Resolves: CVE-2025-10148 - predictable WebSocket mask

Resolves: #2373760

0003-curl-8.11.1-tool_formparse-accept-digits-in-form-type-strings.patch

@@ -0,0 +1,73 @@
+From 0a4f5c593d785c4cafa322a5976d4c2b08f8cfa1 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 17 Dec 2024 07:52:06 +0100
+Subject: [PATCH] tool_formparse: accept digits in --form type= strings
+
+Adjusted test 186 to verify.
+
+Regression in 9664d5a5475fdc66, shipped in 8.11.1
+
+Reported-by: IcedCoffeee on github
+Assisted-by: Jay Satiro
+Fixes #15761
+Closes #15762
+
+(cherry picked from commit f7e065f314f9d307af8f194a16c95cc754fefd4a)
+---
+ src/tool_formparse.c | 5 +++--
+ tests/data/test186   | 6 +++---
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/src/tool_formparse.c b/src/tool_formparse.c
+index ddbf1b1a7..814f240e6 100644
+--- a/src/tool_formparse.c
++++ b/src/tool_formparse.c
+@@ -495,14 +495,15 @@ static int get_param_part(struct OperationConfig *config, char endchar,
+       ;
+ 
+     if(!endct && checkprefix("type=", p)) {
++      size_t tlen;
+       for(p += 5; ISSPACE(*p); p++)
+         ;
+       /* set type pointer */
+       type = p;
+ 
+       /* find end of content-type */
+-      while(*p && (ISALPHA(*p) || (*p == '/') || (*p == '-')))
+-        p++;
++      tlen = strcspn(p, "()<>@,;:\\\"[]?=\r\n ");
++      p += tlen;
+       endct = p;
+       sep = *p;
+     }
+diff --git a/tests/data/test186 b/tests/data/test186
+index f5c071946..006de7904 100644
+--- a/tests/data/test186
++++ b/tests/data/test186
+@@ -31,7 +31,7 @@ http
+ HTTP RFC1867-type formposting with types on text fields
+ </name>
+ <command>
+-http://%HOSTIP:%HTTPPORT/we/want/%TESTNUMBER -F "name=daniel;type=moo/foo" -F "html= <body>hello</body>;type=text/html;charset=verymoo"
++http://%HOSTIP:%HTTPPORT/we/want/%TESTNUMBER -F "name=daniel;type=moo/foo-.4" -F "html= <body>hello</body>;type=text/html;charset=verymoo"
+ </command>
+ # We create this file before the command is invoked!
+ </client>
+@@ -46,12 +46,12 @@ POST /we/want/%TESTNUMBER HTTP/1.1
+ Host: %HOSTIP:%HTTPPORT
+ User-Agent: curl/%VERSION
+ Accept: */*
+-Content-Length: 338
++Content-Length: 341
+ Content-Type: multipart/form-data; boundary=----------------------------212d9006ceb5
+ 
+ ------------------------------212d9006ceb5
+ Content-Disposition: form-data; name="name"
+-Content-Type: moo/foo
++Content-Type: moo/foo-.4
+ 
+ daniel
+ ------------------------------212d9006ceb5
+-- 
+2.49.0
+

0004-curl-8.11.1-CVE-2025-9086.patch

@@ -0,0 +1,53 @@
+From aa1c6961db8df9c50850b48e3d675066c54fa510 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 11 Aug 2025 20:23:05 +0200
+Subject: [PATCH] cookie: don't treat the leading slash as trailing
+
+If there is only a leading slash in the path, keep that. Also add an
+assert to make sure the path is never blank.
+
+Reported-by: Google Big Sleep
+Closes #18266
+
+(cherry picked from commit c6ae07c6a541e0e96d0040afb62b45dd37711300)
+---
+ lib/cookie.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 773e5357d..7bf8b429f 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -304,7 +304,7 @@ static char *sanitize_cookie_path(const char *cookie_path)
+   }
+ 
+   /* convert /hoge/ to /hoge */
+-  if(len && new_path[len - 1] == '/') {
++  if(len > 1 && new_path[len - 1] == '/') {
+     new_path[len - 1] = 0x0;
+   }
+ 
+@@ -1007,7 +1007,7 @@ replace_existing(struct Curl_easy *data,
+          clist->spath && co->spath && /* both have paths */
+          clist->secure && !co->secure && !secure) {
+         size_t cllen;
+-        const char *sep;
++        const char *sep = NULL;
+ 
+         /*
+          * A non-secure cookie may not overlay an existing secure cookie.
+@@ -1016,8 +1016,9 @@ replace_existing(struct Curl_easy *data,
+          * "/loginhelper" is ok.
+          */
+ 
+-        sep = strchr(clist->spath + 1, '/');
+-
++        DEBUGASSERT(clist->spath[0]);
++        if(clist->spath[0])
++          sep = strchr(clist->spath + 1, '/');
+         if(sep)
+           cllen = sep - clist->spath;
+         else
+-- 
+2.51.0
+

