Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[AUTO-CHERRYPICK] cmake: patch CVE-2024-11053 - branch main #11943

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
+340 −5
Open

[AUTO-CHERRYPICK] cmake: patch CVE-2024-11053 - branch main #11943

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
331 changes: 331 additions & 0 deletions SPECS/cmake/CVE-2024-11053.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,331 @@
From 277c4661bd10b7f513c18f84b64431dad20c2722 Mon Sep 17 00:00:00 2001
From: Henry Beberman <[email protected]>
Date: Wed, 15 Jan 2025 01:03:08 +0000
Subject: [PATCH] Backport updated netrc parsing

Backport fix for CVE-2024-11053 from upstream commit to vendored libcurl 7.77.0

From e9b9bbac22c26cf67316fa8e6c6b9e831af31949 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <[email protected]>
Date: Fri, 15 Nov 2024 11:06:36 +0100
Subject: [PATCH] netrc: address several netrc parser flaws

- make sure that a match that returns a username also returns a
password, that should be blank if no password is found

- fix handling of multiple logins for same host where the password/login
order might be reversed.

- reject credentials provided in the .netrc if they contain ASCII control
codes - if the used protocol does not support such (like HTTP and WS do)

diff --git a/Utilities/cmcurl/lib/netrc.c b/Utilities/cmcurl/lib/netrc.c
index 13610bb..2c93c6e 100644
--- a/Utilities/cmcurl/lib/netrc.c
+++ b/Utilities/cmcurl/lib/netrc.c
@@ -42,9 +42,19 @@
enum host_lookup_state {
NOTHING,
HOSTFOUND, /* the 'machine' keyword was found */
- HOSTVALID /* this is "our" machine! */
+ HOSTVALID, /* this is "our" machine! */
+ MACDEF
};

+enum found_state {
+ NONE,
+ LOGIN,
+ PASSWORD
+};
+
+#define FOUND_LOGIN 1
+#define FOUND_PASSWORD 2
+
#define NETRC_FILE_MISSING 1
#define NETRC_FAILED -1
#define NETRC_SUCCESS 0
@@ -62,16 +72,14 @@ static int parsenetrc(const char *host,
FILE *file;
int retcode = NETRC_FILE_MISSING;
char *login = *loginp;
- char *password = *passwordp;
- bool specific_login = (login && *login != 0);
- bool login_alloc = FALSE;
- bool password_alloc = FALSE;
+ char *password = NULL;
+ bool specific_login = !!login; /* points to something */
enum host_lookup_state state = NOTHING;
-
- char state_login = 0; /* Found a login keyword */
- char state_password = 0; /* Found a password keyword */
- int state_our_login = FALSE; /* With specific_login, found *our* login
- name */
+ enum found_state keyword = NONE;
+ unsigned char found = 0; /* login + password found bits, as they can come in
+ any order */
+ bool our_login = FALSE; /* found our login name */
+ bool done = FALSE;

DEBUGASSERT(netrcfile);

@@ -90,110 +98,129 @@ static int parsenetrc(const char *host,
continue;
while(tok) {

