[AUTO-CHERRYPICK] cmake: Patch CVE-2024-2398, CVE-2024-7264 in bundled curl and CVE-2024-28182 in bundled nghttp2 - branch main (#11231)

Co-authored-by: Vince Perri <5596945+vinceaperri@users.noreply.github.com>

Author: CBL-Mariner-Bot

SPECS/cmake/CVE-2024-2398.patch

@@ -0,0 +1,94 @@
+From c9adb2114e9d9d4a50ff273234c2a1f8518aafd1 Mon Sep 17 00:00:00 2001
+From: Vince Perri <5596945+vinceaperri@users.noreply.github.com>
+Date: Wed, 20 Nov 2024 22:38:53 +0000
+Subject: [PATCH] http2: push headers better cleanup
+
+Original patch: https://github.com/curl/curl/commit/deca8039991886a559b67bcd6
+---
+ Utilities/cmcurl/lib/http2.c | 34 +++++++++++++++-------------------
+ 1 file changed, 15 insertions(+), 19 deletions(-)
+
+diff --git a/Utilities/cmcurl/lib/http2.c b/Utilities/cmcurl/lib/http2.c
+index f194c18b..50b8cd54 100644
+--- a/Utilities/cmcurl/lib/http2.c
++++ b/Utilities/cmcurl/lib/http2.c
+@@ -116,6 +116,15 @@ static int http2_getsock(struct Curl_easy *data,
+   return bitmap;
+ }
+ 
++static void free_push_headers(struct HTTP *stream)
++{
++  size_t i;
++  for(i = 0; i<stream->push_headers_used; i++)
++    free(stream->push_headers[i]);
++  Curl_safefree(stream->push_headers);
++  stream->push_headers_used = 0;
++}
++
+ /*
+  * http2_stream_free() free HTTP2 stream related data
+  */
+@@ -123,11 +132,7 @@ static void http2_stream_free(struct HTTP *http)
+ {
+   if(http) {
+     Curl_dyn_free(&http->header_recvbuf);
+-    for(; http->push_headers_used > 0; --http->push_headers_used) {
+-      free(http->push_headers[http->push_headers_used - 1]);
+-    }
+-    free(http->push_headers);
+-    http->push_headers = NULL;
++    free_push_headers(http);
+   }
+ }
+ 
+@@ -559,7 +564,6 @@ static int push_promise(struct Curl_easy *data,
+     struct curl_pushheaders heads;
+     CURLMcode rc;
+     struct http_conn *httpc;
+-    size_t i;
+     /* clone the parent */
+     struct Curl_easy *newhandle = duphandle(data);
+     if(!newhandle) {
+@@ -595,11 +599,7 @@ static int push_promise(struct Curl_easy *data,
+     Curl_set_in_callback(data, false);
+ 
+     /* free the headers again */
+-    for(i = 0; i<stream->push_headers_used; i++)
+-      free(stream->push_headers[i]);
+-    free(stream->push_headers);
+-    stream->push_headers = NULL;
+-    stream->push_headers_used = 0;
++    free_push_headers(stream);
+ 
+     if(rv) {
+       DEBUGASSERT((rv > CURL_PUSH_OK) && (rv <= CURL_PUSH_ERROROUT));
+@@ -1033,10 +1033,10 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame,
+             stream->push_headers_alloc) {
+       char **headp;
+       stream->push_headers_alloc *= 2;
+-      headp = Curl_saferealloc(stream->push_headers,
+-                               stream->push_headers_alloc * sizeof(char *));
++      headp = realloc(stream->push_headers,
++                      stream->push_headers_alloc * sizeof(char *));
+       if(!headp) {
+-        stream->push_headers = NULL;
++        free_push_headers(stream);
+         return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+       }
+       stream->push_headers = headp;
+@@ -1204,11 +1204,7 @@ void Curl_http2_done(struct Curl_easy *data, bool premature)
+   Curl_dyn_free(&http->trailer_recvbuf);
+   if(http->push_headers) {
+     /* if they weren't used and then freed before */
+-    for(; http->push_headers_used > 0; --http->push_headers_used) {
+-      free(http->push_headers[http->push_headers_used - 1]);
+-    }
+-    free(http->push_headers);
+-    http->push_headers = NULL;
++    free_push_headers(http);
+   }
+ 
+   if(!(data->conn->handler->protocol&PROTO_FAMILY_HTTP) ||
+-- 
+2.34.1
+

