Skip to content

Commit 1d1d5a0

Browse files
CBL-Mariner-Bothbeberman
CBL-Mariner-Bot
and
hbeberman
authored
[AUTO-CHERRYPICK] cmake: patch CVE-2024-11053 - branch 3.0-dev (#11940)
Co-authored-by: Henry Beberman <henry.beberman@microsoft.com>
1 parent c294274 commit 1d1d5a0

4 files changed

Lines changed: 313 additions & 5 deletions

File tree

SPECS/cmake/CVE-2024-11053.patch

Lines changed: 304 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,304 @@
1+
From c67d69ef80e6d91d4124c704aceb667859d6a0df Mon Sep 17 00:00:00 2001
2+
From: Henry Beberman <henry.beberman@microsoft.com>
3+
Date: Wed, 15 Jan 2025 21:26:44 +0000
4+
Subject: [PATCH] Backport patch for CVE-2024-11053
5+
6+
Backport fix for CVE-2024-11053 from upstream commit to vendored libcurl 8.8.0
7+
8+
From e9b9bbac22c26cf67316fa8e6c6b9e831af31949 Mon Sep 17 00:00:00 2001
9+
From: Daniel Stenberg <daniel@haxx.se>
10+
Date: Fri, 15 Nov 2024 11:06:36 +0100
11+
Subject: [PATCH] netrc: address several netrc parser flaws
12+
13+
- make sure that a match that returns a username also returns a
14+
password, that should be blank if no password is found
15+
16+
- fix handling of multiple logins for same host where the password/login
17+
order might be reversed.
18+
19+
- reject credentials provided in the .netrc if they contain ASCII control
20+
codes - if the used protocol does not support such (like HTTP and WS do)
21+
22+
---
23+
lib/netrc.c | 205 +++++++++++++++++++++++++++++-----------------------
24+
lib/url.c | 2 +
25+
2 files changed, 116 insertions(+), 91 deletions(-)
26+
27+
diff --git a/Utilities/cmcurl/lib/netrc.c b/Utilities/cmcurl/lib/netrc.c
28+
index cd2a284..83dd9eb 100644
29+
--- a/Utilities/cmcurl/lib/netrc.c
30+
+++ b/Utilities/cmcurl/lib/netrc.c
31+
@@ -49,6 +49,15 @@ enum host_lookup_state {
32+
MACDEF
33+
};
34+
35+
+enum found_state {
36+
+ NONE,
37+
+ LOGIN,
38+
+ PASSWORD
39+
+};
40+
+
41+
+#define FOUND_LOGIN 1
42+
+#define FOUND_PASSWORD 2
43+
+
44+
#define NETRC_FILE_MISSING 1
45+
#define NETRC_FAILED -1
46+
#define NETRC_SUCCESS 0
47+
@@ -66,11 +75,13 @@ static int parsenetrc(const char *host,
48+
FILE *file;
49+
int retcode = NETRC_FILE_MISSING;
50+
char *login = *loginp;
51+
- char *password = *passwordp;
52+
+ char *password = NULL;
53+
bool specific_login = (login && *login != 0);
54+
- bool login_alloc = FALSE;
55+
- bool password_alloc = FALSE;
56+
enum host_lookup_state state = NOTHING;
57+
+ enum found_state keyword = NONE;
58+
+ unsigned char found = 0; /* login + password found bits, as they can come in
59+
+ any order */
60+
+ bool our_login = FALSE; /* found our login name */
61+
62+
char state_login = 0; /* Found a login keyword */
63+
char state_password = 0; /* Found a password keyword */
64+
@@ -156,117 +167,129 @@ static int parsenetrc(const char *host,
65+
}
66+
}
67+
68+
- if((login && *login) && (password && *password)) {
69+
- done = TRUE;
70+
- break;
71+
- }
72+
-
73+
switch(state) {
74+
- case NOTHING:
75+
- if(strcasecompare("macdef", tok)) {
76+
- /* Define a macro. A macro is defined with the specified name; its
77+
- contents begin with the next .netrc line and continue until a
78+
- null line (consecutive new-line characters) is encountered. */
