[AUTO-CHERRYPICK] [Medium] patch curl for CVE-2024-9681 - branch 3.0-dev (#12084)

CBL-Mariner-Bot · jykanase · web-flow · commit 7cef86d87ac1 · 2025-01-26T10:41:23.000-05:00
Co-authored-by: jykanase &lt;v-jykanase@microsoft.com&gt;
diff --git a/SPECS/curl/CVE-2024-9681.patch b/SPECS/curl/CVE-2024-9681.patch
@@ -0,0 +1,64 @@
+From 42e322412593a4b98b8ade35f2adfdce9b171478 Mon Sep 17 00:00:00 2001
+From: jykanase <v-jykanase@microsoft.com>
+Date: Fri, 24 Jan 2025 06:27:04 +0000
+Subject: [PATCH] CVE-2024-9681
+
+Backported from : https://github.com/curl/curl/commit/a94973805df96269bf
+---
+ lib/hsts.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/lib/hsts.c b/lib/hsts.c
+index a5e7676..d1e434f 100644
+--- a/lib/hsts.c
++++ b/lib/hsts.c
+@@ -249,12 +249,14 @@ CURLcode Curl_hsts_parse(struct hsts *h, const char *hostname,
+ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
+                            bool subdomain)
+ {
++  struct stsentry *bestsub = NULL;
+   if(h) {
+     char buffer[MAX_HSTS_HOSTLEN + 1];
+     time_t now = time(NULL);
+     size_t hlen = strlen(hostname);
+     struct Curl_llist_element *e;
+     struct Curl_llist_element *n;
++    size_t blen = 0;
+ 
+     if((hlen > MAX_HSTS_HOSTLEN) || !hlen)
+       return NULL;
+@@ -279,15 +281,19 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
+         if(ntail < hlen) {
+           size_t offs = hlen - ntail;
+           if((hostname[offs-1] == '.') &&
+-             strncasecompare(&hostname[offs], sts->host, ntail))
+-            return sts;
++             strncasecompare(&hostname[offs], sts->host, ntail) &&
++             (ntail > blen)) {
++            /* save the tail match with the longest tail */
++            bestsub = sts;
++            blen = ntail;
++          }
+         }
+       }
+       if(strcasecompare(hostname, sts->host))
+         return sts;
+     }
+   }
+-  return NULL; /* no match */
++  return bestsub;
+ }
+ 
+ /*
+@@ -439,7 +445,7 @@ static CURLcode hsts_add(struct hsts *h, char *line)
+     e = Curl_hsts(h, p, subdomain);
+     if(!e)
+       result = hsts_create(h, p, subdomain, expires);
+-    else {
++    else if(strcasecompare(p, e->host)) {
+       /* the same host name, use the largest expire time */
+       if(expires > e->expires)
+         e->expires = expires;
+--
+2.45.2
+
diff --git a/SPECS/curl/curl.spec b/SPECS/curl/curl.spec
@@ -1,7 +1,7 @@
 Summary:        An URL retrieval utility and library
 Name:           curl
 Version:        8.8.0
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        curl
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -10,6 +10,7 @@ URL:            https://curl.haxx.se
 Source0:        https://curl.haxx.se/download/%{name}-%{version}.tar.gz
 Patch0:         CVE-2024-6197.patch
 Patch1:         CVE-2024-8096.patch
+Patch2:         CVE-2024-9681.patch
 BuildRequires:  krb5-devel
 BuildRequires:  libssh2-devel
 BuildRequires:  nghttp2-devel
@@ -87,6 +88,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %{_libdir}/libcurl.so.*
 
 %changelog
+* Fri Jan 24 2025 Jyoti Kanase <v-jykanase@microsoft.com> - 8.8.0-4
+- Fix for CVE-2024-9681
+
 * Tue Oct 15 2024 Muhammad Falak <mwani@microsoft.com> - 8.8.0-3
 - Address CVE-2024-8096
 
