Patch rust for CVE-2024-11738

azurelinux-security · azurelinux-security · commit 078f94479a89 · 2025-08-08T10:17:15.000Z
diff --git a/SPECS/rust/CVE-2024-11738.patch b/SPECS/rust/CVE-2024-11738.patch
@@ -0,0 +1,35 @@
+From 874dd834f5444394deda1f7fcc19cc09afebf6bd Mon Sep 17 00:00:00 2001
+From: Kevin Wang <wy721@qq.com>
+Date: Fri, 22 Nov 2024 20:48:01 +0800
+Subject: [PATCH] Record and restore the processed cursor in
+ first_handshake_message
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/rustls/rustls/pull/2231.patch
+---
+ vendor/rustls-0.23.13/src/conn.rs | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/vendor/rustls-0.23.13/src/conn.rs b/vendor/rustls-0.23.13/src/conn.rs
+index 60b597ba5..d45d71fd0 100644
+--- a/vendor/rustls-0.23.13/src/conn.rs
++++ b/vendor/rustls-0.23.13/src/conn.rs
+@@ -655,6 +655,7 @@ impl<Data> ConnectionCommon<Data> {
+     /// `process_handshake_messages()` path, specialized for the first handshake message.
+     pub(crate) fn first_handshake_message(&mut self) -> Result<Option<Message<'static>>, Error> {
+         let mut buffer_progress = BufferProgress::default();
++        buffer_progress.add_processed(self.deframer_buffer.processed);
+ 
+         let res = self
+             .core
+@@ -665,6 +666,7 @@ impl<Data> ConnectionCommon<Data> {
+             )
+             .map(|opt| opt.map(|pm| Message::try_from(pm).map(|m| m.into_owned())));
+ 
++        self.deframer_buffer.processed = buffer_progress.processed();
+         match res? {
+             Some(Ok(msg)) => {
+                 self.deframer_buffer
+-- 
+2.45.4
+
diff --git a/SPECS/rust/rust.spec b/SPECS/rust/rust.spec
@@ -9,7 +9,7 @@
 Summary:        Rust Programming Language
 Name:           rust
 Version:        1.86.0
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        (ASL 2.0 OR MIT) AND BSD AND CC-BY-3.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -42,6 +42,7 @@ Source5:        https://static.rust-lang.org/dist/%{release_date}/cargo-%{stage0
 Source6:        https://static.rust-lang.org/dist/%{release_date}/rustc-%{stage0_version}-aarch64-unknown-linux-gnu.tar.xz
 Source7:        https://static.rust-lang.org/dist/%{release_date}/rust-std-%{stage0_version}-aarch64-unknown-linux-gnu.tar.xz
 Patch0:		CVE-2025-4574.patch
+Patch1:         CVE-2024-11738.patch
 BuildRequires:  binutils
 BuildRequires:  cmake
 # make sure rust relies on curl from CBL-Mariner (instead of using its vendored flavor)
@@ -179,6 +180,9 @@ rm %{buildroot}%{_docdir}/docs/html/.lock
 %{_mandir}/man1/*
 
 %changelog
+* Fri Aug 08 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.86.0-4
+- Patch for CVE-2024-11738
+
 * Fri Jun 13 2025 Kavya Sree Kaitepalli <kkaitepalli@microsoft.com> - 1.86.0-3
 - Patch CVE-2025-4574
 