0005-curl-8.11.1-CVE-2025-10148.patch

@@ -0,0 +1,58 @@
+From 537b89d02f7200b3b81c833548d597a13aaf1ecf Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 8 Sep 2025 14:14:15 +0200
+Subject: [PATCH] ws: get a new mask for each new outgoing frame
+
+Reported-by: Calvin Ruocco
+Closes #18496
+
+(cherry picked from commit 84db7a9eae8468c0445b15aa806fa7fa806fa0f2)
+---
+ lib/ws.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/lib/ws.c b/lib/ws.c
+index 3d739a538..d6aadc167 100644
+--- a/lib/ws.c
++++ b/lib/ws.c
+@@ -545,6 +545,7 @@ static ssize_t ws_enc_write_head(struct Curl_easy *data,
+   unsigned char firstbyte = 0;
+   unsigned char opcode;
+   unsigned char head[14];
++  CURLcode result;
+   size_t hlen;
+   ssize_t n;
+ 
+@@ -618,6 +619,13 @@ static ssize_t ws_enc_write_head(struct Curl_easy *data,
+   enc->payload_remain = enc->payload_len = payload_len;
+   ws_enc_info(enc, data, "sending");
+ 
++  /* 4 bytes random */
++
++  result = Curl_rand(data, (unsigned char *)&enc->mask,
++                     sizeof(enc->mask));
++  if(result)
++    return result;
++
+   /* add 4 bytes mask */
+   memcpy(&head[hlen], &enc->mask, 4);
+   hlen += 4;
+@@ -808,14 +816,7 @@ CURLcode Curl_ws_accept(struct Curl_easy *data,
+      subprotocol not requested by the client), the client MUST Fail
+      the WebSocket Connection. */
+ 
+-  /* 4 bytes random */
+-
+-  result = Curl_rand(data, (unsigned char *)&ws->enc.mask,
+-                     sizeof(ws->enc.mask));
+-  if(result)
+-    return result;
+-  infof(data, "Received 101, switch to WebSocket; mask %02x%02x%02x%02x",
+-        ws->enc.mask[0], ws->enc.mask[1], ws->enc.mask[2], ws->enc.mask[3]);
++  infof(data, "[WS] Received 101, switch to WebSocket");
+ 
+   /* Install our client writer that decodes WS frames payload */
+   result = Curl_cwriter_create(&ws_dec_writer, data, &ws_cw_decode,
+-- 
+2.51.0
+

curl.spec

@@ -7,7 +7,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 8.11.1
-Release: 4%{?dist}
+Release: 6%{?dist}
 License: curl
 Source0: https://curl.se/download/%{name}-%{version}.tar.xz
 Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
@@ -25,6 +25,15 @@ Patch1: 0001-curl-8.11.1-eventfd.patch
 # Fix https://bugzilla.redhat.com/show_bug.cgi?id=2324130#c7
 Patch2: 0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch
 
+# Fix https://bugzilla.redhat.com/show_bug.cgi?id=2373760
+Patch3: 0003-curl-8.11.1-tool_formparse-accept-digits-in-form-type-strings.patch
+
+# Fix Out of bounds read for cookie path (CVE-2025-9086)
+Patch4: 0004-curl-8.11.1-CVE-2025-9086.patch
+
+# Fix predictable WebSocket mask (CVE-2025-10148)
+Patch5: 0005-curl-8.11.1-CVE-2025-10148.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -419,6 +428,13 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 
 %changelog
+* Wed Sep 17 2025 Jan Macku <jamacku@redhat.com> - 8.11.1-6
+- Fix Out of bounds read for cookie path (CVE-2025-9086)
+- Fix predictable WebSocket mask (CVE-2025-10148)
+
+* Thu Jun 19 2025 Jan Macku <jamacku@redhat.com> - 8.11.1-5
+- properly parse 'type=' in -F command line arguments (#2373760)
+
 * Fri Jan 31 2025 Jan Macku <jamacku@redhat.com> - 8.11.1-4
 - TLS: check connection for SSL use, not handler (#2324130#c7)