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -195,9 +195,9 @@ libssh2-1.11.0-1.azl3.aarch64.rpm
 libssh2-devel-1.11.0-1.azl3.aarch64.rpm
 krb5-1.21.3-2.azl3.aarch64.rpm
 nghttp2-1.61.0-2.azl3.aarch64.rpm
-curl-8.8.0-3.azl3.aarch64.rpm
-curl-devel-8.8.0-3.azl3.aarch64.rpm
-curl-libs-8.8.0-3.azl3.aarch64.rpm
+curl-8.8.0-4.azl3.aarch64.rpm
+curl-devel-8.8.0-4.azl3.aarch64.rpm
+curl-libs-8.8.0-4.azl3.aarch64.rpm
 createrepo_c-1.0.3-1.azl3.aarch64.rpm
 libxml2-2.11.5-3.azl3.aarch64.rpm
 libxml2-devel-2.11.5-3.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -195,9 +195,9 @@ libssh2-1.11.0-1.azl3.x86_64.rpm
 libssh2-devel-1.11.0-1.azl3.x86_64.rpm
 krb5-1.21.3-2.azl3.x86_64.rpm
 nghttp2-1.61.0-2.azl3.x86_64.rpm
-curl-8.8.0-3.azl3.x86_64.rpm
-curl-devel-8.8.0-3.azl3.x86_64.rpm
-curl-libs-8.8.0-3.azl3.x86_64.rpm
+curl-8.8.0-4.azl3.x86_64.rpm
+curl-devel-8.8.0-4.azl3.x86_64.rpm
+curl-libs-8.8.0-4.azl3.x86_64.rpm
 createrepo_c-1.0.3-1.azl3.x86_64.rpm
 libxml2-2.11.5-3.azl3.x86_64.rpm
 libxml2-devel-2.11.5-3.azl3.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -65,10 +65,10 @@ cracklib-lang-2.9.11-1.azl3.aarch64.rpm
 createrepo_c-1.0.3-1.azl3.aarch64.rpm
 createrepo_c-debuginfo-1.0.3-1.azl3.aarch64.rpm
 createrepo_c-devel-1.0.3-1.azl3.aarch64.rpm
-curl-8.8.0-3.azl3.aarch64.rpm
-curl-debuginfo-8.8.0-3.azl3.aarch64.rpm
-curl-devel-8.8.0-3.azl3.aarch64.rpm
-curl-libs-8.8.0-3.azl3.aarch64.rpm
+curl-8.8.0-4.azl3.aarch64.rpm
+curl-debuginfo-8.8.0-4.azl3.aarch64.rpm
+curl-devel-8.8.0-4.azl3.aarch64.rpm
+curl-libs-8.8.0-4.azl3.aarch64.rpm
 Cython-debuginfo-3.0.5-2.azl3.aarch64.rpm
 debugedit-5.0-2.azl3.aarch64.rpm
 debugedit-debuginfo-5.0-2.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -70,10 +70,10 @@ createrepo_c-debuginfo-1.0.3-1.azl3.x86_64.rpm
 createrepo_c-devel-1.0.3-1.azl3.x86_64.rpm
 cross-binutils-common-2.41-2.azl3.noarch.rpm
 cross-gcc-common-13.2.0-7.azl3.noarch.rpm
-curl-8.8.0-3.azl3.x86_64.rpm
-curl-debuginfo-8.8.0-3.azl3.x86_64.rpm
-curl-devel-8.8.0-3.azl3.x86_64.rpm
-curl-libs-8.8.0-3.azl3.x86_64.rpm
+curl-8.8.0-4.azl3.x86_64.rpm
+curl-debuginfo-8.8.0-4.azl3.x86_64.rpm
+curl-devel-8.8.0-4.azl3.x86_64.rpm
+curl-libs-8.8.0-4.azl3.x86_64.rpm
 Cython-debuginfo-3.0.5-2.azl3.x86_64.rpm
 debugedit-5.0-2.azl3.x86_64.rpm
 debugedit-debuginfo-5.0-2.azl3.x86_64.rpm
