From 945e8d91920e674c72d724b26975f13fc029553d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Sun, 29 Sep 2024 16:03:18 +0200
Subject: [PATCH 1/4] Move the autoreconf invocation to %build section
The %prep section is supposed to extract and possibly patch the sources. In particular, the code provided by the package should not be called here, but only in %build section. This keeps %prep quick and allows the code provided by upstream to be inspected before running it. Also drop space after the redirection operator to match the style elsewhere in the spec file. Having symmetrical whitespace around the operator makes it look like a binary operator, which it very much is not.
---
 curl.spec | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/curl.spec b/curl.spec
index 174562f..989b981 100644
--- a/curl.spec
+++ b/curl.spec
@@ -218,7 +218,7 @@ be installed.
 # disable test 1801
 #
-printf "1801\n" >> tests/data/DISABLED
+printf "1801\n" >>tests/data/DISABLED
 # test3026: avoid pthread_create() failure due to resource exhaustion on i386
 %ifarch %{ix86}
@@ -238,10 +238,10 @@ sed -e 's|^35$|35,52|' -i tests/data/test323
 eval "$cmd"
 )
+%build
 # regenerate the configure script and Makefile.in files
 autoreconf -fiv
-%build
 mkdir build-{full,minimal}
 export common_configure_opts=" \
 --cache-file=../config.cache \
From 2f5735841aaabae90cb6249decb2d4501fa87cfd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Sun, 29 Sep 2024 16:10:22 +0200
Subject: [PATCH 2/4] Make curl-config arch-independent
The final /usr/bin/curl-config file had a comment like "prefix=/usr # used in /usr/lib64" or "prefix=/usr # used in /usr/lib", depending on the arch. This causes the following error on upgrades from f40 for people who have both libcurl-devel.i686 and libcurl-devel.x86_64 installed: Transaction failed: Rpm transaction failed. - file /usr/bin/curl-config conflicts between attempted installs of libcurl-devel-8.9.1-2.fc41.i686 and libcurl-devel-8.9.1-2.fc41.x86_64 The comment is actually not useful at all after the variable is expanded, since it's not clear what is meant by "used in /usr/lib64". Just drop it. With this change, the packages are constinstallable again.
---
 curl.spec | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/curl.spec b/curl.spec
index 989b981..cb1eccd 100644
--- a/curl.spec
+++ b/curl.spec
@@ -238,6 +238,10 @@ sed -e 's|^35$|35,52|' -i tests/data/test323
 eval "$cmd"
 )
+# avoid unnecessary arch-dependent line in the processed file
+sed -e '/# Used in @libdir@/d' \
+ -i curl-config.in
+
 %build
 # regenerate the configure script and Makefile.in files
 autoreconf -fiv
From 8e911d564bccb29fe49658ce693ae16847f80212 Mon Sep 17 00:00:00 2001
From: Jan Macku
Date: Thu, 12 Dec 2024 09:17:41 +0100
Subject: [PATCH 3/4] Resolves: CVE-2024-9681 - fix HSTS subdomain overwrites parent cache entry
---
 0002-curl-8.10.1-CVE-2024-9681.patch | 115 +++++++++++++++++++++++++++
 curl.spec | 16 ++--
 2 files changed, 126 insertions(+), 5 deletions(-)
 create mode 100644 0002-curl-8.10.1-CVE-2024-9681.patch
diff --git a/0002-curl-8.10.1-CVE-2024-9681.patch b/0002-curl-8.10.1-CVE-2024-9681.patch
new file mode 100644
index 0000000..9dff16d
--- /dev/null
+++ b/0002-curl-8.10.1-CVE-2024-9681.patch
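Review bot: The added `sed -e '/# Used in @libdir@/d' -i curl-config.in` succeeds whether or not the pattern matches, so if a future upstream release rewords or moves that comment the arch-dependent line, and with it the libcurl-devel file conflict this commit fixes, comes back without any build-time signal. A one-line guard before the sed, `grep -q '# Used in @libdir@' curl-config.in`, turns that into a hard %prep failure that the packager sees on the next rebase. Keeping the edit in %prep is consistent with the previous commit's rationale, since the sed is packager code rather than upstream's.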
@@ -0,0 +1,115 @@
+From dd2859d77ddaf29516b8dce300b0b1fd4839d3f5 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Tue, 8 Oct 2024 11:20:40 +0200
+Subject: [PATCH] hsts: avoid the local buffer and memcpy on lookup
+
+Closes #15190
+
+(cherry picked from commit 60d8663afb0fb7f113604404c50840dfe9320039)
+
+hsts: improve subdomain handling
+
+- on load, only replace existing HSTS entries if there is a full host
+ match
+
+- on matching, prefer a full host match and secondary the longest tail
+ subdomain match
+
+Closes #15210
+
+(cherry picked from commit a94973805df96269bf3f3bf0a20ccb9887313316)
+---
+ lib/hsts.c | 30 ++++++++++++++++--------------
+ tests/data/test1660 | 2 +-
+ 2 files changed, 17 insertions(+), 15 deletions(-)
+
+diff --git a/lib/hsts.c b/lib/hsts.c
+index 8cd77ae3c..b4cced857 100644
+--- a/lib/hsts.c
++++ b/lib/hsts.c
+@@ -249,24 +249,23 @@ CURLcode Curl_hsts_parse(struct hsts *h, const char *hostname,
+ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
+ bool subdomain)
+ {
++ struct stsentry *bestsub = NULL;
+ if(h) {
+- char buffer[MAX_HSTS_HOSTLEN + 1];
+ time_t now = time(NULL);
+ size_t hlen = strlen(hostname);
+ struct Curl_llist_element *e;
+ struct Curl_llist_element *n;
++ size_t blen = 0;
+
+ if((hlen > MAX_HSTS_HOSTLEN) || !hlen)
+ return NULL;
+- memcpy(buffer, hostname, hlen);
+ if(hostname[hlen-1] == '.')
+ /* remove the trailing dot */
+ --hlen;
+- buffer[hlen] = 0;
+- hostname = buffer;
+
+ for(e = h->list.head; e; e = n) {
+ struct stsentry *sts = e->ptr;
++ size_t ntail;
+ n = e->next;
+ if(sts->expires <= now) {
+ /* remove expired entries */
+@@ -274,20 +273,23 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
+ hsts_free(sts);
+ continue;
+ }
+- if(subdomain && sts->includeSubDomains) {
+- size_t ntail = strlen(sts->host);
+- if(ntail < hlen) {
+- size_t offs = hlen - ntail;
+- if((hostname[offs-1] == '.') &&
+- strncasecompare(&hostname[offs], sts->host, ntail))
+- return sts;
++ ntail = strlen(sts->host);
++ if((subdomain && sts->includeSubDomains) && (ntail < hlen)) {
++ size_t offs = hlen - ntail;
++ if((hostname[offs-1] == '.') &&
++ strncasecompare(&hostname[offs], sts->host, ntail) &&
++ (ntail > blen)) {
++ /* save the tail match with the longest tail */
++ bestsub = sts;
++ blen = ntail;
+ }
+ }
+- if(strcasecompare(hostname, sts->host))
++ /* avoid strcasecompare because the host name is not null terminated */
++ if((hlen == ntail) && strncasecompare(hostname, sts->host, hlen))
+ return sts;
+ }
+ }
+- return NULL; /* no match */
++ return bestsub;
+ }
+
+ /*
+@@ -439,7 +441,7 @@ static CURLcode hsts_add(struct hsts *h, char *line)
+ e = Curl_hsts(h, p, subdomain);
+ if(!e)
+ result = hsts_create(h, p, subdomain, expires);
+- else {
++ else if(strcasecompare(p, e->host)) {
+ /* the same hostname, use the largest expire time */
+ if(expires > e->expires)
+ e->expires = expires;
+diff --git a/tests/data/test1660 b/tests/data/test1660
+index f86126d19..4b6f9615c 100644
+--- a/tests/data/test1660
++++ b/tests/data/test1660
+@@ -52,7 +52,7 @@ this.example [this.example]: 1548400797
+ Input 12: error 43
+ Input 13: error 43
+ Input 14: error 43
+-3.example.com [example.com]: 1569905261 includeSubDomains
++3.example.com [3.example.com]: 1569905261 includeSubDomains
+ 3.example.com [example.com]: 1569905261 includeSubDomains
+ foo.example.com [example.com]: 1569905261 includeSubDomains
+ 'foo.xample.com' is not HSTS
+--
+2.47.1
+
diff --git a/curl.spec b/curl.spec
index cb1eccd..a310d42 100644
--- a/curl.spec
+++ b/curl.spec
@@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 8.9.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: curl
 Source0: https://curl.se/download/%{name}-%{version}.tar.xz
 Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
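Review bot: In the `hsts_add` hunk at the end of the lib/hsts.c part of the patch, a loaded entry whose host has no exact match but sits under an existing includeSubDomains parent is now neither updated nor created: the rewritten `Curl_hsts` returns `bestsub` in that case, so `!e` is false and the new `else if(strcasecompare(p, e->host))` is false too, and unless a branch after the hunk handles it (the `else if` block closes outside the hunk) that host's own expiry and flag are silently dropped from the loaded cache. Not touching the parent entry is exactly what CVE-2024-9681 requires, but losing the subdomain's own, possibly longer, expiry shortens its HSTS coverage to the parent's lifetime, and the test1660 update in this patch does not visibly cover the file-load path. If dropping is intended, a comment such as `/* covered by a parent includeSubDomains entry: keep the parent, do not merge */` would make that explicit; if not, a trailing `else result = hsts_create(h, p, subdomain, expires);` creates the subdomain's own entry without overwriting the parent. This is upstream code backported verbatim, so whichever way it goes, the change belongs upstream first and the patch file should follow it.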
@@ -16,6 +16,13 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
 # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc
 Source2: mykey.asc
+# fix crashes with transmission due to SIGPIPE
+# https://github.com/curl/curl/commit/3eec5afbd0b6377eca893c392569b2faf094d970
+Patch001: 0001-curl-8.9.1-sigpipe.patch
+
+# fix HSTS subdomain overwrites parent cache entry (CVE-2024-9681)
+Patch002: 0002-curl-8.10.1-CVE-2024-9681.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
@@ -25,10 +32,6 @@ Patch102: 0102-curl-7.84.0-test3026.patch
 # do not fail on warnings in the upstream test driver
 Patch104: 0104-curl-7.88.0-tests-warnings.patch
-# Fix crashes with transmission due to SIGPIPE
-# https://github.com/curl/curl/commit/3eec5afbd0b6377eca893c392569b2faf094d970
-Patch001: 0001-curl-8.9.1-sigpipe.patch
-
 Provides: curl-full = %{version}-%{release}
 # do not fail when trying to install curl-minimal after drop
 Provides: curl-minimal = %{version}-%{release}
@@ -412,6 +415,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 %changelog
+* Thu Dec 12 2024 Jan Macku - 8.9.1-3
+- fix HSTS subdomain overwrites parent cache entry (CVE-2024-9681)
+
 * Mon Aug 5 2024 voidanix - 8.9.1-2
 - Apply SIGPIPE-related patch due to upstream regression
From 0070f1ed4998a28c2e7a2789aeee96d60dec6dfc Mon Sep 17 00:00:00 2001
From: Jan Macku
Date: Wed, 17 Sep 2025 13:26:24 +0200
Subject: [PATCH 4/4] Resolves: CVE-2025-9086 - Out of bounds read for cookie path
---
 0003-curl-8.9.1-CVE-2025-9086.patch | 53 +++++++++++++++++++++++++++++
 curl.spec | 8 ++++-
 2 files changed, 60 insertions(+), 1 deletion(-)
 create mode 100644 0003-curl-8.9.1-CVE-2025-9086.patch
diff --git a/0003-curl-8.9.1-CVE-2025-9086.patch b/0003-curl-8.9.1-CVE-2025-9086.patch
new file mode 100644
index 0000000..a5e486b
--- /dev/null
+++ b/0003-curl-8.9.1-CVE-2025-9086.patch
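Review bot: The new `Patch002` comment at the top of the hunk names the CVE but not where the fix comes from, while the `Patch001` comment two lines above it carries the upstream commit URL, so the two entries read differently and checking the backport against upstream means opening the patch file. The patch file itself says it cherry-picks two upstream commits, so `# https://github.com/curl/curl/commit/60d8663afb0fb7f113604404c50840dfe9320039` and `# https://github.com/curl/curl/commit/a94973805df96269bf3f3bf0a20ccb9887313316` above `Patch002:` would make the provenance checkable from the spec alone. The `Patch003` comment added in the fourth patch of this series has the same gap and could carry `# https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb62b45dd37711300` in the same way.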
@@ -0,0 +1,53 @@
+From 5dd433a190c1003bd78cc5a3e9f8a5827cd97516 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Mon, 11 Aug 2025 20:23:05 +0200
+Subject: [PATCH] cookie: don't treat the leading slash as trailing
+
+If there is only a leading slash in the path, keep that. Also add an
+assert to make sure the path is never blank.
+
+Reported-by: Google Big Sleep
+Closes #18266
+
+(cherry picked from commit c6ae07c6a541e0e96d0040afb62b45dd37711300)
+---
+ lib/cookie.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index b0d8d84be..1db308372 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -317,7 +317,7 @@ static char *sanitize_cookie_path(const char *cookie_path)
+ }
+
+ /* convert /hoge/ to /hoge */
+- if(len && new_path[len - 1] == '/') {
++ if(len > 1 && new_path[len - 1] == '/') {
+ new_path[len - 1] = 0x0;
+ }
+
+@@ -1076,7 +1076,7 @@ Curl_cookie_add(struct Curl_easy *data,
+ clist->spath && co->spath && /* both have paths */
+ clist->secure && !co->secure && !secure) {
+ size_t cllen;
+- const char *sep;
++ const char *sep = NULL;
+
+ /*
+ * A non-secure cookie may not overlay an existing secure cookie.
+@@ -1085,8 +1085,9 @@ Curl_cookie_add(struct Curl_easy *data,
+ * "/loginhelper" is ok.
+ */
+
+- sep = strchr(clist->spath + 1, '/');
+-
++ DEBUGASSERT(clist->spath[0]);
++ if(clist->spath[0])
++ sep = strchr(clist->spath + 1, '/');
+ if(sep)
+ cllen = sep - clist->spath;
+ else
+--
+2.51.0
+
diff --git a/curl.spec b/curl.spec
index a310d42..157a3e9 100644
--- a/curl.spec
+++ b/curl.spec
@@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 8.9.1
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: curl
 Source0: https://curl.se/download/%{name}-%{version}.tar.xz
 Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
@@ -23,6 +23,9 @@ Patch001: 0001-curl-8.9.1-sigpipe.patch
 # fix HSTS subdomain overwrites parent cache entry (CVE-2024-9681)
 Patch002: 0002-curl-8.10.1-CVE-2024-9681.patch
+# fix Out of bounds read for cookie path (CVE-2025-9086)
+Patch003: 0003-curl-8.9.1-CVE-2025-9086.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
@@ -415,6 +418,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 %changelog
+* Wed Sep 17 2025 Jan Macku - 8.9.1-4
+- fix Out of bounds read for cookie path (CVE-2025-9086)
+
 * Thu Dec 12 2024 Jan Macku - 8.9.1-3
 - fix HSTS subdomain overwrites parent cache entry (CVE-2024-9681)