[AUTO-CHERRYPICK] Patch CVE-2024-6197 in curl - branch main (#10397)

Co-authored-by: aadhar-agarwal <108542189+aadhar-agarwal@users.noreply.github.com>

Author: CBL-Mariner-Bot

SPECS/curl/CVE-2024-6197.patch

@@ -0,0 +1,21 @@
+From 3a537a4db9e65e545ec45b1b5d5575ee09a2569d Mon Sep 17 00:00:00 2001
+From: z2_ <88509734+z2-2z@users.noreply.github.com>
+Date: Fri, 28 Jun 2024 14:45:47 +0200
+Subject: [PATCH] x509asn1: remove superfluous free()
+
+---
+ lib/vtls/x509asn1.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/lib/vtls/x509asn1.c b/lib/vtls/x509asn1.c
+index f71ab0b90a5931..1bc4243ddae343 100644
+--- a/lib/vtls/x509asn1.c
++++ b/lib/vtls/x509asn1.c
+@@ -390,7 +390,6 @@ utf8asn1str(struct dynbuf *to, int type, const char *from, const char *end)
+         if(wc >= 0x00000800) {
+           if(wc >= 0x00010000) {
+             if(wc >= 0x00200000) {
+-              free(buf);
+               /* Invalid char. size for target encoding. */
+               return CURLE_WEIRD_SERVER_REPLY;
+             }

SPECS/curl/curl.spec

@@ -1,13 +1,14 @@
 Summary:        An URL retrieval utility and library
 Name:           curl
 Version:        8.8.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        curl
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          System Environment/NetworkingLibraries
 URL:            https://curl.haxx.se
 Source0:        https://curl.haxx.se/download/%{name}-%{version}.tar.gz
+Patch0:         CVE-2024-6197.patch
 BuildRequires:  krb5-devel
 BuildRequires:  libssh2-devel
 BuildRequires:  nghttp2-devel
@@ -85,6 +86,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %{_libdir}/libcurl.so.*
 
 %changelog
+* Wed Sep 4 2024 Aadhar Agarwal <aadagarwal@microsoft.com> - 8.8.0-2
+- Patch CVE-2024-6197
+
 * Mon Jul 15 2024 Muhammad Falak <mwani@microsoft.com> - 8.8.0-1
 - Bump version to 8.8.0 to address CVE-2024-2398
 

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -190,9 +190,9 @@ libssh2-1.9.0-4.cm2.aarch64.rpm
 libssh2-devel-1.9.0-4.cm2.aarch64.rpm
 krb5-1.21.3-2.cm2.aarch64.rpm
 nghttp2-1.57.0-1.cm2.aarch64.rpm
-curl-8.8.0-1.cm2.aarch64.rpm
-curl-devel-8.8.0-1.cm2.aarch64.rpm
-curl-libs-8.8.0-1.cm2.aarch64.rpm
+curl-8.8.0-2.cm2.aarch64.rpm
+curl-devel-8.8.0-2.cm2.aarch64.rpm
+curl-libs-8.8.0-2.cm2.aarch64.rpm
 createrepo_c-0.17.5-1.cm2.aarch64.rpm
 libxml2-2.10.4-3.cm2.aarch64.rpm
 libxml2-devel-2.10.4-3.cm2.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -190,9 +190,9 @@ libssh2-1.9.0-4.cm2.x86_64.rpm
 libssh2-devel-1.9.0-4.cm2.x86_64.rpm
 krb5-1.21.3-2.cm2.x86_64.rpm
 nghttp2-1.57.0-1.cm2.x86_64.rpm
-curl-8.8.0-1.cm2.x86_64.rpm
-curl-devel-8.8.0-1.cm2.x86_64.rpm
-curl-libs-8.8.0-1.cm2.x86_64.rpm
+curl-8.8.0-2.cm2.x86_64.rpm
+curl-devel-8.8.0-2.cm2.x86_64.rpm
+curl-libs-8.8.0-2.cm2.x86_64.rpm
 createrepo_c-0.17.5-1.cm2.x86_64.rpm
 libxml2-2.10.4-3.cm2.x86_64.rpm
 libxml2-devel-2.10.4-3.cm2.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -46,10 +46,10 @@ cracklib-lang-2.9.7-5.cm2.aarch64.rpm
 createrepo_c-0.17.5-1.cm2.aarch64.rpm
 createrepo_c-debuginfo-0.17.5-1.cm2.aarch64.rpm
 createrepo_c-devel-0.17.5-1.cm2.aarch64.rpm
-curl-8.8.0-1.cm2.aarch64.rpm
-curl-debuginfo-8.8.0-1.cm2.aarch64.rpm
-curl-devel-8.8.0-1.cm2.aarch64.rpm
-curl-libs-8.8.0-1.cm2.aarch64.rpm
+curl-8.8.0-2.cm2.aarch64.rpm
+curl-debuginfo-8.8.0-2.cm2.aarch64.rpm
+curl-devel-8.8.0-2.cm2.aarch64.rpm
+curl-libs-8.8.0-2.cm2.aarch64.rpm
 Cython-debuginfo-0.29.33-2.cm2.aarch64.rpm
 debugedit-5.0-2.cm2.aarch64.rpm
 debugedit-debuginfo-5.0-2.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -49,10 +49,10 @@ createrepo_c-debuginfo-0.17.5-1.cm2.x86_64.rpm
 createrepo_c-devel-0.17.5-1.cm2.x86_64.rpm
 cross-binutils-common-2.37-8.cm2.noarch.rpm
 cross-gcc-common-11.2.0-8.cm2.noarch.rpm
-curl-8.8.0-1.cm2.x86_64.rpm
-curl-debuginfo-8.8.0-1.cm2.x86_64.rpm
-curl-devel-8.8.0-1.cm2.x86_64.rpm
-curl-libs-8.8.0-1.cm2.x86_64.rpm
+curl-8.8.0-2.cm2.x86_64.rpm
+curl-debuginfo-8.8.0-2.cm2.x86_64.rpm
+curl-devel-8.8.0-2.cm2.x86_64.rpm
+curl-libs-8.8.0-2.cm2.x86_64.rpm
 Cython-debuginfo-0.29.33-2.cm2.x86_64.rpm
 debugedit-5.0-2.cm2.x86_64.rpm
 debugedit-debuginfo-5.0-2.cm2.x86_64.rpm