79+
- state = MACDEF;
80+
- }
81+
- else if(strcasecompare("machine", tok)) {
82+
- /* the next tok is the machine name, this is in itself the
83+
- delimiter that starts the stuff entered for this machine,
84+
- after this we need to search for 'login' and
85+
- 'password'. */
86+
- state = HOSTFOUND;
87+
- }
88+
- else if(strcasecompare("default", tok)) {
89+
- state = HOSTVALID;
90+
- retcode = NETRC_SUCCESS; /* we did find our host */
91+
- }
92+
- break;
93+
- case MACDEF:
94+
- if(!strlen(tok)) {
95+
- state = NOTHING;
96+
- }
97+
- break;
98+
- case HOSTFOUND:
99+
- if(strcasecompare(host, tok)) {
100+
- /* and yes, this is our host! */
101+
- state = HOSTVALID;
102+
- retcode = NETRC_SUCCESS; /* we did find our host */
103+
- }
104+
- else
105+
- /* not our host */
106+
- state = NOTHING;
107+
- break;
108+
- case HOSTVALID:
109+
- /* we are now parsing sub-keywords concerning "our" host */
110+
- if(state_login) {
111+
- if(specific_login) {
112+
- state_our_login = !Curl_timestrcmp(login, tok);
113+
+ case NOTHING:
114+
+ if(strcasecompare("macdef", tok))
115+
+ /* Define a macro. A macro is defined with the specified name; its
116+
+ contents begin with the next .netrc line and continue until a
117+
+ null line (consecutive new-line characters) is encountered. */
118+
+ state = MACDEF;
119+
+ else if(strcasecompare("machine", tok)) {
120+
+ /* the next tok is the machine name, this is in itself the delimiter
121+
+ that starts the stuff entered for this machine, after this we
122+
+ need to search for 'login' and 'password'. */
123+
+ state = HOSTFOUND;
124+
+ keyword = NONE;
125+
+ found = 0;
126+
+ our_login = FALSE;
127+
+ Curl_safefree(password);
128+
+ if(!specific_login)
129+
+ Curl_safefree(login);
130+
}
131+
- else if(!login || Curl_timestrcmp(login, tok)) {
132+
- if(login_alloc) {
133+
+ else if(strcasecompare("default", tok)) {
134+
+ state = HOSTVALID;
135+
+ retcode = NETRC_SUCCESS; /* we did find our host */
136+
+ }
137+
+ break;
138+
+ case MACDEF:
139+
+ if(!*tok)
140+
+ state = NOTHING;
141+
+ break;
142+
+ case HOSTFOUND:
143+
+ if(strcasecompare(host, tok)) {
144+
+ /* and yes, this is our host! */
145+
+ state = HOSTVALID;
146+
+ retcode = NETRC_SUCCESS; /* we did find our host */
147+
+ }
148+
+ else
149+
+ /* not our host */
150+
+ state = NOTHING;
151+
+ break;
152+
+ case HOSTVALID:
153+
+ /* we are now parsing sub-keywords concerning "our" host */
154+
+ if(keyword == LOGIN) {
155+
+ if(specific_login)
156+
+ our_login = !Curl_timestrcmp(login, tok);
157+
+ else {
158+
+ our_login = TRUE;
159+
free(login);
160+
- login_alloc = FALSE;
161+
+ login = strdup(tok);
162+
+ if(!login) {
163+
+ retcode = NETRC_FAILED; /* allocation failed */
164+
+ goto out;
165+
+ }
166+
}
167+
- login = strdup(tok);
168+
- if(!login) {
169+
- retcode = NETRC_FAILED; /* allocation failed */
170+
- goto out;
171+
- }
172+
- login_alloc = TRUE;
173+
+ found |= FOUND_LOGIN;
174+
+ keyword = NONE;
175+
}
176+
- state_login = 0;
177+
- }
178+
- else if(state_password) {
179+
- if((state_our_login || !specific_login)
180+
- && (!password || Curl_timestrcmp(password, tok))) {
181+
- if(password_alloc) {
