[AutoPR- Security] Patch cmake for CVE-2025-10148 [MEDIUM] (microsoft#14675)

azurelinux-security · web-flow · commit 4809e873afd8 · 2025-09-22T21:41:56.000+05:30
diff --git a/SPECS/cmake/CVE-2025-10148.patch b/SPECS/cmake/CVE-2025-10148.patch
@@ -0,0 +1,71 @@
+From 314fdb876cae7b8b57932adbdab40cb8a9148cfc Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Sat, 13 Sep 2025 06:29:24 +0000
+Subject: [PATCH] ws: get a new mask for each new outgoing frame
+
+- Move mask generation from accept to frame send: generate a fresh 4-byte
+  random mask for every outgoing frame in ws_enc_write_head.
+- Allow forcing zero mask in DEBUGBUILD via CURL_WS_FORCE_ZERO_MASK env.
+- Remove mask generation and printing from Curl_ws_accept and update log
+  message to not leak mask bytes.
+
+Reported-by: Calvin Ruocco
+Closes: #18496
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/curl/curl/commit/84db7a9eae8468c0445b15aa806fa.patch
+---
+ Utilities/cmcurl/lib/ws.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/Utilities/cmcurl/lib/ws.c b/Utilities/cmcurl/lib/ws.c
+index 6ccf9e65..476b7ad9 100644
+--- a/Utilities/cmcurl/lib/ws.c
++++ b/Utilities/cmcurl/lib/ws.c
+@@ -544,6 +544,7 @@ static ssize_t ws_enc_write_head(struct Curl_easy *data,
+   unsigned char head[14];
+   size_t hlen;
+   ssize_t n;
++  CURLcode result;
+ 
+   if(payload_len < 0) {
+     failf(data, "WS: starting new frame with negative payload length %"
+@@ -615,6 +616,20 @@ static ssize_t ws_enc_write_head(struct Curl_easy *data,
+   enc->payload_remain = enc->payload_len = payload_len;
+   ws_enc_info(enc, data, "sending");
+ 
++  /* 4 bytes random */
++
++  result = Curl_rand(data, (unsigned char *)&enc->mask, sizeof(enc->mask));
++  if(result) {
++    *err = result;
++    return -1;
++  }
++
++#ifdef DEBUGBUILD
++  if(getenv("CURL_WS_FORCE_ZERO_MASK"))
++    /* force the bit mask to 0x00000000, effectively disabling masking */
++    memset(&enc->mask, 0, sizeof(enc->mask));
++#endif
++
+   /* add 4 bytes mask */
+   memcpy(&head[hlen], &enc->mask, 4);
+   hlen += 4;
+@@ -805,14 +820,7 @@ CURLcode Curl_ws_accept(struct Curl_easy *data,
+      subprotocol not requested by the client), the client MUST Fail
+      the WebSocket Connection. */
+ 
+-  /* 4 bytes random */
+-
+-  result = Curl_rand(data, (unsigned char *)&ws->enc.mask,
+-                     sizeof(ws->enc.mask));
+-  if(result)
+-    return result;
+-  infof(data, "Received 101, switch to WebSocket; mask %02x%02x%02x%02x",
+-        ws->enc.mask[0], ws->enc.mask[1], ws->enc.mask[2], ws->enc.mask[3]);
++  infof(data, "[WS] Received 101, switch to WebSocket");
+ 
+   /* Install our client writer that decodes WS frames payload */
+   result = Curl_cwriter_create(&ws_dec_writer, data, &ws_cw_decode,
+-- 
+2.45.4
+
diff --git a/SPECS/cmake/cmake.spec b/SPECS/cmake/cmake.spec
@@ -2,7 +2,7 @@
 Summary:        Cmake
 Name:           cmake
 Version:        3.30.3
-Release:        9%{?dist}
+Release:        10%{?dist}
 License:        BSD AND LGPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -31,6 +31,7 @@ Patch11:	CVE-2025-5916.patch
 Patch12:	CVE-2025-5917.patch
 Patch13:	CVE-2025-5918.patch
 Patch14:	CVE-2025-9301.patch
+Patch15:	CVE-2025-10148.patch
 
 BuildRequires:  bzip2
 BuildRequires:  bzip2-devel
@@ -111,6 +112,9 @@ bin/ctest --force-new-ctest-process --rerun-failed --output-on-failure
 %{_libdir}/rpm/macros.d/macros.cmake
 
 %changelog
+* Sat Sep 13 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.30.3-10
+- Patch for CVE-2025-10148
+
 * Fri Aug 22 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.30.3-9
 - Patch for CVE-2025-9301
 
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -51,8 +51,8 @@ check-debuginfo-0.15.2-1.azl3.aarch64.rpm
 chkconfig-1.25-1.azl3.aarch64.rpm
 chkconfig-debuginfo-1.25-1.azl3.aarch64.rpm
 chkconfig-lang-1.25-1.azl3.aarch64.rpm
-cmake-3.30.3-9.azl3.aarch64.rpm
-cmake-debuginfo-3.30.3-9.azl3.aarch64.rpm
+cmake-3.30.3-10.azl3.aarch64.rpm
+cmake-debuginfo-3.30.3-10.azl3.aarch64.rpm
 coreutils-9.4-6.azl3.aarch64.rpm
 coreutils-debuginfo-9.4-6.azl3.aarch64.rpm
 coreutils-lang-9.4-6.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -54,8 +54,8 @@ check-debuginfo-0.15.2-1.azl3.x86_64.rpm
 chkconfig-1.25-1.azl3.x86_64.rpm
 chkconfig-debuginfo-1.25-1.azl3.x86_64.rpm
 chkconfig-lang-1.25-1.azl3.x86_64.rpm
-cmake-3.30.3-9.azl3.x86_64.rpm
-cmake-debuginfo-3.30.3-9.azl3.x86_64.rpm
+cmake-3.30.3-10.azl3.x86_64.rpm
+cmake-debuginfo-3.30.3-10.azl3.x86_64.rpm
 coreutils-9.4-6.azl3.x86_64.rpm
 coreutils-debuginfo-9.4-6.azl3.x86_64.rpm
 coreutils-lang-9.4-6.azl3.x86_64.rpm
