-
Notifications
You must be signed in to change notification settings - Fork 563
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
cmake: patch CVE-2024-11053 (#11933)
- Loading branch information
Showing
4 changed files
with
313 additions
and
5 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,304 @@ | ||
| From c67d69ef80e6d91d4124c704aceb667859d6a0df Mon Sep 17 00:00:00 2001 | ||
| From: Henry Beberman <[email protected]> | ||
| Date: Wed, 15 Jan 2025 21:26:44 +0000 | ||
| Subject: [PATCH] Backport patch for CVE-2024-11053 | ||
|
|
||
| Backport fix for CVE-2024-11053 from upstream commit to vendored libcurl 8.8.0 | ||
|
|
||
| From e9b9bbac22c26cf67316fa8e6c6b9e831af31949 Mon Sep 17 00:00:00 2001 | ||
| From: Daniel Stenberg <[email protected]> | ||
| Date: Fri, 15 Nov 2024 11:06:36 +0100 | ||
| Subject: [PATCH] netrc: address several netrc parser flaws | ||
|
|
||
| - make sure that a match that returns a username also returns a | ||
| password, that should be blank if no password is found | ||
|
|
||
| - fix handling of multiple logins for same host where the password/login | ||
| order might be reversed. | ||
|
|
||
| - reject credentials provided in the .netrc if they contain ASCII control | ||
| codes - if the used protocol does not support such (like HTTP and WS do) | ||
|
|
||
| --- | ||
| lib/netrc.c | 205 +++++++++++++++++++++++++++++----------------------- | ||
| lib/url.c | 2 + | ||
| 2 files changed, 116 insertions(+), 91 deletions(-) | ||
|
|
||
| diff --git a/Utilities/cmcurl/lib/netrc.c b/Utilities/cmcurl/lib/netrc.c | ||
| index cd2a284..83dd9eb 100644 | ||
| --- a/Utilities/cmcurl/lib/netrc.c | ||
| +++ b/Utilities/cmcurl/lib/netrc.c | ||
| @@ -49,6 +49,15 @@ enum host_lookup_state { | ||
| MACDEF | ||
| }; | ||
|
|
||
| +enum found_state { | ||
| + NONE, | ||
| + LOGIN, | ||
| + PASSWORD | ||
| +}; | ||
| + | ||
| +#define FOUND_LOGIN 1 | ||
| +#define FOUND_PASSWORD 2 | ||
| + | ||
| #define NETRC_FILE_MISSING 1 | ||
| #define NETRC_FAILED -1 | ||
| #define NETRC_SUCCESS 0 | ||
| @@ -66,11 +75,13 @@ static int parsenetrc(const char *host, | ||
| FILE *file; | ||
| int retcode = NETRC_FILE_MISSING; | ||
| char *login = *loginp; | ||
| - char *password = *passwordp; | ||
| + char *password = NULL; | ||
| bool specific_login = (login && *login != 0); | ||
| - bool login_alloc = FALSE; | ||
| - bool password_alloc = FALSE; | ||
| enum host_lookup_state state = NOTHING; | ||
| + enum found_state keyword = NONE; | ||
| + unsigned char found = 0; /* login + password found bits, as they can come in | ||
| + any order */ | ||
| + bool our_login = FALSE; /* found our login name */ | ||
|
|
||
| char state_login = 0; /* Found a login keyword */ | ||
| char state_password = 0; /* Found a password keyword */ | ||
| @@ -156,117 +167,129 @@ static int parsenetrc(const char *host, | ||
| } | ||
| } | ||
|
|
||
| - if((login && *login) && (password && *password)) { | ||
| - done = TRUE; | ||
| - break; | ||
| - } | ||
| - | ||
| switch(state) { | ||
| - case NOTHING: | ||
| - if(strcasecompare("macdef", tok)) { | ||
| - /* Define a macro. A macro is defined with the specified name; its | ||
| - contents begin with the next .netrc line and continue until a | ||
| - null line (consecutive new-line characters) is encountered. */ | ||
| - state = MACDEF; | ||
| - } | ||
| - else if(strcasecompare("machine", tok)) { | ||
| - /* the next tok is the machine name, this is in itself the | ||
| - delimiter that starts the stuff entered for this machine, | ||
| - after this we need to search for 'login' and | ||
| - 'password'. */ | ||
| - state = HOSTFOUND; | ||
| - } | ||
| - else if(strcasecompare("default", tok)) { | ||
| - state = HOSTVALID; | ||
