[AUTO-CHERRYPICK] Patch CVE-2023-27534 in cmake - branch main (#10509)

Co-authored-by: suresh-thelkar <suresh.thelkar@yahoo.com>

Author: CBL-Mariner-Bot

SPECS/cmake/CVE-2023-27533.patch

@@ -0,0 +1,60 @@
+From 7aee1a49cb796ad199f02746222808d3313fbe9b Mon Sep 17 00:00:00 2001
+From: Suresh Thelkar <sthelkar@microsoft.com>
+Date: Tue, 17 Sep 2024 12:38:59 +0530
+Subject: [PATCH] Backporting patch for CVE-2023-27533
+
+Upstream patch details are given below.
+https://github.com/curl/curl/pull/10728/commits
+---
+ Utilities/cmcurl/lib/telnet.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/Utilities/cmcurl/lib/telnet.c b/Utilities/cmcurl/lib/telnet.c
+index fdd137fb..c8af4c95 100644
+--- a/Utilities/cmcurl/lib/telnet.c
++++ b/Utilities/cmcurl/lib/telnet.c
+@@ -770,6 +770,17 @@ static void printsub(struct Curl_easy *data,
+   }
+ }
+ 
++static bool str_is_nonascii(const char *str)
++{
++  size_t len = strlen(str);
++  while(len--) {
++    if(*str & 0x80)
++      return TRUE;
++    str++;
++  }
++  return FALSE;
++}
++
+ static CURLcode check_telnet_options(struct Curl_easy *data)
+ {
+   struct curl_slist *head;
+@@ -784,6 +795,8 @@ static CURLcode check_telnet_options(struct Curl_easy *data)
+   /* Add the user name as an environment variable if it
+      was given on the command line */
+   if(conn->bits.user_passwd) {
++	if(str_is_nonascii(conn->user))
++      return CURLE_BAD_FUNCTION_ARGUMENT;
+     msnprintf(option_arg, sizeof(option_arg), "USER,%s", conn->user);
+     beg = curl_slist_append(tn->telnet_vars, option_arg);
+     if(!beg) {
+@@ -796,6 +809,14 @@ static CURLcode check_telnet_options(struct Curl_easy *data)
+   }
+ 
+   for(head = data->set.telnet_options; head; head = head->next) {
++	 char *option = head->data;
++     char *arg;
++     char *sep = strchr(option, '=');
++	 if(sep) {
++		arg = ++sep;
++		if(str_is_nonascii(arg))
++			continue;
++	 }
+     if(sscanf(head->data, "%127[^= ]%*[ =]%255s",
+               option_keyword, option_arg) == 2) {
+ 
+-- 
+2.34.1
+

SPECS/cmake/CVE-2023-27534.patch

@@ -0,0 +1,119 @@
+From 851e92133dcb67015af8f7d3402fb58fa5df051e Mon Sep 17 00:00:00 2001
+From: Suresh Thelkar <sthelkar@microsoft.com>
+Date: Wed, 18 Sep 2024 15:14:00 +0530
+Subject: [PATCH] Patch for CVE-2023-27534
+
+Upstream patch details are given below.
+https://github.com/curl/curl/pull/10729/commits/01345b13d4c4d1222387f5c02dfb6244a9cade33#diff-86c8ab4ca5332fd50f646ad37656e92fc41839ba34e0ddab1ec7728439cbe5f1
+---
+ Utilities/cmcurl/lib/curl_path.c | 72 ++++++++++++++++----------------
+ 1 file changed, 36 insertions(+), 36 deletions(-)
+
+diff --git a/Utilities/cmcurl/lib/curl_path.c b/Utilities/cmcurl/lib/curl_path.c
+index 65106188..28eb41ad 100644
+--- a/Utilities/cmcurl/lib/curl_path.c
++++ b/Utilities/cmcurl/lib/curl_path.c
+@@ -30,6 +30,8 @@
+ #include "escape.h"
+ #include "memdebug.h"
+ 
++#define MAX_SSHPATH_LEN 100000 /* arbitrary */
++
+ /* figure out the path to work with in this particular request */
+ CURLcode Curl_getworkingpath(struct Curl_easy *data,
+                              char *homedir,  /* when SFTP is used */
+@@ -39,57 +41,55 @@ CURLcode Curl_getworkingpath(struct Curl_easy *data,
+   char *real_path = NULL;
+   char *working_path;
+   size_t working_path_len;
++  struct dynbuf npath;
+   CURLcode result =
+     Curl_urldecode(data, data->state.up.path, 0, &working_path,
+                    &working_path_len, REJECT_ZERO);
+   if(result)
+     return result;
+ 
++  /* new path to switch to in case we need to */
++  Curl_dyn_init(&npath, MAX_SSHPATH_LEN);
++
+   /* Check for /~/, indicating relative to the user's home directory */
+-  if(data->conn->handler->protocol & CURLPROTO_SCP) {
+-    real_path = malloc(working_path_len + 1);
+-    if(!real_path) {
++  if((data->conn->handler->protocol & CURLPROTO_SCP) &&
++     (working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) {
++    /* It is referenced to the home directory, so strip the leading '/~/' */
++    if(Curl_dyn_addn(&npath, &working_path[3], working_path_len - 3)) {
+       free(working_path);
+       return CURLE_OUT_OF_MEMORY;
+     }
+-    if((working_path_len > 3) && (!memcmp(working_path, "/~/", 3)))
+-      /* It is referenced to the home directory, so strip the leading '/~/' */
+-      memcpy(real_path, working_path + 3, working_path_len - 2);
+-    else
+-      memcpy(real_path, working_path, 1 + working_path_len);
+   }
+-  else if(data->conn->handler->protocol & CURLPROTO_SFTP) {
+-    if((working_path_len > 1) && (working_path[1] == '~')) {
+-      size_t homelen = strlen(homedir);
+-      real_path = malloc(homelen + working_path_len + 1);
+-      if(!real_path) {
+-        free(working_path);
+-        return CURLE_OUT_OF_MEMORY;
+-      }
+-      /* It is referenced to the home directory, so strip the
+-         leading '/' */
+-      memcpy(real_path, homedir, homelen);
+-      real_path[homelen] = '/';
+-      real_path[homelen + 1] = '\0';
+-      if(working_path_len > 3) {
+-        memcpy(real_path + homelen + 1, working_path + 3,
+-               1 + working_path_len -3);
+-      }
++  else if((data->conn->handler->protocol & CURLPROTO_SFTP) &&
++          (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) {
++    size_t len;
++    const char *p;
++    int copyfrom = 3;
++    if(Curl_dyn_add(&npath, homedir)) {
++      free(working_path);
++      return CURLE_OUT_OF_MEMORY;
+     }
+-    else {
+-      real_path = malloc(working_path_len + 1);
+-      if(!real_path) {
+-        free(working_path);
+-        return CURLE_OUT_OF_MEMORY;
+-      }
+-      memcpy(real_path, working_path, 1 + working_path_len);
++    /* Copy a separating '/' if homedir does not end with one */
++    len = Curl_dyn_len(&npath);
++    p = Curl_dyn_ptr(&npath);
++    if(len && (p[len-1] != '/'))
++      copyfrom = 2;
++
++    if(Curl_dyn_addn(&npath,
++                     &working_path[copyfrom], working_path_len - copyfrom)) {
++      free(working_path);
++      return CURLE_OUT_OF_MEMORY;
+     }
+   }
+ 
+-  free(working_path);
+-
+-  /* store the pointer for the caller to receive */
+-  *path = real_path;
++  if(Curl_dyn_len(&npath)) {
++    free(working_path);
++  
++    /* store the pointer for the caller to receive */
++    *path = Curl_dyn_ptr(&npath);
++  }
++  else
++    *path = working_path
+ 
+   return CURLE_OK;
+ }
+-- 
+2.34.1
+