SPECS/cmake/CVE-2024-28182.patch

@@ -0,0 +1,108 @@
+From 875373fb67097281d4a4ff461e531b9bef947818 Mon Sep 17 00:00:00 2001
+From: Vince Perri <5596945+vinceaperri@users.noreply.github.com>
+Date: Thu, 21 Nov 2024 14:11:36 +0000
+Subject: [PATCH] Limit CONTINUATION frames following an incoming HEADER frame
+
+Original patch: https://github.com/nghttp2/nghttp2/commit/00201ecd8f982da3b67d4f6868af72a1b03b14e0
+---
+ Utilities/cmnghttp2/lib/includes/nghttp2/nghttp2.h |  7 ++++++-
+ Utilities/cmnghttp2/lib/nghttp2_helper.c           |  2 ++
+ Utilities/cmnghttp2/lib/nghttp2_session.c          |  8 ++++++++
+ Utilities/cmnghttp2/lib/nghttp2_session.h          | 10 ++++++++++
+ 4 files changed, 26 insertions(+), 1 deletion(-)
+
+diff --git a/Utilities/cmnghttp2/lib/includes/nghttp2/nghttp2.h b/Utilities/cmnghttp2/lib/includes/nghttp2/nghttp2.h
+index e4e1d4fc..a140199a 100644
+--- a/Utilities/cmnghttp2/lib/includes/nghttp2/nghttp2.h
++++ b/Utilities/cmnghttp2/lib/includes/nghttp2/nghttp2.h
+@@ -428,7 +428,12 @@ typedef enum {
+    * exhaustion on server side to send these frames forever and does
+    * not read network.
+    */
+-  NGHTTP2_ERR_FLOODED = -904
++  NGHTTP2_ERR_FLOODED = -904,
++  /**
++   * When a local endpoint receives too many CONTINUATION frames
++   * following a HEADER frame.
++   */
++  NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905,
+ } nghttp2_error;
+ 
+ /**
+diff --git a/Utilities/cmnghttp2/lib/nghttp2_helper.c b/Utilities/cmnghttp2/lib/nghttp2_helper.c
+index 91136a61..f150ab54 100644
+--- a/Utilities/cmnghttp2/lib/nghttp2_helper.c
++++ b/Utilities/cmnghttp2/lib/nghttp2_helper.c
+@@ -334,6 +334,8 @@ const char *nghttp2_strerror(int error_code) {
+   case NGHTTP2_ERR_FLOODED:
+     return "Flooding was detected in this HTTP/2 session, and it must be "
+            "closed";
++  case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS:
++    return "Too many CONTINUATION frames following a HEADER frame";
+   default:
+     return "Unknown error code";
+   }
+diff --git a/Utilities/cmnghttp2/lib/nghttp2_session.c b/Utilities/cmnghttp2/lib/nghttp2_session.c
+index a3c0b708..f02e3f95 100644
+--- a/Utilities/cmnghttp2/lib/nghttp2_session.c
++++ b/Utilities/cmnghttp2/lib/nghttp2_session.c
+@@ -463,6 +463,7 @@ static int session_new(nghttp2_session **session_ptr,
+ 
+   (*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;
+   (*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
++  (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS;
+ 
+   if (option) {
+     if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
+@@ -6297,6 +6298,8 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+           }
+         }
+         session_inbound_frame_reset(session);
++
++        session->num_continuations = 0;
+       }
+       break;
+     }
+@@ -6418,6 +6421,11 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+       }
+ #endif /* DEBUGBUILD */
+ 
++ 
++      if (++session->num_continuations > session->max_continuations) {
++        return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS;
++      }
++
+       readlen = inbound_frame_buf_read(iframe, in, last);
+       in += readlen;
+ 
+diff --git a/Utilities/cmnghttp2/lib/nghttp2_session.h b/Utilities/cmnghttp2/lib/nghttp2_session.h
+index b75294c3..f53acac7 100644
+--- a/Utilities/cmnghttp2/lib/nghttp2_session.h
++++ b/Utilities/cmnghttp2/lib/nghttp2_session.h
+@@ -107,6 +107,10 @@ typedef struct {
+ #define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000
+ #define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33
+ 
++/* The default max number of CONTINUATION frames following an incoming
++   HEADER frame. */
++#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8
++
+ /* Internal state when receiving incoming frame */
+ typedef enum {
+   /* Receiving frame header */
+@@ -277,6 +281,12 @@ struct nghttp2_session {
+   /* The maximum length of header block to send.  Calculated by the
+      same way as nghttp2_hd_deflate_bound() does. */
+   size_t max_send_header_block_length;
++  /* The maximum number of CONTINUATION frames following an incoming
++     HEADER frame. */
++  size_t max_continuations;
++  /* The number of CONTINUATION frames following an incoming HEADER
++     frame.  This variable is reset when END_HEADERS flag is seen. */
++  size_t num_continuations;
+   /* Next Stream ID. Made unsigned int to detect >= (1 << 31). */
+   uint32_t next_stream_id;
+   /* The last stream ID this session initiated.  For client session,
+-- 
+2.34.1
+

