[AUTO-CHERRYPICK] Patch CVE-2024-24806 in libuv - branch main (#8148)

Co-authored-by: suresh-thelkar <suresh.thelkar@yahoo.com>

Author: CBL-Mariner-Bot

SPECS/libuv/CVE-2024-24806.patch

@@ -0,0 +1,53 @@
+From 2c127bf21e7c76e783944b3aae974167099cbad3 Mon Sep 17 00:00:00 2001
+From: Suresh Thelkar <sthelkar@microsoft.com>
+Date: Mon, 19 Feb 2024 10:08:20 +0530
+Subject: [PATCH] Patch for CVE-2024-24806
+
+Upstream patch details are given below
+https://github.com/libuv/libuv/commit/0f2d7e784a256b54b2385043438848047bc2a629
+---
+ src/idna.c       | 5 +++--
+ test/test-idna.c | 4 ++++
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/idna.c b/src/idna.c
+index b44cb16..9526f85 100644
+--- a/src/idna.c
++++ b/src/idna.c
+@@ -307,8 +307,9 @@ long uv__idna_toascii(const char* s, const char* se, char* d, char* de) {
+       return rc;
+   }
+ 
+-  if (d < de)
+-    *d++ = '\0';
++  if (d >= de)
++	return UV_EINVAL;
+ 
++  *d++ = '\0';
+   return d - ds;  /* Number of bytes written. */
+ }
+diff --git a/test/test-idna.c b/test/test-idna.c
+index f4fad96..d079be5 100644
+--- a/test/test-idna.c
++++ b/test/test-idna.c
+@@ -99,6 +99,7 @@ TEST_IMPL(utf8_decode1) {
+ TEST_IMPL(utf8_decode1_overrun) {
+   const char* p;
+   char b[1];
++  char c[1];
+ 
+   /* Single byte. */
+   p = b;
+@@ -112,6 +113,9 @@ TEST_IMPL(utf8_decode1_overrun) {
+   ASSERT_EQ((unsigned) -1, uv__utf8_decode1(&p, b + 1));
+   ASSERT_EQ(p, b + 1);
+ 
++  b[0] = 0x7F;
++  ASSERT_EQ(UV_EINVAL, uv__idna_toascii(b, b + 1, c, c + 1));
++
+   return 0;
+ }
+ 
+-- 
+2.34.1
+

SPECS/libuv/libuv.spec

@@ -1,13 +1,14 @@
 Summary:        Cross-platform asynchronous I/O
 Name:           libuv
 Version:        1.43.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        MIT AND CC-BY
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          Applications/System
 URL:            https://libuv.org/
 Source0:        https://dist.libuv.org/dist/v%{version}/%{name}-v%{version}.tar.gz
+Patch0:         CVE-2024-24806.patch
 BuildRequires:  build-essential
 BuildRequires:  coreutils
 %if %{with_check}
@@ -35,7 +36,7 @@ Group:          Development/Libraries
 %{summary}.
 
 %prep
-%setup -q -n %{name}-v%{version}
+%autosetup -p1 -n %{name}-v%{version}
 
 %build
 ./autogen.sh
@@ -75,6 +76,9 @@ sudo -u test make -k check
 %{_libdir}/%{name}.a
 
 %changelog
+* Mon Feb 19 2024 Suresh Thelkar <sthelkar@microsoft.com> - 1.43.0-2
+- Patch for CVE-2024-24806
+
 * Tue Jan 25 2022 Henry Li <lihl@microsoft.com> - 1.43.0-1
 - Upgrade to version 1.43.0
 - License Verified