From d16de56df1684376745f941602a40ad4b9a44e3f Mon Sep 17 00:00:00 2001
From: Vince Perri <5596945+vinceaperri@users.noreply.github.com>
Date: Wed, 20 Nov 2024 22:31:07 +0000
Subject: [PATCH] cmake: Patch CVE-2024-2398, CVE-2024-7264 in bundled curl and CVE-2024-28182 in bundled nghttp2

---
 SPECS/cmake/CVE-2024-2398.patch | 94 +++++++++++++++
 SPECS/cmake/CVE-2024-28182.patch | 108 ++++++++++++++++++
 SPECS/cmake/CVE-2024-7264-1.patch | 57 +++++++++
 SPECS/cmake/CVE-2024-7264-2.patch | 64 +++++++++++
 SPECS/cmake/cmake.spec | 10 +-
 .../manifests/package/toolchain_aarch64.txt | 4 +-
 .../manifests/package/toolchain_x86_64.txt | 4 +-
 7 files changed, 336 insertions(+), 5 deletions(-)
 create mode 100644 SPECS/cmake/CVE-2024-2398.patch
 create mode 100644 SPECS/cmake/CVE-2024-28182.patch
 create mode 100644 SPECS/cmake/CVE-2024-7264-1.patch
 create mode 100644 SPECS/cmake/CVE-2024-7264-2.patch

diff --git a/SPECS/cmake/CVE-2024-2398.patch b/SPECS/cmake/CVE-2024-2398.patch
new file mode 100644
index 00000000000..d1c192e24f6
--- /dev/null
+++ b/SPECS/cmake/CVE-2024-2398.patch
@@ -0,0 +1,94 @@
+From c9adb2114e9d9d4a50ff273234c2a1f8518aafd1 Mon Sep 17 00:00:00 2001
+From: Vince Perri <5596945+vinceaperri@users.noreply.github.com>
+Date: Wed, 20 Nov 2024 22:38:53 +0000
+Subject: [PATCH] http2: push headers better cleanup
+
+Original patch: https://github.com/curl/curl/commit/deca8039991886a559b67bcd6
+---
+ Utilities/cmcurl/lib/http2.c | 34 +++++++++++++++-------------------
+ 1 file changed, 15 insertions(+), 19 deletions(-)
+
+diff --git a/Utilities/cmcurl/lib/http2.c b/Utilities/cmcurl/lib/http2.c
+index f194c18b..50b8cd54 100644
+--- a/Utilities/cmcurl/lib/http2.c
++++ b/Utilities/cmcurl/lib/http2.c
+@@ -116,6 +116,15 @@ static int http2_getsock(struct Curl_easy *data,
+ return bitmap;
+ }
+
++static void free_push_headers(struct HTTP *stream)
++{
++ size_t i;
++ for(i = 0; ipush_headers_used; i++)
++ free(stream->push_headers[i]);
++ Curl_safefree(stream->push_headers);
++ stream->push_headers_used = 0;
++}
++
+ /*
+ * http2_stream_free() free HTTP2 stream related data
+ */
+@@ -123,11 +132,7 @@ static void http2_stream_free(struct HTTP *http)
+ {
+ if(http) {
+ Curl_dyn_free(&http->header_recvbuf);
+- for(; http->push_headers_used > 0; --http->push_headers_used) {
+- free(http->push_headers[http->push_headers_used - 1]);
+- }
+- free(http->push_headers);
+- http->push_headers = NULL;
++ free_push_headers(http);
+ }
+ }
+
+@@ -559,7 +564,6 @@ static int push_promise(struct Curl_easy *data,
+ struct curl_pushheaders heads;
+ CURLMcode rc;
+ struct http_conn *httpc;
+- size_t i;
+ /* clone the parent */
+ struct Curl_easy *newhandle = duphandle(data);
+ if(!newhandle) {
+@@ -595,11 +599,7 @@ static int push_promise(struct Curl_easy *data,
+ Curl_set_in_callback(data, false);
+
+ /* free the headers again */
+- for(i = 0; ipush_headers_used; i++)
+- free(stream->push_headers[i]);
+- free(stream->push_headers);
+- stream->push_headers = NULL;
+- stream->push_headers_used = 0;
++ free_push_headers(stream);
+
+ if(rv) {
+ DEBUGASSERT((rv > CURL_PUSH_OK) && (rv <= CURL_PUSH_ERROROUT));
+@@ -1033,10 +1033,10 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame,
+ stream->push_headers_alloc) {
+ char **headp;
+ stream->push_headers_alloc *= 2;
+- headp = Curl_saferealloc(stream->push_headers,
+- stream->push_headers_alloc * sizeof(char *));
++ headp = realloc(stream->push_headers,
++ stream->push_headers_alloc * sizeof(char *));
+ if(!headp) {
+- stream->push_headers = NULL;
++ free_push_headers(stream);
+ return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+ }
+ stream->push_headers = headp;
+@@ -1204,11 +1204,7 @@ void Curl_http2_done(struct Curl_easy *data, bool premature)
+ Curl_dyn_free(&http->trailer_recvbuf);
+ if(http->push_headers) {
+ /* if they weren't used and then freed before */
+- for(; http->push_headers_used > 0; --http->push_headers_used) {
+- free(http->push_headers[http->push_headers_used - 1]);
+- }
+- free(http->push_headers);
+- http->push_headers = NULL;
++ free_push_headers(http);
+ }
+
+ if(!(data->conn->handler->protocol&PROTO_FAMILY_HTTP) ||
+--
+2.34.1
+
diff --git a/SPECS/cmake/CVE-2024-28182.patch b/SPECS/cmake/CVE-2024-28182.patch
new file mode 100644
index 00000000000..9a71706148b
--- /dev/null
+++ b/SPECS/cmake/CVE-2024-28182.patch
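Review bot: The loop condition in the new `free_push_headers()` reads `for(i = 0; ipush_headers_used; i++)` as rendered here, which is not valid C (`ipush_headers_used` is an undeclared identifier) and would fail to compile once the patch is applied; the removed push_promise loop in the same hunk shows the identical text. This looks like `i < stream->push_headers_used` with the `<stream->` fragment dropped by the page rendering rather than by the author, so confirm that the committed SPECS/cmake/CVE-2024-2398.patch carries the full comparison, `for(i = 0; i < stream->push_headers_used; i++)`. Apart from that the helper and the `realloc` failure path match the upstream curl commit cited in the patch header.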
@@ -0,0 +1,108 @@
+From 875373fb67097281d4a4ff461e531b9bef947818 Mon Sep 17 00:00:00 2001
+From: Vince Perri <5596945+vinceaperri@users.noreply.github.com>
+Date: Thu, 21 Nov 2024 14:11:36 +0000
+Subject: [PATCH] Limit CONTINUATION frames following an incoming HEADER frame
+
+Original patch: https://github.com/nghttp2/nghttp2/commit/00201ecd8f982da3b67d4f6868af72a1b03b14e0
+---
+ Utilities/cmnghttp2/lib/includes/nghttp2/nghttp2.h | 7 ++++++-
+ Utilities/cmnghttp2/lib/nghttp2_helper.c | 2 ++
+ Utilities/cmnghttp2/lib/nghttp2_session.c | 8 ++++++++
+ Utilities/cmnghttp2/lib/nghttp2_session.h | 10 ++++++++++
+ 4 files changed, 26 insertions(+), 1 deletion(-)
+
+diff --git a/Utilities/cmnghttp2/lib/includes/nghttp2/nghttp2.h b/Utilities/cmnghttp2/lib/includes/nghttp2/nghttp2.h
+index e4e1d4fc..a140199a 100644
+--- a/Utilities/cmnghttp2/lib/includes/nghttp2/nghttp2.h
++++ b/Utilities/cmnghttp2/lib/includes/nghttp2/nghttp2.h
+@@ -428,7 +428,12 @@ typedef enum {
+ * exhaustion on server side to send these frames forever and does
+ * not read network.
+ */
+- NGHTTP2_ERR_FLOODED = -904
++ NGHTTP2_ERR_FLOODED = -904,
++ /**
++ * When a local endpoint receives too many CONTINUATION frames
++ * following a HEADER frame.
++ */
++ NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905,
+ } nghttp2_error;
+
+ /**
+diff --git a/Utilities/cmnghttp2/lib/nghttp2_helper.c b/Utilities/cmnghttp2/lib/nghttp2_helper.c
+index 91136a61..f150ab54 100644
+--- a/Utilities/cmnghttp2/lib/nghttp2_helper.c
++++ b/Utilities/cmnghttp2/lib/nghttp2_helper.c
+@@ -334,6 +334,8 @@ const char *nghttp2_strerror(int error_code) {
+ case NGHTTP2_ERR_FLOODED:
+ return "Flooding was detected in this HTTP/2 session, and it must be "
+ "closed";
++ case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS:
++ return "Too many CONTINUATION frames following a HEADER frame";
+ default:
+ return "Unknown error code";
+ }
+diff --git a/Utilities/cmnghttp2/lib/nghttp2_session.c b/Utilities/cmnghttp2/lib/nghttp2_session.c
+index a3c0b708..f02e3f95 100644
+--- a/Utilities/cmnghttp2/lib/nghttp2_session.c
++++ b/Utilities/cmnghttp2/lib/nghttp2_session.c
+@@ -463,6 +463,7 @@ static int session_new(nghttp2_session **session_ptr,
+
+ (*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;
+ (*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
++ (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS;
+
+ if (option) {
+ if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
+@@ -6297,6 +6298,8 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+ }
+ }
+ session_inbound_frame_reset(session);
++
++ session->num_continuations = 0;
+ }
+ break;
+ }
+@@ -6418,6 +6421,11 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+ }
+ #endif /* DEBUGBUILD */
+
++
++ if (++session->num_continuations > session->max_continuations) {
++ return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS;
++ }
++
+ readlen = inbound_frame_buf_read(iframe, in, last);
+ in += readlen;
+
+diff --git a/Utilities/cmnghttp2/lib/nghttp2_session.h b/Utilities/cmnghttp2/lib/nghttp2_session.h
+index b75294c3..f53acac7 100644
+--- a/Utilities/cmnghttp2/lib/nghttp2_session.h
++++ b/Utilities/cmnghttp2/lib/nghttp2_session.h
+@@ -107,6 +107,10 @@ typedef struct {
+ #define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000
+ #define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33
+
++/* The default max number of CONTINUATION frames following an incoming
++ HEADER frame. */
++#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8
++
+ /* Internal state when receiving incoming frame */
+ typedef enum {
+ /* Receiving frame header */
+@@ -277,6 +281,12 @@ struct nghttp2_session {
+ /* The maximum length of header block to send. Calculated by the
+ same way as nghttp2_hd_deflate_bound() does. */
+ size_t max_send_header_block_length;
++ /* The maximum number of CONTINUATION frames following an incoming
++ HEADER frame. */
++ size_t max_continuations;
++ /* The number of CONTINUATION frames following an incoming HEADER
++ frame. This variable is reset when END_HEADERS flag is seen. */
++ size_t num_continuations;
+ /* Next Stream ID. Made unsigned int to detect >= (1 << 31). */
+ uint32_t next_stream_id;
+ /* The last stream ID this session initiated. For client session,
+--
+2.34.1
+
diff --git a/SPECS/cmake/CVE-2024-7264-1.patch b/SPECS/cmake/CVE-2024-7264-1.patch
new file mode 100644
index 00000000000..f5b713b819f
--- /dev/null
+++ b/SPECS/cmake/CVE-2024-7264-1.patch
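Review bot: The new `max_continuations` field is only ever set in `session_new` from `NGHTTP2_DEFAULT_MAX_CONTINUATIONS`; none of the hunks in this file add an `nghttp2_option_*` setter, so for the bundled copy the value 8 is a fixed ceiling rather than a default, and the `#define` in nghttp2_session.h should say so, e.g. `/* Fixed for the bundled copy: no option setter is backported, so this is the effective limit. */`. That is probably acceptable for curl acting as an HTTP/2 client, but the patch description should state it so a later consumer does not expect the upstream tuning knob. From the visible lines, `num_continuations` is zeroed next to `session_inbound_frame_reset` (the comment on the field says this is the END_HEADERS path) and incremented before `inbound_frame_buf_read`, so exceeding the cap surfaces as `NGHTTP2_ERR_TOO_MANY_CONTINUATIONS` from `nghttp2_session_mem_recv`; both switch arms start and end outside the hunks, so the surrounding state checks could not be verified here.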
@@ -0,0 +1,57 @@
+From e5daecf74dd60974e7ae91e432032e6cfdaaf15e Mon Sep 17 00:00:00 2001
+From: Vince Perri <5596945+vinceaperri@users.noreply.github.com>
+Date: Thu, 21 Nov 2024 14:52:49 +0000
+Subject: [PATCH 1/2] x509asn1: clean up GTime2str
+
+Original patch: https://github.com/curl/curl/commit/3c914bc680155b321
+---
+ Utilities/cmcurl/lib/x509asn1.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/Utilities/cmcurl/lib/x509asn1.c b/Utilities/cmcurl/lib/x509asn1.c
+index 281c9724..b1160102 100644
+--- a/Utilities/cmcurl/lib/x509asn1.c
++++ b/Utilities/cmcurl/lib/x509asn1.c
+@@ -469,7 +469,7 @@ static const char *GTime2str(const char *beg, const char *end)
+ /* Convert an ASN.1 Generalized time to a printable string.
+ Return the dynamically allocated string, or NULL if an error occurs. */
+
+- for(fracp = beg; fracp < end && *fracp >= '0' && *fracp <= '9'; fracp++)
++ for(fracp = beg; fracp < end && ISDIGIT(*fracp); fracp++)
+ ;
+
+ /* Get seconds digits. */
+@@ -488,17 +488,22 @@ static const char *GTime2str(const char *beg, const char *end)
+ return NULL;
+ }
+
+- /* Scan for timezone, measure fractional seconds. */
++ /* timezone follows optional fractional seconds. */
+ tzp = fracp;
+- fracl = 0;
++ fracl = 0; /* no fractional seconds detected so far */
+ if(fracp < end && (*fracp == '.' || *fracp == ',')) {
+- fracp++;
+- do
++ /* Have fractional seconds, e.g. "[.,]\d+". How many? */
++ tzp = fracp++; /* should be a digit char or BAD ARGUMENT */
++ while(tzp < end && ISDIGIT(*tzp))
+ tzp++;
+- while(tzp < end && *tzp >= '0' && *tzp <= '9');
+- /* Strip leading zeroes in fractional seconds. */
+- for(fracl = tzp - fracp - 1; fracl && fracp[fracl - 1] == '0'; fracl--)
+- ;
++ if(tzp == fracp) /* never looped, no digit after [.,] */
++ return CURLE_BAD_FUNCTION_ARGUMENT;
++ fracl = tzp - fracp - 1; /* number of fractional sec digits */
++ DEBUGASSERT(fracl > 0);
++ /* Strip trailing zeroes in fractional seconds.
++ * May reduce fracl to 0 if only '0's are present. */
++ while(fracl && fracp[fracl - 1] == '0')
++ fracl--;
+ }
+
+ /* Process timezone. */
+--
+2.34.1
+
diff --git a/SPECS/cmake/CVE-2024-7264-2.patch b/SPECS/cmake/CVE-2024-7264-2.patch
new file mode 100644
index 00000000000..0a79a6f49be
--- /dev/null
+++ b/SPECS/cmake/CVE-2024-7264-2.patch
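Review bot: `return CURLE_BAD_FUNCTION_ARGUMENT;` is added to a function whose signature in the hunk header is `static const char *GTime2str(const char *beg, const char *end)` and whose contract, two lines into the first hunk, is "Return the dynamically allocated string, or NULL if an error occurs"; returning a CURLcode here converts a non-zero integer to `const char *` without a cast, which older GCC only warns about by default, and any caller honouring that contract would then dereference or free a small integer disguised as a pointer, turning a malformed certificate time (`.` or `,` with no digit after it) into a crash instead of a rejection. The line should be `return NULL;`, consistent with the `return NULL;` already visible at the top of the second hunk. The upstream commit named in the header targets a later x509asn1.c in which GTime2str returns CURLcode; that interface change is not part of this backport, and CVE-2024-7264-2.patch carries the same line as context, so fix it in this patch. GTime2str's body starts and ends outside both hunks.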
@@ -0,0 +1,64 @@
+From 13e627cf5b98be84a8cead6e4518932dba7f2cb7 Mon Sep 17 00:00:00 2001
+From: Vince Perri <5596945+vinceaperri@users.noreply.github.com>
+Date: Thu, 21 Nov 2024 15:02:39 +0000
+Subject: [PATCH 2/2] x509asn1: fixes for gtime2str
+
+Original patch: https://github.com/curl/curl/commit/27959ecce75cdb2
+---
+ Utilities/cmcurl/lib/x509asn1.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/Utilities/cmcurl/lib/x509asn1.c b/Utilities/cmcurl/lib/x509asn1.c
+index b1160102..ceb03e2a 100644
+--- a/Utilities/cmcurl/lib/x509asn1.c
++++ b/Utilities/cmcurl/lib/x509asn1.c
+@@ -493,12 +493,13 @@ static const char *GTime2str(const char *beg, const char *end)
+ fracl = 0; /* no fractional seconds detected so far */
+ if(fracp < end && (*fracp == '.' || *fracp == ',')) {
+ /* Have fractional seconds, e.g. "[.,]\d+". How many? */
+- tzp = fracp++; /* should be a digit char or BAD ARGUMENT */
++ fracp++; /* should be a digit char or BAD ARGUMENT */
++ tzp = fracp;
+ while(tzp < end && ISDIGIT(*tzp))
+ tzp++;
+ if(tzp == fracp) /* never looped, no digit after [.,] */
+ return CURLE_BAD_FUNCTION_ARGUMENT;
+- fracl = tzp - fracp - 1; /* number of fractional sec digits */
++ fracl = tzp - fracp; /* number of fractional sec digits */
+ DEBUGASSERT(fracl > 0);
+ /* Strip trailing zeroes in fractional seconds.
+ * May reduce fracl to 0 if only '0's are present. */
+@@ -507,18 +508,24 @@ static const char *GTime2str(const char *beg, const char *end)
+ }
+
+ /* Process timezone. */
+- if(tzp >= end)
+- ; /* Nothing to do. */
++ if(tzp >= end) {
++ tzp = "";
++ tzl = 0;
++ }
+ else if(*tzp == 'Z') {
+- tzp = " GMT";
+- end = tzp + 4;
++ sep = " ";
++ tzp = "GMT";
++ tzl = 3;
++ }
++ else if((*tzp == '+') || (*tzp == '-')) {
++ sep = " UTC";
++ tzl = end - tzp;
+ }
+ else {
+ sep = " ";
+- tzp++;
++ tzl = end - tzp;
+ }
+
+- tzl = end - tzp;
+ return curl_maprintf("%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s",
+ beg, beg + 4, beg + 6,
+ beg + 8, beg + 10, sec1, sec2,
+--
+2.34.1
+
diff --git a/SPECS/cmake/cmake.spec b/SPECS/cmake/cmake.spec
index 7cbf857dc73..89e74fb9da8 100644
--- a/SPECS/cmake/cmake.spec
+++ b/SPECS/cmake/cmake.spec
@@ -2,7 +2,7 @@
 Summary: Cmake
 Name: cmake
 Version: 3.21.4
-Release: 13%{?dist}
+Release: 14%{?dist}
 License: BSD AND LGPLv2+
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -29,6 +29,10 @@ Patch14: CVE-2023-27538.patch
 Patch15: CVE-2023-27535.patch
 Patch16: CVE-2023-23916.patch
 Patch17: CVE-2023-46218.patch
+Patch18: CVE-2024-2398.patch
+Patch19: CVE-2024-28182.patch
+Patch20: CVE-2024-7264-1.patch
+Patch21: CVE-2024-7264-2.patch
 BuildRequires: bzip2
 BuildRequires: bzip2-devel
 BuildRequires: curl
@@ -94,6 +98,10 @@ bin/ctest --force-new-ctest-process --rerun-failed --output-on-failure
 %{_prefix}/doc/%{name}-*/*

 %changelog
+* Thu Nov 21 2024 Vince Perri - 3.21.4-14
+- Patch CVE-2024-2398 and CVE-2024-7264 (bundled curl)
+- Patch CVE-2024-28182 (bundled nghttp2)
+
 * Thu Nov 14 2024 Sharath Srikanth Chellappa - 3.21.4-13
 - Patch CVE-2022-43552, CVE-2023-27536, CVE-2023-27535, CVE-2023-27538, CVE-2023-23916 and CVE-2023-46218.

diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index 8f25b9c9dbe..4f542e0608f 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
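Review bot: Patch18 through Patch21 are declared in the `@@ -29,6 +29,10 @@` hunk but this diff adds no step that applies them; if the spec's `%prep` lists patches explicitly (`%patch17 -p1` style) rather than using `%autosetup`, the four new files are never applied and 3.21.4-14 ships with the CVEs still open while the changelog claims otherwise. `%prep` is outside the visible hunks, so please confirm; if explicit lines are in use, add `%patch18 -p1` through `%patch21 -p1` after the existing `%patch17` line. Note also that CVE-2024-7264-2.patch rewrites lines introduced by CVE-2024-7264-1.patch (its pre-image blob b1160102 is the post-image of the first), so the two must be applied in numeric order.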
@@ -30,8 +30,8 @@ check-debuginfo-0.15.2-1.cm2.aarch64.rpm
 chkconfig-1.20-4.cm2.aarch64.rpm
 chkconfig-debuginfo-1.20-4.cm2.aarch64.rpm
 chkconfig-lang-1.20-4.cm2.aarch64.rpm
-cmake-3.21.4-13.cm2.aarch64.rpm
-cmake-debuginfo-3.21.4-13.cm2.aarch64.rpm
+cmake-3.21.4-14.cm2.aarch64.rpm
+cmake-debuginfo-3.21.4-14.cm2.aarch64.rpm
 coreutils-8.32-7.cm2.aarch64.rpm
 coreutils-debuginfo-8.32-7.cm2.aarch64.rpm
 coreutils-lang-8.32-7.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index 2b821d4f2aa..e017743db16 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -31,8 +31,8 @@ check-debuginfo-0.15.2-1.cm2.x86_64.rpm
 chkconfig-1.20-4.cm2.x86_64.rpm
 chkconfig-debuginfo-1.20-4.cm2.x86_64.rpm
 chkconfig-lang-1.20-4.cm2.x86_64.rpm
-cmake-3.21.4-13.cm2.x86_64.rpm
-cmake-debuginfo-3.21.4-13.cm2.x86_64.rpm
+cmake-3.21.4-14.cm2.x86_64.rpm
+cmake-debuginfo-3.21.4-14.cm2.x86_64.rpm
 coreutils-8.32-7.cm2.x86_64.rpm
 coreutils-debuginfo-8.32-7.cm2.x86_64.rpm
 coreutils-lang-8.32-7.cm2.x86_64.rpm