[AUTO-CHERRYPICK] Patch curl for CVE-2024-9681 [Medium] - branch main (#12664)

Co-authored-by: bhagyapathak <bhagyapathak@users.noreply.github.com>

Author: CBL-Mariner-Bot

SPECS/curl/CVE-2024-9681.patch

@@ -0,0 +1,64 @@
+diff --git a/lib/hsts.c b/lib/hsts.c
+index a5e7676..69841a2 100644
+--- a/lib/hsts.c
++++ b/lib/hsts.c
+@@ -249,12 +249,14 @@ CURLcode Curl_hsts_parse(struct hsts *h, const char *hostname,
+ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
+                            bool subdomain)
+ {
++  struct stsentry *bestsub = NULL;
+   if(h) {
+     char buffer[MAX_HSTS_HOSTLEN + 1];
+     time_t now = time(NULL);
+     size_t hlen = strlen(hostname);
+     struct Curl_llist_element *e;
+     struct Curl_llist_element *n;
++    size_t blen = 0;
+ 
+     if((hlen > MAX_HSTS_HOSTLEN) || !hlen)
+       return NULL;
+@@ -279,15 +281,19 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
+         if(ntail < hlen) {
+           size_t offs = hlen - ntail;
+           if((hostname[offs-1] == '.') &&
+-             strncasecompare(&hostname[offs], sts->host, ntail))
+-            return sts;
++	    strncasecompare(&hostname[offs], sts->host, ntail) &&
++            (ntail > blen)) {
++              /* save the tail match with the longest tail */
++              bestsub = sts;
++              blen = ntail;
++          }
+         }
+       }
+       if(strcasecompare(hostname, sts->host))
+         return sts;
+     }
+   }
+-  return NULL; /* no match */
++  return bestsub; /* no match */
+ }
+ 
+ /*
+@@ -439,7 +445,7 @@ static CURLcode hsts_add(struct hsts *h, char *line)
+     e = Curl_hsts(h, p, subdomain);
+     if(!e)
+       result = hsts_create(h, p, subdomain, expires);
+-    else {
++    else if(strcasecompare(p, e->host)){
+       /* the same host name, use the largest expire time */
+       if(expires > e->expires)
+         e->expires = expires;
+diff --git a/tests/data/test1660 b/tests/data/test1660
+index f86126d..4b6f961 100644
+--- a/tests/data/test1660
++++ b/tests/data/test1660
+@@ -52,7 +52,7 @@ this.example [this.example]: 1548400797
+ Input 12: error 43
+ Input 13: error 43
+ Input 14: error 43
+-3.example.com [example.com]: 1569905261 includeSubDomains
++3.example.com [3.example.com]: 1569905261 includeSubDomains
+ 3.example.com [example.com]: 1569905261 includeSubDomains
+ foo.example.com [example.com]: 1569905261 includeSubDomains
+ 'foo.xample.com' is not HSTS

SPECS/curl/curl.spec

@@ -1,7 +1,7 @@
 Summary:        An URL retrieval utility and library
 Name:           curl
 Version:        8.8.0
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        curl
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -11,6 +11,7 @@ Source0:        https://curl.haxx.se/download/%{name}-%{version}.tar.gz
 Patch0:         CVE-2024-6197.patch
 Patch1:         CVE-2024-8096.patch
 Patch2:         CVE-2024-11053.patch
+Patch3:         CVE-2024-9681.patch
 BuildRequires:  krb5-devel
 BuildRequires:  libssh2-devel
 BuildRequires:  nghttp2-devel
@@ -88,6 +89,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %{_libdir}/libcurl.so.*
 
 %changelog
+* Wed Feb 26 2025 Bhagyashri Pathak <bhapathak@microsoft.com> - 8.8.0-5
+- Patch CVE-2024-9681
+
 * Wed Feb 12 2025 Mitch Zhu <mitchzhu@microsoft.com> - 8.8.0-4
 - Patch CVE-2024-11053
 