SPECS/cmake/cmake.spec

@@ -2,7 +2,7 @@
 Summary:        Cmake
 Name:           cmake
 Version:        3.21.4
-Release:        11%{?dist}
+Release:        12%{?dist}
 License:        BSD AND LGPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -21,6 +21,8 @@ Patch6:         CVE-2023-38545.patch
 Patch7:         CVE-2023-38546.patch
 Patch8:         cve-2023-44487.patch
 Patch9:         CVE-2023-28320.patch
+Patch10:        CVE-2023-27533.patch
+Patch11:        CVE-2023-27534.patch
 BuildRequires:  bzip2
 BuildRequires:  bzip2-devel
 BuildRequires:  curl
@@ -86,6 +88,9 @@ bin/ctest --force-new-ctest-process --rerun-failed --output-on-failure
 %{_prefix}/doc/%{name}-*/*
 
 %changelog
+* Wed Sep 18 2024 Suresh Thelkar <sthelkar@microsoft.com> - 3.21.4-12
+- Patch CVE-2023-27533 and CVE-2023-27534
+
 * Fri Jul 26 2024 Zhichun Wan <zhichunwan@microsoft.com> - 3.21.4-11
 - Patch CVE-2023-28320.patch
 

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -30,8 +30,8 @@ check-debuginfo-0.15.2-1.cm2.aarch64.rpm
 chkconfig-1.20-4.cm2.aarch64.rpm
 chkconfig-debuginfo-1.20-4.cm2.aarch64.rpm
 chkconfig-lang-1.20-4.cm2.aarch64.rpm
-cmake-3.21.4-11.cm2.aarch64.rpm
-cmake-debuginfo-3.21.4-11.cm2.aarch64.rpm
+cmake-3.21.4-12.cm2.aarch64.rpm
+cmake-debuginfo-3.21.4-12.cm2.aarch64.rpm
 coreutils-8.32-7.cm2.aarch64.rpm
 coreutils-debuginfo-8.32-7.cm2.aarch64.rpm
 coreutils-lang-8.32-7.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -31,8 +31,8 @@ check-debuginfo-0.15.2-1.cm2.x86_64.rpm
 chkconfig-1.20-4.cm2.x86_64.rpm
 chkconfig-debuginfo-1.20-4.cm2.x86_64.rpm
 chkconfig-lang-1.20-4.cm2.x86_64.rpm
-cmake-3.21.4-11.cm2.x86_64.rpm
-cmake-debuginfo-3.21.4-11.cm2.x86_64.rpm
+cmake-3.21.4-12.cm2.x86_64.rpm
+cmake-debuginfo-3.21.4-12.cm2.x86_64.rpm
 coreutils-8.32-7.cm2.x86_64.rpm
 coreutils-debuginfo-8.32-7.cm2.x86_64.rpm
 coreutils-lang-8.32-7.cm2.x86_64.rpm