SPECS/cmake/CVE-2024-7264.patch

@@ -0,0 +1,121 @@
+From e5daecf74dd60974e7ae91e432032e6cfdaaf15e Mon Sep 17 00:00:00 2001
+From: Vince Perri <5596945+vinceaperri@users.noreply.github.com>
+Date: Thu, 21 Nov 2024 14:52:49 +0000
+Subject: [PATCH 1/2] x509asn1: clean up GTime2str
+
+Original patch: https://github.com/curl/curl/commit/3c914bc680155b321
+---
+ Utilities/cmcurl/lib/x509asn1.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/Utilities/cmcurl/lib/x509asn1.c b/Utilities/cmcurl/lib/x509asn1.c
+index 281c9724..b1160102 100644
+--- a/Utilities/cmcurl/lib/x509asn1.c
++++ b/Utilities/cmcurl/lib/x509asn1.c
+@@ -469,7 +469,7 @@ static const char *GTime2str(const char *beg, const char *end)
+   /* Convert an ASN.1 Generalized time to a printable string.
+      Return the dynamically allocated string, or NULL if an error occurs. */
+ 
+-  for(fracp = beg; fracp < end && *fracp >= '0' && *fracp <= '9'; fracp++)
++  for(fracp = beg; fracp < end && ISDIGIT(*fracp); fracp++)
+     ;
+ 
+   /* Get seconds digits. */
+@@ -488,17 +488,22 @@ static const char *GTime2str(const char *beg, const char *end)
+     return NULL;
+   }
+ 
+-  /* Scan for timezone, measure fractional seconds. */
++  /* timezone follows optional fractional seconds. */
+   tzp = fracp;
+-  fracl = 0;
++  fracl = 0; /* no fractional seconds detected so far */
+   if(fracp < end && (*fracp == '.' || *fracp == ',')) {
+-    fracp++;
+-    do
++    /* Have fractional seconds, e.g. "[.,]\d+". How many? */
++    tzp = fracp++; /* should be a digit char or BAD ARGUMENT */
++    while(tzp < end && ISDIGIT(*tzp))
+       tzp++;
+-    while(tzp < end && *tzp >= '0' && *tzp <= '9');
+-    /* Strip leading zeroes in fractional seconds. */
+-    for(fracl = tzp - fracp - 1; fracl && fracp[fracl - 1] == '0'; fracl--)
+-      ;
++    if(tzp == fracp) /* never looped, no digit after [.,] */
++      return CURLE_BAD_FUNCTION_ARGUMENT;
++    fracl = tzp - fracp - 1; /* number of fractional sec digits */
++    DEBUGASSERT(fracl > 0);
++    /* Strip trailing zeroes in fractional seconds.
++     * May reduce fracl to 0 if only '0's are present. */
++    while(fracl && fracp[fracl - 1] == '0')
++      fracl--;
+   }
+ 
+   /* Process timezone. */
+-- 
+2.34.1
+
+From 13e627cf5b98be84a8cead6e4518932dba7f2cb7 Mon Sep 17 00:00:00 2001
+From: Vince Perri <5596945+vinceaperri@users.noreply.github.com>
+Date: Thu, 21 Nov 2024 15:02:39 +0000
+Subject: [PATCH 2/2] x509asn1: fixes for gtime2str
+
+Original patch: https://github.com/curl/curl/commit/27959ecce75cdb2
+---
+ Utilities/cmcurl/lib/x509asn1.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/Utilities/cmcurl/lib/x509asn1.c b/Utilities/cmcurl/lib/x509asn1.c
+index b1160102..ceb03e2a 100644
+--- a/Utilities/cmcurl/lib/x509asn1.c
++++ b/Utilities/cmcurl/lib/x509asn1.c
+@@ -493,12 +493,13 @@ static const char *GTime2str(const char *beg, const char *end)
+   fracl = 0; /* no fractional seconds detected so far */
+   if(fracp < end && (*fracp == '.' || *fracp == ',')) {
+     /* Have fractional seconds, e.g. "[.,]\d+". How many? */
+-    tzp = fracp++; /* should be a digit char or BAD ARGUMENT */
++    fracp++; /* should be a digit char or BAD ARGUMENT */
++    tzp = fracp;
+     while(tzp < end && ISDIGIT(*tzp))
+       tzp++;
+     if(tzp == fracp) /* never looped, no digit after [.,] */
+       return CURLE_BAD_FUNCTION_ARGUMENT;
+-    fracl = tzp - fracp - 1; /* number of fractional sec digits */
++    fracl = tzp - fracp; /* number of fractional sec digits */
+     DEBUGASSERT(fracl > 0);
+     /* Strip trailing zeroes in fractional seconds.
+      * May reduce fracl to 0 if only '0's are present. */
+@@ -507,18 +508,24 @@ static const char *GTime2str(const char *beg, const char *end)
+   }
+ 
+   /* Process timezone. */
+-  if(tzp >= end)
+-    ;           /* Nothing to do. */
++  if(tzp >= end) {
++    tzp = "";
++    tzl = 0;
++  }
+   else if(*tzp == 'Z') {
+-    tzp = " GMT";
+-    end = tzp + 4;
++    sep = " ";
++    tzp = "GMT";
++    tzl = 3;
++  }
++  else if((*tzp == '+') || (*tzp == '-')) {
++    sep = " UTC";
++    tzl = end - tzp;
+   }
+   else {
+     sep = " ";
+-    tzp++;
++    tzl = end - tzp;
+   }
+ 
+-  tzl = end - tzp;
+   return curl_maprintf("%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s",
+                        beg, beg + 4, beg + 6,
+                        beg + 8, beg + 10, sec1, sec2,
+-- 
+2.34.1
+