| - retcode = NETRC_SUCCESS; /* we did find our host */ | ||
| - } | ||
| - break; | ||
| - case MACDEF: | ||
| - if(!strlen(tok)) { | ||
| - state = NOTHING; | ||
| - } | ||
| - break; | ||
| - case HOSTFOUND: | ||
| - if(strcasecompare(host, tok)) { | ||
| - /* and yes, this is our host! */ | ||
| - state = HOSTVALID; | ||
| - retcode = NETRC_SUCCESS; /* we did find our host */ | ||
| - } | ||
| - else | ||
| - /* not our host */ | ||
| - state = NOTHING; | ||
| - break; | ||
| - case HOSTVALID: | ||
| - /* we are now parsing sub-keywords concerning "our" host */ | ||
| - if(state_login) { | ||
| - if(specific_login) { | ||
| - state_our_login = !Curl_timestrcmp(login, tok); | ||
| + case NOTHING: | ||
| + if(strcasecompare("macdef", tok)) | ||
| + /* Define a macro. A macro is defined with the specified name; its | ||
| + contents begin with the next .netrc line and continue until a | ||
| + null line (consecutive new-line characters) is encountered. */ | ||
| + state = MACDEF; | ||
| + else if(strcasecompare("machine", tok)) { | ||
| + /* the next tok is the machine name, this is in itself the delimiter | ||
| + that starts the stuff entered for this machine, after this we | ||
| + need to search for 'login' and 'password'. */ | ||
| + state = HOSTFOUND; | ||
| + keyword = NONE; | ||
| + found = 0; | ||
| + our_login = FALSE; | ||
| + Curl_safefree(password); | ||
| + if(!specific_login) | ||
| + Curl_safefree(login); | ||
| } | ||
| - else if(!login || Curl_timestrcmp(login, tok)) { | ||
| - if(login_alloc) { | ||
| + else if(strcasecompare("default", tok)) { | ||
| + state = HOSTVALID; | ||
| + retcode = NETRC_SUCCESS; /* we did find our host */ | ||
| + } | ||
| + break; | ||
| + case MACDEF: | ||
| + if(!*tok) | ||
| + state = NOTHING; | ||
| + break; | ||
| + case HOSTFOUND: | ||
| + if(strcasecompare(host, tok)) { | ||
| + /* and yes, this is our host! */ | ||
| + state = HOSTVALID; | ||
| + retcode = NETRC_SUCCESS; /* we did find our host */ | ||
| + } | ||
| + else | ||
| + /* not our host */ | ||
| + state = NOTHING; | ||
| + break; | ||
| + case HOSTVALID: | ||
| + /* we are now parsing sub-keywords concerning "our" host */ | ||
| + if(keyword == LOGIN) { | ||
| + if(specific_login) | ||
| + our_login = !Curl_timestrcmp(login, tok); | ||
| + else { | ||
| + our_login = TRUE; | ||
| free(login); | ||
| - login_alloc = FALSE; | ||
| + login = strdup(tok); | ||
| + if(!login) { | ||
| + retcode = NETRC_FAILED; /* allocation failed */ | ||
| + goto out; | ||
| + } | ||
| } | ||
| - login = strdup(tok); | ||
| - if(!login) { | ||
| - retcode = NETRC_FAILED; /* allocation failed */ | ||
| - goto out; | ||
| - } | ||
| - login_alloc = TRUE; | ||
| + found |= FOUND_LOGIN; | ||
| + keyword = NONE; | ||
| } | ||
| - state_login = 0; | ||
| - } | ||
| - else if(state_password) { | ||
| - if((state_our_login || !specific_login) | ||
| - && (!password || Curl_timestrcmp(password, tok))) { | ||
| - if(password_alloc) { | ||
| - free(password); | ||
| - password_alloc = FALSE; | ||
| - } | ||
| + else if(keyword == PASSWORD) { | ||
| + free(password); | ||
| password = strdup(tok); | ||
| if(!password) { | ||
| retcode = NETRC_FAILED; /* allocation failed */ | ||
| goto out; | ||
| } | ||
| - password_alloc = TRUE; | ||
| + if(!specific_login || our_login) | ||
| + found |= FOUND_PASSWORD; | ||
| + keyword = NONE; | ||
| } | ||
| - state_password = 0; | ||
| - } | ||
| - else if(strcasecompare("login", tok)) | ||
| - state_login = 1; | ||
| - else if(strcasecompare("password", tok)) | ||
| - state_password = 1; | ||
| - else if(strcasecompare("machine", tok)) { | ||
| - /* ok, there's machine here go => */ | ||
| - state = HOSTFOUND; | ||
| - state_our_login = FALSE; | ||
| - } | ||