182+
- free(password);
183+
- password_alloc = FALSE;
184+
- }
185+
+ else if(keyword == PASSWORD) {
186+
+ free(password);
187+
password = strdup(tok);
188+
if(!password) {
189+
retcode = NETRC_FAILED; /* allocation failed */
190+
goto out;
191+
}
192+
- password_alloc = TRUE;
193+
+ if(!specific_login || our_login)
194+
+ found |= FOUND_PASSWORD;
195+
+ keyword = NONE;
196+
}
197+
- state_password = 0;
198+
- }
199+
- else if(strcasecompare("login", tok))
200+
- state_login = 1;
201+
- else if(strcasecompare("password", tok))
202+
- state_password = 1;
203+
- else if(strcasecompare("machine", tok)) {
204+
- /* ok, there's machine here go => */
205+
- state = HOSTFOUND;
206+
- state_our_login = FALSE;
207+
- }
208+
- break;
209+
- } /* switch (state) */
210+
+ else if(strcasecompare("login", tok))
211+
+ keyword = LOGIN;
212+
+ else if(strcasecompare("password", tok))
213+
+ keyword = PASSWORD;
214+
+ else if(strcasecompare("machine", tok)) {
215+
+ /* a new machine here */
216+
+ if(found & FOUND_PASSWORD) {
217+
+ done = TRUE;
218+
+ break;
219+
+ }
220+
+ state = HOSTFOUND;
221+
+ keyword = NONE;
222+
+ found = 0;
223+
+ Curl_safefree(password);
224+
+ if(!specific_login)
225+
+ Curl_safefree(login);
226+
+ }
227+
+ else if(strcasecompare("default", tok)) {
228+
+ state = HOSTVALID;
229+
+ retcode = NETRC_SUCCESS; /* we did find our host */
230+
+ Curl_safefree(password);
231+
+ if(!specific_login)
232+
+ Curl_safefree(login);
233+
+ }
234+
+ if((found == (FOUND_PASSWORD|FOUND_LOGIN)) && our_login) {
235+
+ done = TRUE;
236+
+ break;
237+
+ }
238+
+ break;
239+
+ } /* switch (state) */
240+
tok = ++tok_end;
241+
}
242+
} /* while Curl_get_line() */
243+
244+
out:
245+
Curl_dyn_free(&buf);
246+
+ if(!retcode) {
247+
+ if(!password && our_login) {
248+
+ /* success without a password, set a blank one */
249+
+ password = strdup("");
250+
+ if(!password)
251+
+ retcode = 1; /* out of memory */
252+
+ }
253+
+ else if(!login && !password)
254+
+ /* a default with no credentials */
255+
+ retcode = NETRC_FILE_MISSING;
256+
+ }
257+
if(!retcode) {
258+
/* success */
259+
- if(login_alloc) {
260+
- if(*loginp)
261+
- free(*loginp);
262+
+ if(!specific_login)
263+
*loginp = login;
264+
- }
265+
- if(password_alloc) {
266+
- if(*passwordp)
267+
- free(*passwordp);
268+
- *passwordp = password;
269+
- }
270+
+ *passwordp = password;
271+
}
272+
else {
273+
- if(login_alloc)
274+
+ if(!specific_login)
275+
free(login);
276+
- if(password_alloc)
277+
- free(password);
278+
+ free(password);
279+
}
280+
fclose(file);
281+
}
282+
diff --git a/Utilities/cmcurl/lib/url.c b/Utilities/cmcurl/lib/url.c
283+
index 2814d31..51c7f88 100644
284+
--- a/Utilities/cmcurl/lib/url.c
285+
+++ b/Utilities/cmcurl/lib/url.c
286+
@@ -2698,6 +2698,7 @@ static CURLcode override_login(struct Curl_easy *data,
287+
url_provided = TRUE;
288+
}
289+
290+
+ if(!*passwdp) {
291+
ret = Curl_parsenetrc(conn->host.name,
292+
userp, passwdp,
293+
data->set.str[STRING_NETRC_FILE]);
294+
@@ -2729,6 +2730,7 @@ static CURLcode override_login(struct Curl_easy *data,
295+
if(!*userp)
296+
return CURLE_OUT_OF_MEMORY;
297+
}
298+
+ }
299+
}
300+
#endif
301+
302+
--
303+
2.45.2
304+

