Patch for CVE-2023-27538 and CVE-2023-27535 - v3

SPECS/cmake/CVE-2023-27535.patch

@@ -6,46 +6,38 @@ Subject: [PATCH] Patch for CVE-2023-27535
 Upstream patch: https://github.com/curl/curl/commit/8f4608468b890dc
 
 ---
- Utilities/cmcurl/lib/ftp.c     | 30 ++++++++++++++++++++++++++++--
+ Utilities/cmcurl/lib/ftp.c     | 29 +++++++++++++++++++++++++++--
  Utilities/cmcurl/lib/ftp.h     |  5 +++++
  Utilities/cmcurl/lib/setopt.c  |  1 +
  Utilities/cmcurl/lib/url.c     | 16 +++++++++++++++-
  Utilities/cmcurl/lib/urldata.h |  4 ++--
- 5 files changed, 51 insertions(+), 5 deletions(-)
+ 5 files changed, 50 insertions(+), 5 deletions(-)
 
 diff --git a/Utilities/cmcurl/lib/ftp.c b/Utilities/cmcurl/lib/ftp.c
-index 425b0afec6..5839296ec2 100644
+index 425b0afec6..776a65f956 100644
 --- a/Utilities/cmcurl/lib/ftp.c
 +++ b/Utilities/cmcurl/lib/ftp.c
 @@ -4084,6 +4084,8 @@ static CURLcode ftp_disconnect(struct Curl_easy *data,
    }
-
+ 
    freedirs(ftpc);
 +  Curl_safefree(ftpc->account);
 +  Curl_safefree(ftpc->alternative_to_user);
    Curl_safefree(ftpc->prevpath);
    Curl_safefree(ftpc->server_os);
    Curl_pp_disconnect(pp);
-@@ -4108,6 +4110,7 @@ CURLcode ftp_parse_url_path(struct Curl_easy *data)
-   const char *slashPos = NULL;
-   const char *fileName = NULL;
-   CURLcode result = CURLE_OK;
-+  struct ftp_conn *ftpc = &conn->proto.ftpc;
-   char *rawPath = NULL; /* url-decoded "raw" path */
-   size_t pathLen = 0;
-
-@@ -4344,11 +4347,32 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data,
+@@ -4344,11 +4346,32 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data,
  {
    char *type;
    struct FTP *ftp;
 +  CURLcode result = CURLE_OK;
 +  struct ftp_conn *ftpc = &conn->proto.ftpc;
-
+ 
 -  data->req.p.ftp = ftp = calloc(sizeof(struct FTP), 1);
 +  ftp = calloc(sizeof(struct FTP), 1);
    if(NULL == ftp)
      return CURLE_OUT_OF_MEMORY;
-
+ 
 +  /* clone connection related data that is FTP specific */
 +  if(data->set.str[STRING_FTP_ACCOUNT]) {
 +    ftpc->account = strdup(data->set.str[STRING_FTP_ACCOUNT]);
@@ -66,17 +58,17 @@ index 425b0afec6..5839296ec2 100644
 +  data->req.p.ftp = ftp;
 +
    ftp->path = &data->state.up.path[1]; /* don't include the initial slash */
-
+ 
    /* FTP URLs support an extension like ";type=<typecode>" that
-@@ -4383,7 +4407,9 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data,
+@@ -4383,7 +4406,9 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data,
    /* get some initial data into the ftp struct */
    ftp->transfer = PPTRANSFER_BODY;
    ftp->downloadsize = 0;
 -  conn->proto.ftpc.known_filesize = -1; /* unknown size for now */
 +  ftpc->known_filesize = -1; /* unknown size for now */
 +  ftpc->use_ssl = data->set.use_ssl;
 +  ftpc->ccc = data->set.ftp_ccc;
-
+ 
    return CURLE_OK;
  }
 diff --git a/Utilities/cmcurl/lib/ftp.h b/Utilities/cmcurl/lib/ftp.h
@@ -112,7 +104,7 @@ index fb8b86d474..10c6872bb3 100644
      data->set.use_ssl = (curl_usessl)arg;
 +    data->set.use_ssl = (unsigned char)arg;
      break;
-
+ 
    case CURLOPT_SSL_OPTIONS:
 diff --git a/Utilities/cmcurl/lib/url.c b/Utilities/cmcurl/lib/url.c
 index ca40322504..e00c56300b 100644
@@ -121,7 +113,7 @@ index ca40322504..e00c56300b 100644
 @@ -1334,10 +1334,24 @@ ConnectionExists(struct Curl_easy *data,
           (data->state.httpwant < CURL_HTTP_VERSION_2_0))
          continue;
-
+ 
 -      if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) {
 +#ifdef USE_SSH
 +      else if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) {
@@ -141,7 +133,7 @@ index ca40322504..e00c56300b 100644
 +          continue;
 +      }
 +#endif
-
+ 
        if((needle->handler->flags&PROTOPT_SSL)
  #ifndef CURL_DISABLE_PROXY
 diff --git a/Utilities/cmcurl/lib/urldata.h b/Utilities/cmcurl/lib/urldata.h
@@ -166,5 +158,5 @@ index 365b6821b1..ef3a58e55a 100644
    BIT(is_fread_set); /* has read callback been set to non-NULL? */
    BIT(is_fwrite_set); /* has write callback been set to non-NULL? */
    BIT(free_referer); /* set TRUE if 'referer' points to a string we
---
+-- 
 2.45.2

