[AutoPR- Security] Patch curl for CVE-2025-10148 [MEDIUM] (microsoft#14653)

Author: azurelinux-security

SPECS/curl/CVE-2025-10148.patch

@@ -0,0 +1,57 @@
+From 966ee40365d33b352191241506251e2c3c135cd5 Mon Sep 17 00:00:00 2001
+From: AllSpark <[email protected]>
+Date: Thu, 11 Sep 2025 15:47:20 +0000
+Subject: [PATCH] ws: get a new mask for each new outgoing
+ frame\n\nReported-by: Calvin Ruocco\nCloses #18496
+
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: AI Backport of https://github.com/curl/curl/commit/84db7a9eae8468c0445b15aa806fa.patch
+---
+ lib/ws.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/lib/ws.c b/lib/ws.c
+index 3d739a5..41565e2 100644
+--- a/lib/ws.c
++++ b/lib/ws.c
+@@ -618,6 +618,21 @@ static ssize_t ws_enc_write_head(struct Curl_easy *data,
+   enc->payload_remain = enc->payload_len = payload_len;
+   ws_enc_info(enc, data, "sending");
+ 
++  /* 4 bytes random */
++  {
++    CURLcode result;
++    result = Curl_rand(data, (unsigned char *)&enc->mask, sizeof(enc->mask));
++    if(result) {
++      *err = result;
++      return -1;
++    }
++#ifdef DEBUGBUILD
++    if(getenv("CURL_WS_FORCE_ZERO_MASK"))
++      /* force the bit mask to 0x00000000, effectively disabling masking */
++      memset(&enc->mask, 0, sizeof(enc->mask));
++#endif
++  }
++
+   /* add 4 bytes mask */
+   memcpy(&head[hlen], &enc->mask, 4);
+   hlen += 4;
+@@ -808,14 +823,7 @@ CURLcode Curl_ws_accept(struct Curl_easy *data,
+      subprotocol not requested by the client), the client MUST Fail
+      the WebSocket Connection. */
+ 
+-  /* 4 bytes random */
+-
+-  result = Curl_rand(data, (unsigned char *)&ws->enc.mask,
+-                     sizeof(ws->enc.mask));
+-  if(result)
+-    return result;
+-  infof(data, "Received 101, switch to WebSocket; mask %02x%02x%02x%02x",
+-        ws->enc.mask[0], ws->enc.mask[1], ws->enc.mask[2], ws->enc.mask[3]);
++  infof(data, "[WS] Received 101, switch to WebSocket");
+ 
+   /* Install our client writer that decodes WS frames payload */
+   result = Curl_cwriter_create(&ws_dec_writer, data, &ws_cw_decode,
+-- 
+2.45.4
+

SPECS/curl/curl.spec

@@ -1,7 +1,7 @@
 Summary:        An URL retrieval utility and library
 Name:           curl
 Version:        8.11.1
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        curl
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -11,6 +11,7 @@ Source0:        https://curl.haxx.se/download/%{name}-%{version}.tar.gz
 Patch0:         CVE-2025-0665.patch
 Patch1:         CVE-2025-0167.patch
 Patch2:         CVE-2025-0725.patch
+Patch3:         CVE-2025-10148.patch
 BuildRequires:  cmake
 BuildRequires:  krb5-devel
 BuildRequires:  libnghttp2-devel
@@ -101,6 +102,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %{_libdir}/libcurl.so.*
 
 %changelog
+* Thu Sep 11 2025 Azure Linux Security Servicing Account <[email protected]> - 8.11.1-4
+- Patch for CVE-2025-10148
+
 * Thu Feb 13 2025 Kanishk Bansal <[email protected]> - 8.11.1-3
 - Fix CVE-2025-0665, CVE-2025-0167, CVE-2025-0725
 

