cmake: Patch CVE-2024-2398 in bundled curl

microsoft · Nov 20, 2024 · 135b927 · 135b927
1 parent ecd289e
commit 135b927
Show file tree

Hide file tree

Showing 4 changed files with 103 additions and 5 deletions.
diff --git a/SPECS/cmake/CVE-2024-2398.patch b/SPECS/cmake/CVE-2024-2398.patch
@@ -0,0 +1,94 @@
+From c9adb2114e9d9d4a50ff273234c2a1f8518aafd1 Mon Sep 17 00:00:00 2001
+From: Vince Perri <[email protected]>
+Date: Wed, 20 Nov 2024 22:38:53 +0000
+Subject: [PATCH] http2: push headers better cleanup
+
+Original patch: https://github.com/curl/curl/commit/deca8039991886a559b67bcd6
+---
+ Utilities/cmcurl/lib/http2.c | 34 +++++++++++++++-------------------
+ 1 file changed, 15 insertions(+), 19 deletions(-)
+
+diff --git a/Utilities/cmcurl/lib/http2.c b/Utilities/cmcurl/lib/http2.c
+index f194c18b..50b8cd54 100644
+--- a/Utilities/cmcurl/lib/http2.c
++++ b/Utilities/cmcurl/lib/http2.c
+@@ -116,6 +116,15 @@ static int http2_getsock(struct Curl_easy *data,
+   return bitmap;
+ }
+
++static void free_push_headers(struct HTTP *stream)
++{
++  size_t i;
++  for(i = 0; i<stream->push_headers_used; i++)
++    free(stream->push_headers[i]);
++  Curl_safefree(stream->push_headers);
++  stream->push_headers_used = 0;
++}
++
+ /*
+  * http2_stream_free() free HTTP2 stream related data
+  */
+@@ -123,11 +132,7 @@ static void http2_stream_free(struct HTTP *http)
+ {
+   if(http) {
+     Curl_dyn_free(&http->header_recvbuf);
+-    for(; http->push_headers_used > 0; --http->push_headers_used) {
+-      free(http->push_headers[http->push_headers_used - 1]);
+-    }
+-    free(http->push_headers);
+-    http->push_headers = NULL;
++    free_push_headers(http);
+   }
+ }
+
+@@ -559,7 +564,6 @@ static int push_promise(struct Curl_easy *data,
+     struct curl_pushheaders heads;
+     CURLMcode rc;
+     struct http_conn *httpc;
+-    size_t i;
+     /* clone the parent */
+     struct Curl_easy *newhandle = duphandle(data);
+     if(!newhandle) {
+@@ -595,11 +599,7 @@ static int push_promise(struct Curl_easy *data,
+     Curl_set_in_callback(data, false);
+
+     /* free the headers again */
+-    for(i = 0; i<stream->push_headers_used; i++)
+-      free(stream->push_headers[i]);
+-    free(stream->push_headers);
+-    stream->push_headers = NULL;
+-    stream->push_headers_used = 0;
++    free_push_headers(stream);
+
+     if(rv) {
+       DEBUGASSERT((rv > CURL_PUSH_OK) && (rv <= CURL_PUSH_ERROROUT));
+@@ -1033,10 +1033,10 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame,
+             stream->push_headers_alloc) {
+       char **headp;
+       stream->push_headers_alloc *= 2;
+-      headp = Curl_saferealloc(stream->push_headers,
+-                               stream->push_headers_alloc * sizeof(char *));
++      headp = realloc(stream->push_headers,
++                      stream->push_headers_alloc * sizeof(char *));
+       if(!headp) {
+-        stream->push_headers = NULL;
++        free_push_headers(stream);
+         return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+       }
+       stream->push_headers = headp;
+@@ -1204,11 +1204,7 @@ void Curl_http2_done(struct Curl_easy *data, bool premature)
+   Curl_dyn_free(&http->trailer_recvbuf);
+   if(http->push_headers) {
+     /* if they weren't used and then freed before */
+-    for(; http->push_headers_used > 0; --http->push_headers_used) {
+-      free(http->push_headers[http->push_headers_used - 1]);
+-    }
+-    free(http->push_headers);
+-    http->push_headers = NULL;
++    free_push_headers(http);
+   }
+
+   if(!(data->conn->handler->protocol&PROTO_FAMILY_HTTP) ||
+-- 
+2.34.1
+
diff --git a/SPECS/cmake/cmake.spec b/SPECS/cmake/cmake.spec
@@ -2,7 +2,7 @@
 Summary:        Cmake
 Name:           cmake
 Version:        3.21.4
-Release:        13%{?dist}
+Release:        14%{?dist}
 License:        BSD AND LGPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -29,6 +29,7 @@ Patch14:        CVE-2023-27538.patch
 Patch15:        CVE-2023-27535.patch
 Patch16:        CVE-2023-23916.patch
 Patch17:        CVE-2023-46218.patch
+Patch18:        CVE-2024-2398.patch
 BuildRequires:  bzip2
 BuildRequires:  bzip2-devel
 BuildRequires:  curl
@@ -94,6 +95,9 @@ bin/ctest --force-new-ctest-process --rerun-failed --output-on-failure
 %{_prefix}/doc/%{name}-*/*
 
 %changelog
+* Tue Nov 19 2024 Vince Perri <[email protected]> - 3.21.4-14
+- Patch CVE-2024-2398 (bundled curl).
+
 * Thu Nov 14 2024 Sharath Srikanth Chellappa <[email protected]> - 3.21.4-13
 - Patch CVE-2022-43552, CVE-2023-27536, CVE-2023-27535, CVE-2023-27538, CVE-2023-23916 and CVE-2023-46218.
 

diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -30,8 +30,8 @@ check-debuginfo-0.15.2-1.cm2.aarch64.rpm
 chkconfig-1.20-4.cm2.aarch64.rpm
 chkconfig-debuginfo-1.20-4.cm2.aarch64.rpm
 chkconfig-lang-1.20-4.cm2.aarch64.rpm
-cmake-3.21.4-13.cm2.aarch64.rpm
-cmake-debuginfo-3.21.4-13.cm2.aarch64.rpm
+cmake-3.21.4-14.cm2.aarch64.rpm
+cmake-debuginfo-3.21.4-14.cm2.aarch64.rpm
 coreutils-8.32-7.cm2.aarch64.rpm
 coreutils-debuginfo-8.32-7.cm2.aarch64.rpm
 coreutils-lang-8.32-7.cm2.aarch64.rpm

diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -31,8 +31,8 @@ check-debuginfo-0.15.2-1.cm2.x86_64.rpm
 chkconfig-1.20-4.cm2.x86_64.rpm
 chkconfig-debuginfo-1.20-4.cm2.x86_64.rpm
 chkconfig-lang-1.20-4.cm2.x86_64.rpm
-cmake-3.21.4-13.cm2.x86_64.rpm
-cmake-debuginfo-3.21.4-13.cm2.x86_64.rpm
+cmake-3.21.4-14.cm2.x86_64.rpm
+cmake-debuginfo-3.21.4-14.cm2.x86_64.rpm
 coreutils-8.32-7.cm2.x86_64.rpm
 coreutils-debuginfo-8.32-7.cm2.x86_64.rpm
 coreutils-lang-8.32-7.cm2.x86_64.rpm