SPECS/cmake/cmake.spec

@@ -2,7 +2,7 @@
 Summary:        Cmake
 Name:           cmake
 Version:        3.21.4
-Release:        14%{?dist}
+Release:        13%{?dist}
 License:        BSD AND LGPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -92,11 +92,8 @@ bin/ctest --force-new-ctest-process --rerun-failed --output-on-failure
 %{_prefix}/doc/%{name}-*/*
 
 %changelog
-* Wed Nov 13 2024 Sharath Srikanth Chellappa <[email protected]> - 3.21.4-14
-- Patch CVE-2023-27535 and CVE-2023-27538
-
-* Tue Nov 12 2024 Sharath Srikanth Chellappa <[email protected]> - 3.21.4-13
-- Patch CVE-2022-43552 and CVE-2023-27536
+* Thu Nov 14 2024 Sharath Srikanth Chellappa <[email protected]> - 3.21.4-13
+- Patch CVE-2022-43552, CVE-2023-27536, CVE-2023-27535 and CVE-2023-27538
 
 * Wed Sep 18 2024 Suresh Thelkar <[email protected]> - 3.21.4-12
 - Patch CVE-2023-27533 and CVE-2023-27534

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -30,8 +30,8 @@ check-debuginfo-0.15.2-1.cm2.aarch64.rpm
 chkconfig-1.20-4.cm2.aarch64.rpm
 chkconfig-debuginfo-1.20-4.cm2.aarch64.rpm
 chkconfig-lang-1.20-4.cm2.aarch64.rpm
-cmake-3.21.4-14.cm2.aarch64.rpm
-cmake-debuginfo-3.21.4-14.cm2.aarch64.rpm
+cmake-3.21.4-13.cm2.aarch64.rpm
+cmake-debuginfo-3.21.4-13.cm2.aarch64.rpm
 coreutils-8.32-7.cm2.aarch64.rpm
 coreutils-debuginfo-8.32-7.cm2.aarch64.rpm
 coreutils-lang-8.32-7.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -31,8 +31,8 @@ check-debuginfo-0.15.2-1.cm2.x86_64.rpm
 chkconfig-1.20-4.cm2.x86_64.rpm
 chkconfig-debuginfo-1.20-4.cm2.x86_64.rpm
 chkconfig-lang-1.20-4.cm2.x86_64.rpm
-cmake-3.21.4-14.cm2.x86_64.rpm
-cmake-debuginfo-3.21.4-14.cm2.x86_64.rpm
+cmake-3.21.4-13.cm2.x86_64.rpm
+cmake-debuginfo-3.21.4-13.cm2.x86_64.rpm
 coreutils-8.32-7.cm2.x86_64.rpm
 coreutils-debuginfo-8.32-7.cm2.x86_64.rpm
 coreutils-lang-8.32-7.cm2.x86_64.rpm