[AUTO-CHERRYPICK] [Low] Patch curl for CVE-2025-0167 - branch main (#13363)

CBL-Mariner-Bot · v-smalavathu · web-flow · commit 18dbf295ab84 · 2025-04-10T17:05:36.000-04:00
Co-authored-by: Sreenivasulu Malavathula (HCL Technologies Ltd) &lt;v-smalavathu@microsoft.com&gt;
diff --git a/SPECS/curl/CVE-2025-0167.patch b/SPECS/curl/CVE-2025-0167.patch
@@ -0,0 +1,40 @@
+From 9ef089b45f439bc1885ab7ee3e074ecc86a8bfcc Mon Sep 17 00:00:00 2001
+From: Sreenivasulu Malavathula <v-smalavathu@microsoft.com>
+Date: Fri, 28 Mar 2025 18:08:43 -0500
+Subject: [PATCH] Address CVE-2025-0167
+Upstream Patch Reference: https://github.com/curl/curl/commit/0e120c5b925e8ca75d5319e
+
+---
+ lib/netrc.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/lib/netrc.c b/lib/netrc.c
+index 64efdc0..6053fa6 100644
+--- a/lib/netrc.c
++++ b/lib/netrc.c
+@@ -263,11 +263,17 @@ static int parsenetrc(const char *host,
+ 
+ out:
+     Curl_dyn_free(&buf);
+-    if(!retcode && !password && our_login) {
+-      /* success without a password, set a blank one */
+-      password = strdup("");
+-      if(!password)
+-        retcode = 1; /* out of memory */
++    if(!retcode) {
++      if(!password && our_login) {
++        /* success without a password, set a blank one */
++        password = strdup("");
++        if(!password)
++          retcode = 1; /* out of memory */
++      }
++      else if(!login && !password) {
++        /* a default with no credentials */
++        retcode = NETRC_FILE_MISSING;
++      }
+     }
+     if(!retcode) {
+       /* success */
+-- 
+2.45.2
+
diff --git a/SPECS/curl/curl.spec b/SPECS/curl/curl.spec
@@ -1,7 +1,7 @@
 Summary:        An URL retrieval utility and library
 Name:           curl
 Version:        8.8.0
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        curl
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -12,6 +12,7 @@ Patch0:         CVE-2024-6197.patch
 Patch1:         CVE-2024-8096.patch
 Patch2:         CVE-2024-11053.patch
 Patch3:         CVE-2024-9681.patch
+Patch4:         CVE-2025-0167.patch
 BuildRequires:  krb5-devel
 BuildRequires:  libssh2-devel
 BuildRequires:  nghttp2-devel
@@ -89,6 +90,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %{_libdir}/libcurl.so.*
 
 %changelog
+* Fri Mar 28 2025 Sreeniavsulu Malavathula <v-smalavathu@microsoft.com> - 8.8.0-6
+- Fix CVE-2025-0167 with an upstream patch
+
 * Wed Feb 26 2025 Bhagyashri Pathak <bhapathak@microsoft.com> - 8.8.0-5
 - Patch CVE-2024-9681
 
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -190,9 +190,9 @@ libssh2-1.9.0-4.cm2.aarch64.rpm
 libssh2-devel-1.9.0-4.cm2.aarch64.rpm
 krb5-1.19.4-3.cm2.aarch64.rpm
 nghttp2-1.57.0-2.cm2.aarch64.rpm
-curl-8.8.0-5.cm2.aarch64.rpm
-curl-devel-8.8.0-5.cm2.aarch64.rpm
-curl-libs-8.8.0-5.cm2.aarch64.rpm
+curl-8.8.0-6.cm2.aarch64.rpm
+curl-devel-8.8.0-6.cm2.aarch64.rpm
+curl-libs-8.8.0-6.cm2.aarch64.rpm
 createrepo_c-0.17.5-1.cm2.aarch64.rpm
 libxml2-2.10.4-6.cm2.aarch64.rpm
 libxml2-devel-2.10.4-6.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -190,9 +190,9 @@ libssh2-1.9.0-4.cm2.x86_64.rpm
 libssh2-devel-1.9.0-4.cm2.x86_64.rpm
 krb5-1.19.4-3.cm2.x86_64.rpm
 nghttp2-1.57.0-2.cm2.x86_64.rpm
-curl-8.8.0-5.cm2.x86_64.rpm
-curl-devel-8.8.0-5.cm2.x86_64.rpm
-curl-libs-8.8.0-5.cm2.x86_64.rpm
+curl-8.8.0-6.cm2.x86_64.rpm
+curl-devel-8.8.0-6.cm2.x86_64.rpm
+curl-libs-8.8.0-6.cm2.x86_64.rpm
 createrepo_c-0.17.5-1.cm2.x86_64.rpm
 libxml2-2.10.4-6.cm2.x86_64.rpm
 libxml2-devel-2.10.4-6.cm2.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -46,10 +46,10 @@ cracklib-lang-2.9.7-5.cm2.aarch64.rpm
 createrepo_c-0.17.5-1.cm2.aarch64.rpm
 createrepo_c-debuginfo-0.17.5-1.cm2.aarch64.rpm
 createrepo_c-devel-0.17.5-1.cm2.aarch64.rpm
-curl-8.8.0-5.cm2.aarch64.rpm
-curl-debuginfo-8.8.0-5.cm2.aarch64.rpm
-curl-devel-8.8.0-5.cm2.aarch64.rpm
-curl-libs-8.8.0-5.cm2.aarch64.rpm
+curl-8.8.0-6.cm2.aarch64.rpm
+curl-debuginfo-8.8.0-6.cm2.aarch64.rpm
+curl-devel-8.8.0-6.cm2.aarch64.rpm
+curl-libs-8.8.0-6.cm2.aarch64.rpm
 Cython-debuginfo-0.29.33-2.cm2.aarch64.rpm
 debugedit-5.0-2.cm2.aarch64.rpm
 debugedit-debuginfo-5.0-2.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -49,10 +49,10 @@ createrepo_c-debuginfo-0.17.5-1.cm2.x86_64.rpm
 createrepo_c-devel-0.17.5-1.cm2.x86_64.rpm
 cross-binutils-common-2.37-14.cm2.noarch.rpm
 cross-gcc-common-11.2.0-8.cm2.noarch.rpm
-curl-8.8.0-5.cm2.x86_64.rpm
-curl-debuginfo-8.8.0-5.cm2.x86_64.rpm
-curl-devel-8.8.0-5.cm2.x86_64.rpm
-curl-libs-8.8.0-5.cm2.x86_64.rpm
+curl-8.8.0-6.cm2.x86_64.rpm
+curl-debuginfo-8.8.0-6.cm2.x86_64.rpm
+curl-devel-8.8.0-6.cm2.x86_64.rpm
+curl-libs-8.8.0-6.cm2.x86_64.rpm
 Cython-debuginfo-0.29.33-2.cm2.x86_64.rpm
 debugedit-5.0-2.cm2.x86_64.rpm
 debugedit-debuginfo-5.0-2.cm2.x86_64.rpm