| - break; | ||
| - } /* switch (state) */ | ||
| + else if(strcasecompare("login", tok)) | ||
| + keyword = LOGIN; | ||
| + else if(strcasecompare("password", tok)) | ||
| + keyword = PASSWORD; | ||
| + else if(strcasecompare("machine", tok)) { | ||
| + /* a new machine here */ | ||
| + if(found & FOUND_PASSWORD) { | ||
| + done = TRUE; | ||
| + break; | ||
| + } | ||
| + state = HOSTFOUND; | ||
| + keyword = NONE; | ||
| + found = 0; | ||
| + Curl_safefree(password); | ||
| + if(!specific_login) | ||
| + Curl_safefree(login); | ||
| + } | ||
| + else if(strcasecompare("default", tok)) { | ||
| + state = HOSTVALID; | ||
| + retcode = NETRC_SUCCESS; /* we did find our host */ | ||
| + Curl_safefree(password); | ||
| + if(!specific_login) | ||
| + Curl_safefree(login); | ||
| + } | ||
| + if((found == (FOUND_PASSWORD|FOUND_LOGIN)) && our_login) { | ||
| + done = TRUE; | ||
| + break; | ||
| + } | ||
| + break; | ||
| + } /* switch (state) */ | ||
| tok = ++tok_end; | ||
| } | ||
| } /* while Curl_get_line() */ | ||
|
|
||
| out: | ||
| Curl_dyn_free(&buf); | ||
| + if(!retcode) { | ||
| + if(!password && our_login) { | ||
| + /* success without a password, set a blank one */ | ||
| + password = strdup(""); | ||
| + if(!password) | ||
| + retcode = 1; /* out of memory */ | ||
| + } | ||
| + else if(!login && !password) | ||
| + /* a default with no credentials */ | ||
| + retcode = NETRC_FILE_MISSING; | ||
| + } | ||
| if(!retcode) { | ||
| /* success */ | ||
| - if(login_alloc) { | ||
| - if(*loginp) | ||
| - free(*loginp); | ||
| + if(!specific_login) | ||
| *loginp = login; | ||
| - } | ||
| - if(password_alloc) { | ||
| - if(*passwordp) | ||
| - free(*passwordp); | ||
| - *passwordp = password; | ||
| - } | ||
| + *passwordp = password; | ||
| } | ||
| else { | ||
| - if(login_alloc) | ||
| + if(!specific_login) | ||
| free(login); | ||
| - if(password_alloc) | ||
| - free(password); | ||
| + free(password); | ||
| } | ||
| fclose(file); | ||
| } | ||
| diff --git a/Utilities/cmcurl/lib/url.c b/Utilities/cmcurl/lib/url.c | ||
| index 2814d31..51c7f88 100644 | ||
| --- a/Utilities/cmcurl/lib/url.c | ||
| +++ b/Utilities/cmcurl/lib/url.c | ||
| @@ -2698,6 +2698,7 @@ static CURLcode override_login(struct Curl_easy *data, | ||
| url_provided = TRUE; | ||
| } | ||
|
|
||
| + if(!*passwdp) { | ||
| ret = Curl_parsenetrc(conn->host.name, | ||
| userp, passwdp, | ||
| data->set.str[STRING_NETRC_FILE]); | ||
| @@ -2729,6 +2730,7 @@ static CURLcode override_login(struct Curl_easy *data, | ||
| if(!*userp) | ||
| return CURLE_OUT_OF_MEMORY; | ||
| } | ||
| + } | ||
| } | ||
| #endif | ||
|
|
||
| -- | ||
| 2.45.2 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2,7 +2,7 @@ | |
| Summary: Cmake | ||
| Name: cmake | ||
| Version: 3.30.3 | ||
| Release: 2%{?dist} | ||
| Release: 3%{?dist} | ||
| License: BSD AND LGPLv2+ | ||
| Vendor: Microsoft Corporation | ||
| Distribution: Azure Linux | ||
|
|
@@ -14,6 +14,7 @@ Patch0: 0001-manually-recreating-patches.patch | |
| Patch1: CVE-2024-6197.patch | ||
| Patch2: CVE-2024-6874.patch | ||
| Patch3: CVE-2024-8096.patch | ||
| Patch4: CVE-2024-11053.patch | ||
| BuildRequires: bzip2 | ||
| BuildRequires: bzip2-devel | ||
| BuildRequires: curl | ||
|
|
@@ -93,6 +94,9 @@ bin/ctest --force-new-ctest-process --rerun-failed --output-on-failure | |
| %{_libdir}/rpm/macros.d/macros.cmake | ||
|
|
||
| %changelog | ||
| * Wed Jan 15 2025 Henry Beberman <[email protected]> - 3.30.3-3 | ||
| - Patch vendored curl for CVE-2024-11053 | ||
|
|
||
| * Thu Sep 26 2024 Jonathan Behrens <[email protected]> - 3.30.3-2 | ||
| - Fix CVE-2024-6197, CVE-2024-6874, and CVE-2024-8096 | ||
|
|
||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters