@ -524,4 +534,18 @@ CURLcode Curl_hsts_loadcb(struct Curl_easy *data, struct hsts *h) + return hsts_pull(data, h); + } + ++void Curl_hsts_loadfiles(struct Curl_easy *data) ++{ ++ struct curl_slist *l = data->set.hstslist; ++ if(l) { ++ Curl_share_lock(data, CURL_LOCK_DATA_HSTS, CURL_LOCK_ACCESS_SINGLE); ++ ++ while(l) { ++ (void)Curl_hsts_loadfile(data, data->hsts, l->data); ++ l = l->next; ++ } ++ Curl_share_unlock(data, CURL_LOCK_DATA_HSTS); ++ } ++} ++ + #endif /* CURL_DISABLE_HTTP || CURL_DISABLE_HSTS */ +diff --git a/Utilities/cmcurl/lib/hsts.h b/Utilities/cmcurl/lib/hsts.h +index baa582864a..3c9d2dad13 100644 +--- a/Utilities/cmcurl/lib/hsts.h ++++ b/Utilities/cmcurl/lib/hsts.h +@@ -57,9 +57,11 @@ CURLcode Curl_hsts_loadfile(struct Curl_easy *data, + struct hsts *h, const char *file); + CURLcode Curl_hsts_loadcb(struct Curl_easy *data, + struct hsts *h); ++void Curl_hsts_loadfiles(struct Curl_easy *data); + #else + #define Curl_hsts_cleanup(x) + #define Curl_hsts_loadcb(x,y) + #define Curl_hsts_save(x,y,z) ++#define Curl_hsts_loadfiles(x) + #endif /* CURL_DISABLE_HTTP || CURL_DISABLE_HSTS */ + #endif /* HEADER_CURL_HSTS_H */ +diff --git a/Utilities/cmcurl/lib/setopt.c b/Utilities/cmcurl/lib/setopt.c +index 10c6872bb3..dcc1322a7b 100644 +--- a/Utilities/cmcurl/lib/setopt.c ++++ b/Utilities/cmcurl/lib/setopt.c +@@ -2229,9 +2229,14 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption 
option, va_list param) + data->cookies = NULL; + #endif + ++#ifndef CURL_DISABLE_HSTS ++ if(data->share->hsts == data->hsts) ++ data->hsts = NULL; ++#endif ++#ifdef USE_SSL + if(data->share->sslsession == data->state.session) + data->state.session = NULL; +- ++#endif + #ifdef USE_LIBPSL + if(data->psl == &data->share->psl) + data->psl = data->multi? &data->multi->psl: NULL; +@@ -2265,10 +2270,19 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + data->cookies = data->share->cookies; + } + #endif /* CURL_DISABLE_HTTP */ ++#ifndef CURL_DISABLE_HSTS ++ if(data->share->hsts) { ++ /* first free the private one if any */ ++ Curl_hsts_cleanup(&data->hsts); ++ data->hsts = data->share->hsts; ++ } ++#endif /* CURL_DISABLE_HTTP */ ++#ifdef USE_SSL + if(data->share->sslsession) { + data->set.general_ssl.max_ssl_sessions = data->share->max_ssl_sessions; + data->state.session = data->share->sslsession; + } ++#endif + #ifdef USE_LIBPSL + if(data->share->specifier & (1 << CURL_LOCK_DATA_PSL)) + data->psl = &data->share->psl; +@@ -2953,19 +2967,39 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + case CURLOPT_HSTSWRITEDATA: + data->set.hsts_write_userp = va_arg(param, void *); + break; +- case CURLOPT_HSTS: ++ case CURLOPT_HSTS: { ++ struct curl_slist *h; + if(!data->hsts) { + data->hsts = Curl_hsts_init(); + if(!data->hsts) + return CURLE_OUT_OF_MEMORY; + } + argptr = va_arg(param, char *); +- result = Curl_setstropt(&data->set.str[STRING_HSTS], argptr); +- if(result) +- return result; +- if(argptr) +- (void)Curl_hsts_loadfile(data, data->hsts, argptr); ++ if(argptr) { ++ result = Curl_setstropt(&data->set.str[STRING_HSTS], argptr); ++ if(result) ++ return result; ++ /* this needs to build a list of file names to read from, so that it can ++ read them later, as we might get a shared HSTS handle to load them ++ into */ ++ h = curl_slist_append(data->set.hstslist, argptr); ++ if(!h) { ++ 
curl_slist_free_all(data->set.hstslist); ++ data->set.hstslist = NULL; ++ return CURLE_OUT_OF_MEMORY; ++ } ++ data->set.hstslist = h; /* store the list for later use */ ++ } ++ else { ++ /* clear the list of HSTS files */ ++ curl_slist_free_all(data->set.hstslist); ++ data->set.hstslist = NULL; ++ if(!data->share || !data->share->hsts) ++ /* throw away the HSTS cache unless shared */ ++ Curl_hsts_cleanup(&data->hsts); ++ } + break; ++ } + case CURLOPT_HSTS_CTRL: + arg = va_arg(param, long); + if(arg & CURLHSTS_ENABLE) { +diff --git a/Utilities/cmcurl/lib/share.c b/Utilities/cmcurl/lib/share.c +index 9c43c8f705..8681ac2c2e 100644 +--- a/Utilities/cmcurl/lib/share.c ++++ b/Utilities/cmcurl/lib/share.c +@@ -27,9 +27,11 @@ + #include "share.h" + #include "psl.h" + #include "vtls/vtls.h" +-#include "curl_memory.h" ++#include "hsts.h" + +-/* The last #include file should be: */ ++/* The last 3 #include files should be in this order */ ++#include "curl_printf.h" ++#include "curl_memory.h" + #include "memdebug.h" + + struct Curl_share * +@@ -91,6 +93,18 @@ curl_share_setopt(struct Curl_share *share, CURLSHoption option, ...) + #endif + break; + ++ case CURL_LOCK_DATA_HSTS: ++#ifndef CURL_DISABLE_HSTS ++ if(!share->hsts) { ++ share->hsts = Curl_hsts_init(); ++ if(!share->hsts) ++ res = CURLSHE_NOMEM; ++ } ++#else /* CURL_DISABLE_HSTS */ ++ res = CURLSHE_NOT_BUILT_IN; ++#endif ++ break; ++ + case CURL_LOCK_DATA_SSL_SESSION: + #ifdef USE_SSL + if(!share->sslsession) { +@@ -143,6 +157,16 @@ curl_share_setopt(struct Curl_share *share, CURLSHoption option, ...) 
+ #endif + break; + ++ case CURL_LOCK_DATA_HSTS: ++#ifndef CURL_DISABLE_HSTS ++ if(share->hsts) { ++ Curl_hsts_cleanup(&share->hsts); ++ } ++#else /* CURL_DISABLE_HSTS */ ++ res = CURLSHE_NOT_BUILT_IN; ++#endif ++ break; ++ + case CURL_LOCK_DATA_SSL_SESSION: + #ifdef USE_SSL + Curl_safefree(share->sslsession); +@@ -209,6 +233,10 @@ curl_share_cleanup(struct Curl_share *share) + Curl_cookie_cleanup(share->cookies); + #endif + ++#ifndef CURL_DISABLE_HSTS ++ Curl_hsts_cleanup(&share->hsts); ++#endif ++ + #ifdef USE_SSL + if(share->sslsession) { + size_t i; +diff --git a/Utilities/cmcurl/lib/share.h b/Utilities/cmcurl/lib/share.h +index 222e34ba6e..97b820b0f9 100644 +--- a/Utilities/cmcurl/lib/share.h ++++ b/Utilities/cmcurl/lib/share.h +@@ -57,10 +57,14 @@ struct Curl_share { + #ifdef USE_LIBPSL + struct PslCache psl; + #endif +- ++#ifndef CURL_DISABLE_HSTS ++ struct hsts *hsts; ++#endif ++#ifdef USE_SSL + struct Curl_ssl_session *sslsession; + size_t max_ssl_sessions; + long sessionage; ++#endif + }; + + CURLSHcode Curl_share_lock(struct Curl_easy *, curl_lock_data, +diff --git a/Utilities/cmcurl/lib/transfer.c b/Utilities/cmcurl/lib/transfer.c +index bca4e548fa..b07fe88285 100644 +--- a/Utilities/cmcurl/lib/transfer.c ++++ b/Utilities/cmcurl/lib/transfer.c +@@ -1461,6 +1461,9 @@ CURLcode Curl_pretransfer(struct Curl_easy *data) + if(data->state.resolve) + result = Curl_loadhostpairs(data); + ++ /* If there is a list of hsts files to read */ ++ Curl_hsts_loadfiles(data); ++ + if(!result) { + /* Allow data->set.use_port to set which port to use. 
This needs to be + * disabled for example when we follow Location: headers to URLs using +diff --git a/Utilities/cmcurl/lib/url.c b/Utilities/cmcurl/lib/url.c +index e00c56300b..da1ff4652c 100644 +--- a/Utilities/cmcurl/lib/url.c ++++ b/Utilities/cmcurl/lib/url.c +@@ -420,7 +420,11 @@ CURLcode Curl_close(struct Curl_easy **datap) + Curl_altsvc_save(data, data->asi, data->set.str[STRING_ALTSVC]); + Curl_altsvc_cleanup(&data->asi); + Curl_hsts_save(data, data->hsts, data->set.str[STRING_HSTS]); +- Curl_hsts_cleanup(&data->hsts); ++#ifndef CURL_DISABLE_HSTS ++ if(!data->share || !data->share->hsts) ++ Curl_hsts_cleanup(&data->hsts); ++ curl_slist_free_all(data->set.hstslist); /* clean up list */ ++#endif + #if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH) + Curl_http_auth_cleanup_digest(data); + #endif +diff --git a/Utilities/cmcurl/lib/urldata.h b/Utilities/cmcurl/lib/urldata.h +index 3505962f45..aa7dfdff78 100644 +--- a/Utilities/cmcurl/lib/urldata.h ++++ b/Utilities/cmcurl/lib/urldata.h +@@ -1659,6 +1659,8 @@ struct UserDefined { + /* function to convert from UTF-8 encoding: */ + curl_conv_callback convfromutf8; + #ifndef CURL_DISABLE_HSTS ++ struct curl_slist *hstslist; /* list of HSTS files set by ++ curl_easy_setopt(HSTS) calls */ + curl_hstsread_callback hsts_read; + void *hsts_read_userp; + curl_hstswrite_callback hsts_write; +-- +2.45.2 diff --git a/SPECS/cmake/cmake.spec b/SPECS/cmake/cmake.spec index fdee4d3c632..e095d7ea6d6 100644 --- a/SPECS/cmake/cmake.spec +++ b/SPECS/cmake/cmake.spec @@ -28,6 +28,8 @@ Patch13: CVE-2023-27536.patch Patch14: CVE-2023-27538.patch Patch15: CVE-2023-27535.patch Patch16: CVE-2023-23916.patch +Patch17: CVE-2023-46218.patch +Patch18: CVE-2023-23915.patch BuildRequires: bzip2 BuildRequires: bzip2-devel BuildRequires: curl 
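Review bot: `Curl_hsts_loadfiles()` passes `data->hsts` to `Curl_hsts_loadfile()` without checking it, yet the `CURLOPT_SHARE` hunk in setopt.c sets `data->hsts = NULL` when a shared cache is detached and leaves `data->set.hstslist` populated. A handle that had HSTS files set, was attached to a share carrying HSTS and is then detached would hand a NULL cache to the loader on the next `Curl_pretransfer()`; whether `Curl_hsts_loadfile()` tolerates that is not visible in this patch, so it should be confirmed or guarded with `if(l && data->hsts) {`. Separately, the `#endif /* CURL_DISABLE_HTTP */` that closes the new `#ifndef CURL_DISABLE_HSTS` block in setopt.c is mislabelled and should read `#endif /* CURL_DISABLE_HSTS */`.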
@@ -94,7 +96,7 @@ bin/ctest --force-new-ctest-process --rerun-failed --output-on-failure %changelog * Thu Nov 14 2024 Sharath Srikanth Chellappa - 3.21.4-13 -- Patch CVE-2022-43552, CVE-2023-27536, CVE-2023-27535, CVE-2023-27538, CVE-2023-23916 and CVE-2023-46218. +- Patch CVE-2022-43552, CVE-2023-27536, CVE-2023-27535, CVE-2023-27538, CVE-2023-23916, CVE-2023-46218 and CVE-2023-23915. * Wed Sep 18 2024 Suresh Thelkar - 3.21.4-12 - Patch CVE-2023-27533 and CVE-2023-27534