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -199,9 +199,9 @@ krb5-1.21.3-2.azl3.aarch64.rpm
 krb5-devel-1.21.3-2.azl3.aarch64.rpm
 nghttp2-1.61.0-2.azl3.aarch64.rpm
 nghttp2-devel-1.61.0-2.azl3.aarch64.rpm
-curl-8.11.1-3.azl3.aarch64.rpm
-curl-devel-8.11.1-3.azl3.aarch64.rpm
-curl-libs-8.11.1-3.azl3.aarch64.rpm
+curl-8.11.1-4.azl3.aarch64.rpm
+curl-devel-8.11.1-4.azl3.aarch64.rpm
+curl-libs-8.11.1-4.azl3.aarch64.rpm
 createrepo_c-1.0.3-1.azl3.aarch64.rpm
 libxml2-2.11.5-6.azl3.aarch64.rpm
 libxml2-devel-2.11.5-6.azl3.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -199,9 +199,9 @@ krb5-1.21.3-2.azl3.x86_64.rpm
 krb5-devel-1.21.3-2.azl3.x86_64.rpm
 nghttp2-1.61.0-2.azl3.x86_64.rpm
 nghttp2-devel-1.61.0-2.azl3.x86_64.rpm
-curl-8.11.1-3.azl3.x86_64.rpm
-curl-devel-8.11.1-3.azl3.x86_64.rpm
-curl-libs-8.11.1-3.azl3.x86_64.rpm
+curl-8.11.1-4.azl3.x86_64.rpm
+curl-devel-8.11.1-4.azl3.x86_64.rpm
+curl-libs-8.11.1-4.azl3.x86_64.rpm
 createrepo_c-1.0.3-1.azl3.x86_64.rpm
 libxml2-2.11.5-6.azl3.x86_64.rpm
 libxml2-devel-2.11.5-6.azl3.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -67,10 +67,10 @@ cracklib-lang-2.9.11-1.azl3.aarch64.rpm
 createrepo_c-1.0.3-1.azl3.aarch64.rpm
 createrepo_c-debuginfo-1.0.3-1.azl3.aarch64.rpm
 createrepo_c-devel-1.0.3-1.azl3.aarch64.rpm
-curl-8.11.1-3.azl3.aarch64.rpm
-curl-debuginfo-8.11.1-3.azl3.aarch64.rpm
-curl-devel-8.11.1-3.azl3.aarch64.rpm
-curl-libs-8.11.1-3.azl3.aarch64.rpm
+curl-8.11.1-4.azl3.aarch64.rpm
+curl-debuginfo-8.11.1-4.azl3.aarch64.rpm
+curl-devel-8.11.1-4.azl3.aarch64.rpm
+curl-libs-8.11.1-4.azl3.aarch64.rpm
 Cython-debuginfo-3.0.5-2.azl3.aarch64.rpm
 debugedit-5.0-2.azl3.aarch64.rpm
 debugedit-debuginfo-5.0-2.azl3.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -72,10 +72,10 @@ createrepo_c-debuginfo-1.0.3-1.azl3.x86_64.rpm
 createrepo_c-devel-1.0.3-1.azl3.x86_64.rpm
 cross-binutils-common-2.41-8.azl3.noarch.rpm
 cross-gcc-common-13.2.0-7.azl3.noarch.rpm
-curl-8.11.1-3.azl3.x86_64.rpm
-curl-debuginfo-8.11.1-3.azl3.x86_64.rpm
-curl-devel-8.11.1-3.azl3.x86_64.rpm
-curl-libs-8.11.1-3.azl3.x86_64.rpm
+curl-8.11.1-4.azl3.x86_64.rpm
+curl-debuginfo-8.11.1-4.azl3.x86_64.rpm
+curl-devel-8.11.1-4.azl3.x86_64.rpm
+curl-libs-8.11.1-4.azl3.x86_64.rpm
 Cython-debuginfo-3.0.5-2.azl3.x86_64.rpm
 debugedit-5.0-2.azl3.x86_64.rpm
 debugedit-debuginfo-5.0-2.azl3.x86_64.rpm