- if((login && *login) && (password && *password)) {
- done = TRUE;
- break;
- }
-
switch(state) {
- case NOTHING:
- if(strcasecompare("machine", tok)) {
- /* the next tok is the machine name, this is in itself the
- delimiter that starts the stuff entered for this machine,
- after this we need to search for 'login' and
- 'password'. */
- state = HOSTFOUND;
- }
- else if(strcasecompare("default", tok)) {
- state = HOSTVALID;
- retcode = NETRC_SUCCESS; /* we did find our host */
- }
- break;
- case HOSTFOUND:
- if(strcasecompare(host, tok)) {
- /* and yes, this is our host! */
- state = HOSTVALID;
- retcode = NETRC_SUCCESS; /* we did find our host */
- }
- else
- /* not our host */
- state = NOTHING;
- break;
- case HOSTVALID:
- /* we are now parsing sub-keywords concerning "our" host */
- if(state_login) {
- if(specific_login) {
- state_our_login = strcasecompare(login, tok);
+ case NOTHING:
+ if(strcasecompare("macdef", tok))
+ /* Define a macro. A macro is defined with the specified name; its
+ contents begin with the next .netrc line and continue until a
+ null line (consecutive new-line characters) is encountered. */
+ state = MACDEF;
+ else if(strcasecompare("machine", tok)) {
+ /* the next tok is the machine name, this is in itself the delimiter
+ that starts the stuff entered for this machine, after this we
+ need to search for 'login' and 'password'. */
+ state = HOSTFOUND;
+ keyword = NONE;
+ found = 0;
+ our_login = FALSE;
+ Curl_safefree(password);
+ if(!specific_login)
+ Curl_safefree(login);
}
- else if(!login || strcmp(login, tok)) {
- if(login_alloc) {
+ else if(strcasecompare("default", tok)) {
+ state = HOSTVALID;
+ retcode = NETRC_SUCCESS; /* we did find our host */
+ }
+ break;
+ case MACDEF:
+ if(!*tok)
+ state = NOTHING;
+ break;
+ case HOSTFOUND:
+ if(strcasecompare(host, tok)) {
+ /* and yes, this is our host! */
+ state = HOSTVALID;
+ retcode = NETRC_SUCCESS; /* we did find our host */
+ }
+ else
+ /* not our host */
+ state = NOTHING;
+ break;
+ case HOSTVALID:
+ /* we are now parsing sub-keywords concerning "our" host */
+ if(keyword == LOGIN) {
+ if(specific_login)
+ our_login = !Curl_timestrcmp(login, tok);
+ else {
+ our_login = TRUE;
free(login);
- login_alloc = FALSE;
- }
- login = strdup(tok);
- if(!login) {
- retcode = NETRC_FAILED; /* allocation failed */
- goto out;
+ login = strdup(tok);
+ if(!login) {
+ retcode = NETRC_FAILED; /* allocation failed */
+ goto out;
+ }
}
- login_alloc = TRUE;
+ found |= FOUND_LOGIN;
+ keyword = NONE;
}
- state_login = 0;
- }
- else if(state_password) {
- if((state_our_login || !specific_login)
- && (!password || strcmp(password, tok))) {
- if(password_alloc) {
- free(password);
- password_alloc = FALSE;
- }
+ else if(keyword == PASSWORD) {
+ free(password);
password = strdup(tok);
if(!password) {
retcode = NETRC_FAILED; /* allocation failed */
goto out;
}
- password_alloc = TRUE;
+ if(!specific_login || our_login)
+ found |= FOUND_PASSWORD;
+ keyword = NONE;
+ }
+ else if(strcasecompare("login", tok))
+ keyword = LOGIN;
+ else if(strcasecompare("password", tok))
+ keyword = PASSWORD;
+ else if(strcasecompare("machine", tok)) {
+ /* a new machine here */
+ if(found & FOUND_PASSWORD) {
+ done = TRUE;
+ break;
+ }
+ state = HOSTFOUND;
+ keyword = NONE;
+ found = 0;
+ Curl_safefree(password);
+ if(!specific_login)
+ Curl_safefree(login);
+ }
+ else if(strcasecompare("default", tok)) {
+ state = HOSTVALID;
+ retcode = NETRC_SUCCESS; /* we did find our host */
+ Curl_safefree(password);
+ if(!specific_login)
+ Curl_safefree(login);
+ }
+ if((found == (FOUND_PASSWORD|FOUND_LOGIN)) && our_login) {
+ done = TRUE;
+ break;
}
- state_password = 0;
- }
- else if(strcasecompare("login", tok))
- state_login = 1;
- else if(strcasecompare("password", tok))
- state_password = 1;
- else if(strcasecompare("machine", tok)) {
- /* ok, there's machine here go => */
- state = HOSTFOUND;
- state_our_login = FALSE;
- }
- break;
- } /* switch (state) */
+ break;
+ } /* switch (state) */

tok = strtok_r(NULL, " \t\n", &tok_buf);
} /* while(tok) */
} /* while fgets() */

out:
+ if(!retcode) {
+ if(!password && our_login) {
+ /* success without a password, set a blank one */
+ password = strdup("");
+ if(!password)
+ retcode = 1; /* out of memory */
+ }
+ else if(!login && !password)
+ /* a default with no credentials */
+ retcode = NETRC_FILE_MISSING;
+ }
if(!retcode) {
/* success */
- *login_changed = FALSE;
- *password_changed = FALSE;
- if(login_alloc) {
- if(*loginp)
- free(*loginp);
+ if(!specific_login)
*loginp = login;
- *login_changed = TRUE;
- }
- if(password_alloc) {
- if(*passwordp)
- free(*passwordp);
- *passwordp = password;
- *password_changed = TRUE;
- }
+ *passwordp = password;
}
else {
- if(login_alloc)
+ if(!specific_login)
free(login);
- if(password_alloc)
- free(password);
+ free(password);
}
fclose(file);
}
diff --git a/Utilities/cmcurl/lib/url.c b/Utilities/cmcurl/lib/url.c
index 1ee38af..28ab55a 100644
--- a/Utilities/cmcurl/lib/url.c
+++ b/Utilities/cmcurl/lib/url.c
@@ -2890,23 +2890,25 @@ static CURLcode override_login(struct Curl_easy *data,
bool netrc_passwd_changed = FALSE;
int ret;