SPECS/cmake/cmake.spec

@@ -2,7 +2,7 @@
 Summary:        Cmake
 Name:           cmake
 Version:        3.21.4
-Release:        13%{?dist}
+Release:        14%{?dist}
 License:        BSD AND LGPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -29,6 +29,9 @@ Patch14:        CVE-2023-27538.patch
 Patch15:        CVE-2023-27535.patch
 Patch16:        CVE-2023-23916.patch
 Patch17:        CVE-2023-46218.patch
+Patch18:        CVE-2024-2398.patch
+Patch19:        CVE-2024-28182.patch
+Patch20:        CVE-2024-7264.patch
 BuildRequires:  bzip2
 BuildRequires:  bzip2-devel
 BuildRequires:  curl
@@ -94,6 +97,10 @@ bin/ctest --force-new-ctest-process --rerun-failed --output-on-failure
 %{_prefix}/doc/%{name}-*/*
 
 %changelog
+* Thu Nov 21 2024 Vince Perri <viperri@microsoft.com> - 3.21.4-14
+- Patch CVE-2024-2398 and CVE-2024-7264 (bundled curl)
+- Patch CVE-2024-28182 (bundled nghttp2)
+
 * Thu Nov 14 2024 Sharath Srikanth Chellappa <sharathsr@microsoft.com> - 3.21.4-13
 - Patch CVE-2022-43552, CVE-2023-27536, CVE-2023-27535, CVE-2023-27538, CVE-2023-23916 and CVE-2023-46218.
 

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -30,8 +30,8 @@ check-debuginfo-0.15.2-1.cm2.aarch64.rpm
 chkconfig-1.20-4.cm2.aarch64.rpm
 chkconfig-debuginfo-1.20-4.cm2.aarch64.rpm
 chkconfig-lang-1.20-4.cm2.aarch64.rpm
-cmake-3.21.4-13.cm2.aarch64.rpm
-cmake-debuginfo-3.21.4-13.cm2.aarch64.rpm
+cmake-3.21.4-14.cm2.aarch64.rpm
+cmake-debuginfo-3.21.4-14.cm2.aarch64.rpm
 coreutils-8.32-7.cm2.aarch64.rpm
 coreutils-debuginfo-8.32-7.cm2.aarch64.rpm
 coreutils-lang-8.32-7.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -31,8 +31,8 @@ check-debuginfo-0.15.2-1.cm2.x86_64.rpm
 chkconfig-1.20-4.cm2.x86_64.rpm
 chkconfig-debuginfo-1.20-4.cm2.x86_64.rpm
 chkconfig-lang-1.20-4.cm2.x86_64.rpm
-cmake-3.21.4-13.cm2.x86_64.rpm
-cmake-debuginfo-3.21.4-13.cm2.x86_64.rpm
+cmake-3.21.4-14.cm2.x86_64.rpm
+cmake-debuginfo-3.21.4-14.cm2.x86_64.rpm
 coreutils-8.32-7.cm2.x86_64.rpm
 coreutils-debuginfo-8.32-7.cm2.x86_64.rpm
 coreutils-lang-8.32-7.cm2.x86_64.rpm