From 3090c95e1923e572f7caadcf615e25922d5cbb0d Mon Sep 17 00:00:00 2001 From: sa-buc Date: Thu, 18 Sep 2025 14:29:04 +0800 Subject: [PATCH] fix cve --- 0004-fix-CVE-2025-9086.patch | 54 ++++++++++++++++++++++++++++++++++++ curl.spec | 20 +++++++------ 2 files changed, 66 insertions(+), 8 deletions(-) create mode 100644 0004-fix-CVE-2025-9086.patch diff --git a/0004-fix-CVE-2025-9086.patch b/0004-fix-CVE-2025-9086.patch new file mode 100644 index 0000000..8ff6c0f --- /dev/null +++ b/0004-fix-CVE-2025-9086.patch @@ -0,0 +1,54 @@ +From c6ae07c6a541e0e96d0040afb62b45dd37711300 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 11 Aug 2025 20:23:05 +0200 +Subject: [PATCH] cookie: don't treat the leading slash as trailing + +If there is only a leading slash in the path, keep that. Also add an +assert to make sure the path is never blank. + +Reported-by: Google Big Sleep +Closes #18266 + +Conflict:context adapt +delete comment change which not exist +cookie_path => new_path +Reference:https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb62b45dd37711300 +--- + lib/cookie.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/lib/cookie.c b/lib/cookie.c +index 914a4aca1..b72dd99bc 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -296,7 +296,7 @@ static char *sanitize_cookie_path(const char *cookie_path) + } + + /* convert /hoge/ to /hoge */ +- if(len && new_path[len - 1] == '/') { ++ if(len > 1 && new_path[len - 1] == '/') { + new_path[len - 1] = 0x0; + } + +@@ -965,7 +965,7 @@ replace_existing(struct Curl_easy *data, + clist->spath && co->spath && /* both have paths */ + clist->secure && !co->secure && !secure) { + size_t cllen; +- const char *sep; ++ const char *sep = NULL; + + /* + * A non-secure cookie may not overlay an existing secure cookie. +@@ -974,8 +974,9 @@ replace_existing(struct Curl_easy *data, + * "/loginhelper" is ok. + */ + +- sep = strchr(clist->spath + 1, '/'); +- ++ DEBUGASSERT(clist->spath[0]); ++ if(clist->spath[0]) ++ sep = strchr(clist->spath + 1, '/'); + if(sep) + cllen = sep - clist->spath; + else + diff --git a/curl.spec b/curl.spec index d6d8309..9b54883 100644 --- a/curl.spec +++ b/curl.spec @@ -1,4 +1,4 @@ -%define anolis_release 11 +%define anolis_release 12 Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Epoch: 1 @@ -95,7 +95,8 @@ Patch: 1003-fix-CVE-2024-7264-2.patch Patch: 1004-fix-CVE-2024-8096.patch #https://github.com/curl/curl/commit/76f83f0db23846e254d940ec7fe141010077eb88 Patch: 1005-fix-CVE-2025-0725.patch - +# https://security-tracker.debian.org/tracker/CVE-2025-9086 +Patch: 0004-fix-CVE-2025-9086.patch # The test-suite runs automatically through valgrind if valgrind is available # on the system. By not installing valgrind into mock's chroot, we disable # this feature for production builds on architectures where valgrind is known @@ -387,14 +388,17 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %doc docs/TheArtOfHttpScripting.md %changelog +* Thu Sep 18 2025 zhoujiajia111 -8.4.0-12 +- Fix CVE-2025-9086 + * Fri May 23 2025 Cheng Yang - 8.4.0-11 -* Fix CVE-2025-0725 +- Fix CVE-2025-0725 -*Thu May 22 2025 Ali - 8.4.0-10 --fix CVE-2024-8096 +* Thu May 22 2025 Ali - 8.4.0-10 +- fix CVE-2024-8096 -*Tue May 20 2025 Ali - 8.4.0-9 --fix CVE-2024-7264 +* Tue May 20 2025 Ali - 8.4.0-9 +- fix CVE-2024-7264 * Sun Apr 27 2025 mgb01105731 - 8.4.0-8 - Add patch to fix CVE-2024-11053 and CVE-2025-0167 @@ -402,7 +406,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la * Wed Mar 12 2025 shenzl - 8.4.0-7 - fix CVE-2025-0665 -* Tue Aug 13 2024 mgb01105731 - 8.4.0-6 +* Tue Mar 11 2025 mgb01105731 - 8.4.0-6 - cherry-pick fix CVE-2024-2004 and add Epoch for requires and provides - Fix CVE-2023-46218 and CVE-2023-46219 -- Gitee