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -190,9 +190,9 @@ libssh2-1.9.0-4.cm2.aarch64.rpm
 libssh2-devel-1.9.0-4.cm2.aarch64.rpm
 krb5-1.19.4-3.cm2.aarch64.rpm
 nghttp2-1.57.0-2.cm2.aarch64.rpm
-curl-8.8.0-4.cm2.aarch64.rpm
-curl-devel-8.8.0-4.cm2.aarch64.rpm
-curl-libs-8.8.0-4.cm2.aarch64.rpm
+curl-8.8.0-5.cm2.aarch64.rpm
+curl-devel-8.8.0-5.cm2.aarch64.rpm
+curl-libs-8.8.0-5.cm2.aarch64.rpm
 createrepo_c-0.17.5-1.cm2.aarch64.rpm
 libxml2-2.10.4-6.cm2.aarch64.rpm
 libxml2-devel-2.10.4-6.cm2.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -190,9 +190,9 @@ libssh2-1.9.0-4.cm2.x86_64.rpm
 libssh2-devel-1.9.0-4.cm2.x86_64.rpm
 krb5-1.19.4-3.cm2.x86_64.rpm
 nghttp2-1.57.0-2.cm2.x86_64.rpm
-curl-8.8.0-4.cm2.x86_64.rpm
-curl-devel-8.8.0-4.cm2.x86_64.rpm
-curl-libs-8.8.0-4.cm2.x86_64.rpm
+curl-8.8.0-5.cm2.x86_64.rpm
+curl-devel-8.8.0-5.cm2.x86_64.rpm
+curl-libs-8.8.0-5.cm2.x86_64.rpm
 createrepo_c-0.17.5-1.cm2.x86_64.rpm
 libxml2-2.10.4-6.cm2.x86_64.rpm
 libxml2-devel-2.10.4-6.cm2.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -46,10 +46,10 @@ cracklib-lang-2.9.7-5.cm2.aarch64.rpm
 createrepo_c-0.17.5-1.cm2.aarch64.rpm
 createrepo_c-debuginfo-0.17.5-1.cm2.aarch64.rpm
 createrepo_c-devel-0.17.5-1.cm2.aarch64.rpm
-curl-8.8.0-4.cm2.aarch64.rpm
-curl-debuginfo-8.8.0-4.cm2.aarch64.rpm
-curl-devel-8.8.0-4.cm2.aarch64.rpm
-curl-libs-8.8.0-4.cm2.aarch64.rpm
+curl-8.8.0-5.cm2.aarch64.rpm
+curl-debuginfo-8.8.0-5.cm2.aarch64.rpm
+curl-devel-8.8.0-5.cm2.aarch64.rpm
+curl-libs-8.8.0-5.cm2.aarch64.rpm
 Cython-debuginfo-0.29.33-2.cm2.aarch64.rpm
 debugedit-5.0-2.cm2.aarch64.rpm
 debugedit-debuginfo-5.0-2.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -49,10 +49,10 @@ createrepo_c-debuginfo-0.17.5-1.cm2.x86_64.rpm
 createrepo_c-devel-0.17.5-1.cm2.x86_64.rpm
 cross-binutils-common-2.37-13.cm2.noarch.rpm
 cross-gcc-common-11.2.0-8.cm2.noarch.rpm
-curl-8.8.0-4.cm2.x86_64.rpm
-curl-debuginfo-8.8.0-4.cm2.x86_64.rpm
-curl-devel-8.8.0-4.cm2.x86_64.rpm
-curl-libs-8.8.0-4.cm2.x86_64.rpm
+curl-8.8.0-5.cm2.x86_64.rpm
+curl-debuginfo-8.8.0-5.cm2.x86_64.rpm
+curl-devel-8.8.0-5.cm2.x86_64.rpm
+curl-libs-8.8.0-5.cm2.x86_64.rpm
 Cython-debuginfo-0.29.33-2.cm2.x86_64.rpm
 debugedit-5.0-2.cm2.x86_64.rpm
 debugedit-debuginfo-5.0-2.cm2.x86_64.rpm