- ret = Curl_parsenetrc(conn->host.name,
- userp, passwdp,
- &netrc_user_changed, &netrc_passwd_changed,
- data->set.str[STRING_NETRC_FILE]);
- if(ret > 0) {
- infof(data, "Couldn't find host %s in the %s file; using defaults\n",
- conn->host.name, data->set.str[STRING_NETRC_FILE]);
- }
- else if(ret < 0) {
- return CURLE_OUT_OF_MEMORY;
- }
- else {
- /* set bits.netrc TRUE to remember that we got the name from a .netrc
- file, so that it is safe to use even if we followed a Location: to a
- different host or similar. */
- conn->bits.netrc = TRUE;
- conn->bits.user_passwd = TRUE; /* enable user+password */
+ if(!*passwdp) {
+ ret = Curl_parsenetrc(conn->host.name,
+ userp, passwdp,
+ &netrc_user_changed, &netrc_passwd_changed,
+ data->set.str[STRING_NETRC_FILE]);
+ if(ret > 0) {
+ infof(data, "Couldn't find host %s in the %s file; using defaults\n",
+ conn->host.name, data->set.str[STRING_NETRC_FILE]);
+ }
+ else if(ret < 0) {
+ return CURLE_OUT_OF_MEMORY;
+ }
+ else {
+ /* set bits.netrc TRUE to remember that we got the name from a .netrc
+ file, so that it is safe to use even if we followed a Location: to a
+ different host or similar. */
+ conn->bits.netrc = TRUE;
+ conn->bits.user_passwd = TRUE; /* enable user+password */
+ }
}
}

--
2.45.2

6 changes: 5 additions & 1 deletion SPECS/cmake/cmake.spec
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
Summary: Cmake
Name: cmake
Version: 3.21.4
Release: 14%{?dist}
Release: 15%{?dist}
License: BSD AND LGPLv2+
Vendor: Microsoft Corporation
Distribution: Mariner
Expand Down Expand Up @@ -32,6 +32,7 @@ Patch17: CVE-2023-46218.patch
Patch18: CVE-2024-2398.patch
Patch19: CVE-2024-28182.patch
Patch20: CVE-2024-7264.patch
Patch21: CVE-2024-11053.patch
BuildRequires: bzip2
BuildRequires: bzip2-devel
BuildRequires: curl
Expand Down Expand Up @@ -97,6 +98,9 @@ bin/ctest --force-new-ctest-process --rerun-failed --output-on-failure
%{_prefix}/doc/%{name}-*/*

%changelog
* Tue Jan 14 2025 Henry Beberman <[email protected]> - 3.21.4-15
- Patch vendored curl for CVE-2024-11053

* Thu Nov 21 2024 Vince Perri <[email protected]> - 3.21.4-14
- Patch CVE-2024-2398 and CVE-2024-7264 (bundled curl)
- Patch CVE-2024-28182 (bundled nghttp2)
Expand Down
4 changes: 2 additions & 2 deletions toolkit/resources/manifests/package/toolchain_aarch64.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,8 +30,8 @@ check-debuginfo-0.15.2-1.cm2.aarch64.rpm
chkconfig-1.20-4.cm2.aarch64.rpm
chkconfig-debuginfo-1.20-4.cm2.aarch64.rpm
chkconfig-lang-1.20-4.cm2.aarch64.rpm
cmake-3.21.4-14.cm2.aarch64.rpm
cmake-debuginfo-3.21.4-14.cm2.aarch64.rpm
cmake-3.21.4-15.cm2.aarch64.rpm
cmake-debuginfo-3.21.4-15.cm2.aarch64.rpm
coreutils-8.32-7.cm2.aarch64.rpm
coreutils-debuginfo-8.32-7.cm2.aarch64.rpm
coreutils-lang-8.32-7.cm2.aarch64.rpm
Expand Down
4 changes: 2 additions & 2 deletions toolkit/resources/manifests/package/toolchain_x86_64.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,8 +31,8 @@ check-debuginfo-0.15.2-1.cm2.x86_64.rpm
chkconfig-1.20-4.cm2.x86_64.rpm
chkconfig-debuginfo-1.20-4.cm2.x86_64.rpm
chkconfig-lang-1.20-4.cm2.x86_64.rpm
cmake-3.21.4-14.cm2.x86_64.rpm
cmake-debuginfo-3.21.4-14.cm2.x86_64.rpm
cmake-3.21.4-15.cm2.x86_64.rpm
cmake-debuginfo-3.21.4-15.cm2.x86_64.rpm
coreutils-8.32-7.cm2.x86_64.rpm
coreutils-debuginfo-8.32-7.cm2.x86_64.rpm
coreutils-lang-8.32-7.cm2.x86_64.rpm
Expand Down
Loading