SPECS/cmake/cmake.spec

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22
Summary: Cmake
33
Name: cmake
44
Version: 3.30.3
5-
Release: 2%{?dist}
5+
Release: 3%{?dist}
66
License: BSD AND LGPLv2+
77
Vendor: Microsoft Corporation
88
Distribution: Azure Linux
@@ -14,6 +14,7 @@ Patch0: 0001-manually-recreating-patches.patch
1414
Patch1: CVE-2024-6197.patch
1515
Patch2: CVE-2024-6874.patch
1616
Patch3: CVE-2024-8096.patch
17+
Patch4: CVE-2024-11053.patch
1718
BuildRequires: bzip2
1819
BuildRequires: bzip2-devel
1920
BuildRequires: curl
@@ -93,6 +94,9 @@ bin/ctest --force-new-ctest-process --rerun-failed --output-on-failure
9394
%{_libdir}/rpm/macros.d/macros.cmake
9495

9596
%changelog
97+
* Wed Jan 15 2025 Henry Beberman <henry.beberman@microsoft.com> - 3.30.3-3
98+
- Patch vendored curl for CVE-2024-11053
99+
96100
* Thu Sep 26 2024 Jonathan Behrens <jbehrens@microsoft.com> - 3.30.3-2
97101
- Fix CVE-2024-6197, CVE-2024-6874, and CVE-2024-8096
98102

toolkit/resources/manifests/package/toolchain_aarch64.txt

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -49,8 +49,8 @@ check-debuginfo-0.15.2-1.azl3.aarch64.rpm
4949
chkconfig-1.25-1.azl3.aarch64.rpm
5050
chkconfig-debuginfo-1.25-1.azl3.aarch64.rpm
5151
chkconfig-lang-1.25-1.azl3.aarch64.rpm
52-
cmake-3.30.3-2.azl3.aarch64.rpm
53-
cmake-debuginfo-3.30.3-2.azl3.aarch64.rpm
52+
cmake-3.30.3-3.azl3.aarch64.rpm
53+
cmake-debuginfo-3.30.3-3.azl3.aarch64.rpm
5454
coreutils-9.4-6.azl3.aarch64.rpm
5555
coreutils-debuginfo-9.4-6.azl3.aarch64.rpm
5656
coreutils-lang-9.4-6.azl3.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -52,8 +52,8 @@ check-debuginfo-0.15.2-1.azl3.x86_64.rpm
5252
chkconfig-1.25-1.azl3.x86_64.rpm
5353
chkconfig-debuginfo-1.25-1.azl3.x86_64.rpm
5454
chkconfig-lang-1.25-1.azl3.x86_64.rpm
55-
cmake-3.30.3-2.azl3.x86_64.rpm
56-
cmake-debuginfo-3.30.3-2.azl3.x86_64.rpm
55+
cmake-3.30.3-3.azl3.x86_64.rpm
56+
cmake-debuginfo-3.30.3-3.azl3.x86_64.rpm
5757
coreutils-9.4-6.azl3.x86_64.rpm
5858
coreutils-debuginfo-9.4-6.azl3.x86_64.rpm
5959
coreutils-lang-9.4-6.azl3.x86_64.rpm

0 commit comments

Comments
 (0)