
Commit 55fc9b8

authored
[MEDIUM] Patch cmake for CVE-2024-8096 (#13765)
1 parent 3df0768 commit 55fc9b8


4 files changed

+210
-5
lines changed


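--- a/SPECS/cmake/CVE-2024-8096.patch
+++ b/SPECS/cmake/CVE-2024-8096.patch
@@ -0,0 +1,201 @@
+From 2114e7b1029a091269dae83af1f16ca06b18bc90 Mon Sep 17 00:00:00 2001
+From: archana25-ms <[email protected]>
+Date: Mon, 12 May 2025 12:23:23 +0000
+Subject: [PATCH] Address CVE-2024-8096
+Upstream Patch Reference : https://github.com/curl/curl/commit/aeb1a281cab13c7ba791cb104e556b20e713941f
+
+---
+Utilities/cmcurl/lib/vtls/gtls.c | 145 +++++++++++++++----------------
+1 file changed, 72 insertions(+), 73 deletions(-)
+
+diff --git a/Utilities/cmcurl/lib/vtls/gtls.c b/Utilities/cmcurl/lib/vtls/gtls.c
+index ecde5c44..02e3b95e 100644
+--- a/Utilities/cmcurl/lib/vtls/gtls.c
++++ b/Utilities/cmcurl/lib/vtls/gtls.c
+@@ -528,6 +528,13 @@ gtls_connect_step1(struct Curl_easy *data,
+init_flags |= GNUTLS_FORCE_CLIENT_CERT;
+#endif
+
++#if defined(GNUTLS_NO_STATUS_REQUEST)
++ if(!config->verifystatus)
++ /* Disable the "status_request" TLS extension, enabled by default since
++ GnuTLS 3.8.0. */
++ init_flags |= GNUTLS_NO_STATUS_REQUEST;
++#endif
++
+#if defined(GNUTLS_NO_TICKETS)
+/* Disable TLS session tickets */
+init_flags |= GNUTLS_NO_TICKETS;
+@@ -935,104 +942,96 @@ gtls_connect_step3(struct Curl_easy *data,
+infof(data, "\t server certificate verification SKIPPED\n");
+
+if(SSL_CONN_CONFIG(verifystatus)) {
+- if(gnutls_ocsp_status_request_is_checked(session, 0) == 0) {
+- gnutls_datum_t status_request;
+- gnutls_ocsp_resp_t ocsp_resp;
++ gnutls_datum_t status_request;
++ gnutls_ocsp_resp_t ocsp_resp;
++ gnutls_ocsp_cert_status_t status;
++ gnutls_x509_crl_reason_t reason;
+
+- gnutls_ocsp_cert_status_t status;
+- gnutls_x509_crl_reason_t reason;
++ rc = gnutls_ocsp_status_request_get(session, &status_request);
+
+- rc = gnutls_ocsp_status_request_get(session, &status_request);
++ if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
++ failf(data, "No OCSP response received");
++ return CURLE_SSL_INVALIDCERTSTATUS;
++ }
+
+- infof(data, "\t server certificate status verification FAILED\n");
++ if(rc < 0) {
++ failf(data, "Invalid OCSP response received");
++ return CURLE_SSL_INVALIDCERTSTATUS;
++ }
+
+- if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+- failf(data, "No OCSP response received");
+- return CURLE_SSL_INVALIDCERTSTATUS;
+- }
++ gnutls_ocsp_resp_init(&ocsp_resp);
+
+- if(rc < 0) {
+- failf(data, "Invalid OCSP response received");
+- return CURLE_SSL_INVALIDCERTSTATUS;
+- }
++ rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
++ if(rc < 0) {
++ failf(data, "Invalid OCSP response received");
++ return CURLE_SSL_INVALIDCERTSTATUS;
++ }
+
+- gnutls_ocsp_resp_init(&ocsp_resp);
++ (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
++ &status, NULL, NULL, NULL, &reason);
+
+- rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
+- if(rc < 0) {
+- failf(data, "Invalid OCSP response received");
+- return CURLE_SSL_INVALIDCERTSTATUS;
+- }
++ switch(status) {
++ case GNUTLS_OCSP_CERT_GOOD:
++ break;
+
+- (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
+- &status, NULL, NULL, NULL, &reason);
++ case GNUTLS_OCSP_CERT_REVOKED: {
++ const char *crl_reason;
+
+- switch(status) {
+- case GNUTLS_OCSP_CERT_GOOD:
++ switch(reason) {
++ default:
++ case GNUTLS_X509_CRLREASON_UNSPECIFIED:
++ crl_reason = "unspecified reason";
+break;
+
+- case GNUTLS_OCSP_CERT_REVOKED: {
+- const char *crl_reason;
+-
+- switch(reason) {
+- default:
+- case GNUTLS_X509_CRLREASON_UNSPECIFIED:
+- crl_reason = "unspecified reason";
+- break;
+-
+- case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
+- crl_reason = "private key compromised";
+- break;
+-
+- case GNUTLS_X509_CRLREASON_CACOMPROMISE:
+- crl_reason = "CA compromised";
+- break;
+-
+- case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
+- crl_reason = "affiliation has changed";
+- break;
++ case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
++ crl_reason = "private key compromised";
++ break;
+
+- case GNUTLS_X509_CRLREASON_SUPERSEDED:
+- crl_reason = "certificate superseded";
+- break;
++ case GNUTLS_X509_CRLREASON_CACOMPROMISE:
++ crl_reason = "CA compromised";
++ break;
+
+- case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
+- crl_reason = "operation has ceased";
+- break;
++ case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
++ crl_reason = "affiliation has changed";
++ break;
+
+- case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
+- crl_reason = "certificate is on hold";
+- break;
++ case GNUTLS_X509_CRLREASON_SUPERSEDED:
++ crl_reason = "certificate superseded";
++ break;
+
+- case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
+- crl_reason = "will be removed from delta CRL";
+- break;
++ case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
++ crl_reason = "operation has ceased";
++ break;
+
+- case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
+- crl_reason = "privilege withdrawn";
+- break;
++ case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
++ crl_reason = "certificate is on hold";
++ break;
+
+- case GNUTLS_X509_CRLREASON_AACOMPROMISE:
+- crl_reason = "AA compromised";
+- break;
+- }
++ case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
++ crl_reason = "will be removed from delta CRL";
++ break;
+
+- failf(data, "Server certificate was revoked: %s", crl_reason);
++ case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
++ crl_reason = "privilege withdrawn";
+break;
+- }
+
+- default:
+- case GNUTLS_OCSP_CERT_UNKNOWN:
+- failf(data, "Server certificate status is unknown");
++ case GNUTLS_X509_CRLREASON_AACOMPROMISE:
++ crl_reason = "AA compromised";
+break;
+}
+
+- gnutls_ocsp_resp_deinit(ocsp_resp);
++ failf(data, "Server certificate was revoked: %s", crl_reason);
++ break;
++ }
++ default:
++ case GNUTLS_OCSP_CERT_UNKNOWN:
++ failf(data, "Server certificate status is unknown");
++ break;
++ }
+
++ gnutls_ocsp_resp_deinit(ocsp_resp);
++ if(status != GNUTLS_OCSP_CERT_GOOD)
+return CURLE_SSL_INVALIDCERTSTATUS;
+- }
+- else
+- infof(data, "\t server certificate status verification OK\n");
+}
+else
+infof(data, "\t server certificate status verification SKIPPED\n");
+--
+2.45.3
+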
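Review bot: In the gtls_connect_step3 hunk of the backported patch the result of `gnutls_ocsp_resp_get_single` is discarded with `(void)` while `status` is declared without an initializer a few lines earlier, so if that lookup fails the following `switch(status)` and the final `if(status != GNUTLS_OCSP_CERT_GOOD)` read an indeterminate value and a stapled response that imports but yields no readable single response may pass the check. Checking the return and handling it like the import failure (fail with "Invalid OCSP response received", release the response, return `CURLE_SSL_INVALIDCERTSTATUS`) closes that gap, as sketched below. The import-failure return on the new side also skips `gnutls_ocsp_resp_deinit(ocsp_resp)` after `gnutls_ocsp_resp_init`, leaking the response object on every rejected staple. Separately, the step1 hunk reads `config->verifystatus` while step3 in the same patch uses the `SSL_CONN_CONFIG(verifystatus)` accessor; no `config` local is visible in the hunk, and because the block sits under `#if defined(GNUTLS_NO_STATUS_REQUEST)` a missing local would only surface when building against GnuTLS 3.8.0 or newer, so it is worth confirming on such a build. Both gtls_connect_step1 and gtls_connect_step3 start and end outside their hunks.
```c
    rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
    if(rc < 0) {
      failf(data, "Invalid OCSP response received");
      gnutls_ocsp_resp_deinit(ocsp_resp);
      return CURLE_SSL_INVALIDCERTSTATUS;
    }

    rc = gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
                                     &status, NULL, NULL, NULL, &reason);
    if(rc < 0) {
      failf(data, "Invalid OCSP response received");
      gnutls_ocsp_resp_deinit(ocsp_resp);
      return CURLE_SSL_INVALIDCERTSTATUS;
    }

    /* … unchanged: switch(status) reporting, deinit and final status check … */
```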

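--- a/SPECS/cmake/cmake.spec
+++ b/SPECS/cmake/cmake.spec
@@ -2,7 +2,7 @@
 Summary: Cmake
 Name: cmake
 Version: 3.21.4
-Release: 17%{?dist}
+Release: 18%{?dist}
 License: BSD AND LGPLv2+
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -35,6 +35,7 @@ Patch20: CVE-2024-7264.patch
 Patch21: CVE-2024-11053.patch
 Patch22: CVE-2024-9681.patch
 Patch23: CVE-2024-48615.patch
+Patch24: CVE-2024-8096.patch
 BuildRequires: bzip2
 BuildRequires: bzip2-devel
 BuildRequires: curl
@@ -100,6 +101,9 @@ bin/ctest --force-new-ctest-process --rerun-failed --output-on-failure
 %{_prefix}/doc/%{name}-*/*
 
 %changelog
+* Mon May 12 2025 Archana Shettigar <[email protected]> - 3.21.4-18
+- Fix CVE-2024-8096 by backporting
+
 * Mon Apr 07 2025 Kavya Sree Kaitepalli <[email protected]> - 3.21.4-17
 - Fix CVE-2024-48615 by backporting
 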
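--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -30,8 +30,8 @@ check-debuginfo-0.15.2-1.cm2.aarch64.rpm
 chkconfig-1.20-4.cm2.aarch64.rpm
 chkconfig-debuginfo-1.20-4.cm2.aarch64.rpm
 chkconfig-lang-1.20-4.cm2.aarch64.rpm
-cmake-3.21.4-17.cm2.aarch64.rpm
-cmake-debuginfo-3.21.4-17.cm2.aarch64.rpm
+cmake-3.21.4-18.cm2.aarch64.rpm
+cmake-debuginfo-3.21.4-18.cm2.aarch64.rpm
 coreutils-8.32-7.cm2.aarch64.rpm
 coreutils-debuginfo-8.32-7.cm2.aarch64.rpm
 coreutils-lang-8.32-7.cm2.aarch64.rpm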

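--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -31,8 +31,8 @@ check-debuginfo-0.15.2-1.cm2.x86_64.rpm
 chkconfig-1.20-4.cm2.x86_64.rpm
 chkconfig-debuginfo-1.20-4.cm2.x86_64.rpm
 chkconfig-lang-1.20-4.cm2.x86_64.rpm
-cmake-3.21.4-17.cm2.x86_64.rpm
-cmake-debuginfo-3.21.4-17.cm2.x86_64.rpm
+cmake-3.21.4-18.cm2.x86_64.rpm
+cmake-debuginfo-3.21.4-18.cm2.x86_64.rpm
 coreutils-8.32-7.cm2.x86_64.rpm
 coreutils-debuginfo-8.32-7.cm2.x86_64.rpm
 coreutils-lang-8.32-7.cm2.x86_64.rpm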
