[AUTO-CHERRYPICK] [Medium] patch mysql to fix CVE-2024-9681 - branch main (#12156)

CBL-Mariner-Bot · jykanase · web-flow · commit fff806338d5f · 2025-02-02T10:10:31.000-05:00
Co-authored-by: jykanase &lt;v-jykanase@microsoft.com&gt;
diff --git a/SPECS/mysql/CVE-2024-9681.patch b/SPECS/mysql/CVE-2024-9681.patch
@@ -0,0 +1,64 @@
+From 2f9a68a817e71e9ec40a2fc17269eb9367aa520a Mon Sep 17 00:00:00 2001
+From: jykanase <v-jykanase@microsoft.com>
+Date: Sun, 26 Jan 2025 14:06:42 +0000
+Subject: [PATCH] CVE-2024-9681
+
+Backported form: https://github.com/curl/curl/commit/a94973805df96269bf
+---
+ extra/curl/curl-8.9.1/lib/hsts.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/extra/curl/curl-8.9.1/lib/hsts.c b/extra/curl/curl-8.9.1/lib/hsts.c
+index 8cd77ae3..6e2599b1 100644
+--- a/extra/curl/curl-8.9.1/lib/hsts.c
++++ b/extra/curl/curl-8.9.1/lib/hsts.c
+@@ -249,12 +249,14 @@ CURLcode Curl_hsts_parse(struct hsts *h, const char *hostname,
+ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
+                            bool subdomain)
+ {
++  struct stsentry *bestsub = NULL;
+   if(h) {
+     char buffer[MAX_HSTS_HOSTLEN + 1];
+     time_t now = time(NULL);
+     size_t hlen = strlen(hostname);
+     struct Curl_llist_element *e;
+     struct Curl_llist_element *n;
++    size_t blen = 0;
+ 
+     if((hlen > MAX_HSTS_HOSTLEN) || !hlen)
+       return NULL;
+@@ -279,15 +281,19 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
+         if(ntail < hlen) {
+           size_t offs = hlen - ntail;
+           if((hostname[offs-1] == '.') &&
+-             strncasecompare(&hostname[offs], sts->host, ntail))
+-            return sts;
++             strncasecompare(&hostname[offs], sts->host, ntail) &&
++             (ntail > blen)) {
++            /* save the tail match with the longest tail */
++            bestsub = sts;
++            blen = ntail;
++          }
+         }
+       }
+       if(strcasecompare(hostname, sts->host))
+         return sts;
+     }
+   }
+-  return NULL; /* no match */
++  return bestsub;
+ }
+ 
+ /*
+@@ -439,7 +445,7 @@ static CURLcode hsts_add(struct hsts *h, char *line)
+     e = Curl_hsts(h, p, subdomain);
+     if(!e)
+       result = hsts_create(h, p, subdomain, expires);
+-    else {
++    else if(strcasecompare(p, e->host)) {
+       /* the same hostname, use the largest expire time */
+       if(expires > e->expires)
+         e->expires = expires;
+-- 
+2.45.2
+
diff --git a/SPECS/mysql/mysql.spec b/SPECS/mysql/mysql.spec
@@ -1,7 +1,7 @@
 Summary:        MySQL.
 Name:           mysql
 Version:        8.0.40
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        GPLv2 with exceptions AND LGPLv2 AND BSD
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -15,6 +15,7 @@ Patch1:         CVE-2024-2410.patch
 # AZL's OpenSSL builds with the "no-chacha" option making all ChaCha
 # ciphers unavailable.
 Patch2:         fix-tests-for-unsupported-chacha-ciphers.patch
+Patch3:         CVE-2024-9681.patch
 BuildRequires:  cmake
 BuildRequires:  libtirpc-devel
 BuildRequires:  openssl-devel
@@ -114,6 +115,9 @@ fi
 %{_libdir}/pkgconfig/mysqlclient.pc
 
 %changelog
+* Thu Jan 30 2025 Jyoti Kanase <v-jykanase@microsoft.com> - 8.0.40-3
+- Fix CVE-2024-9681
+
 * Tue Oct 29 2024 Pawel Winogrodzki <pawelwi@microsoft.com> - 8.0.40-2
 - Patched CVE-2024-2410.
 
