diff --git a/SPECS/cmake/CVE-2023-27535.patch b/SPECS/cmake/CVE-2023-27535.patch index 366dcc3e29d..0849aeca5ae 100644 --- a/SPECS/cmake/CVE-2023-27535.patch +++ b/SPECS/cmake/CVE-2023-27535.patch @@ -6,46 +6,38 @@ Subject: [PATCH] Patch for CVE-2023-27535 Upstream patch: https://github.com/curl/curl/commit/8f4608468b890dc --- - Utilities/cmcurl/lib/ftp.c | 30 ++++++++++++++++++++++++++++-- + Utilities/cmcurl/lib/ftp.c | 29 +++++++++++++++++++++++++++-- Utilities/cmcurl/lib/ftp.h | 5 +++++ Utilities/cmcurl/lib/setopt.c | 1 + Utilities/cmcurl/lib/url.c | 16 +++++++++++++++- Utilities/cmcurl/lib/urldata.h | 4 ++-- - 5 files changed, 51 insertions(+), 5 deletions(-) + 5 files changed, 50 insertions(+), 5 deletions(-) diff --git a/Utilities/cmcurl/lib/ftp.c b/Utilities/cmcurl/lib/ftp.c -index 425b0afec6..5839296ec2 100644 +index 425b0afec6..776a65f956 100644 --- a/Utilities/cmcurl/lib/ftp.c +++ b/Utilities/cmcurl/lib/ftp.c 
@@ -4084,6 +4084,8 @@ static CURLcode ftp_disconnect(struct Curl_easy *data, } - + freedirs(ftpc); + Curl_safefree(ftpc->account); + Curl_safefree(ftpc->alternative_to_user); Curl_safefree(ftpc->prevpath); Curl_safefree(ftpc->server_os); Curl_pp_disconnect(pp); -@@ -4108,6 +4110,7 @@ CURLcode ftp_parse_url_path(struct Curl_easy *data) - const char *slashPos = NULL; - const char *fileName = NULL; - CURLcode result = CURLE_OK; -+ struct ftp_conn *ftpc = &conn->proto.ftpc; - char *rawPath = NULL; /* url-decoded "raw" path */ - size_t pathLen = 0; - -@@ -4344,11 +4347,32 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data, +@@ -4344,11 +4346,32 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data, { char *type; struct FTP *ftp; + CURLcode result = CURLE_OK; + struct ftp_conn *ftpc = &conn->proto.ftpc; - + - data->req.p.ftp = ftp = calloc(sizeof(struct FTP), 1); + ftp = calloc(sizeof(struct FTP), 1); if(NULL == ftp) return CURLE_OUT_OF_MEMORY; - + + /* clone connection related data that is FTP specific */ + if(data->set.str[STRING_FTP_ACCOUNT]) { + ftpc->account = strdup(data->set.str[STRING_FTP_ACCOUNT]); @@ -66,9 +58,9 @@ index 425b0afec6..5839296ec2 100644 + data->req.p.ftp = ftp; + ftp->path = &data->state.up.path[1]; /* don't include the initial slash */ - + /* FTP URLs support an extension like ";type=" that -@@ -4383,7 +4407,9 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data, +@@ -4383,7 +4406,9 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data, /* get some initial data into the ftp struct */ ftp->transfer = PPTRANSFER_BODY; ftp->downloadsize = 0; @@ -76,7 +68,7 @@ index 425b0afec6..5839296ec2 100644 + ftpc->known_filesize = -1; /* unknown size for now */ + ftpc->use_ssl = data->set.use_ssl; + ftpc->ccc = data->set.ftp_ccc; - + return CURLE_OK; } diff --git a/Utilities/cmcurl/lib/ftp.h b/Utilities/cmcurl/lib/ftp.h 
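Review bot: The patch header in the first hunk of CVE-2023-27535.patch still cites only upstream commit 8f4608468b890dc, yet this revision drops the `ftp_parse_url_path` hunk and renumbers the later ones, so the carried file appears to be a hand-adapted backport rather than the upstream change verbatim. Someone auditing the CVE-2023-27535 fix against upstream has no record of what was altered for the bundled cmcurl. I would add a line under `Upstream patch:` such as `Backport notes: adapted to the cmcurl copy bundled with cmake 3.21.4; <list deviations from upstream>`. The `ftp_setup_connection` body, including what happens when the added `strdup` fails, continues outside this hunk and should be compared with upstream when that note is written.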
@@ -112,7 +104,7 @@ index fb8b86d474..10c6872bb3 100644 data->set.use_ssl = (curl_usessl)arg; + data->set.use_ssl = (unsigned char)arg; break; - + case CURLOPT_SSL_OPTIONS: diff --git a/Utilities/cmcurl/lib/url.c b/Utilities/cmcurl/lib/url.c index ca40322504..e00c56300b 100644 @@ -121,7 +113,7 @@ index ca40322504..e00c56300b 100644 @@ -1334,10 +1334,24 @@ ConnectionExists(struct Curl_easy *data, (data->state.httpwant < CURL_HTTP_VERSION_2_0)) continue; - + - if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) { +#ifdef USE_SSH + else if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) { @@ -141,7 +133,7 @@ index ca40322504..e00c56300b 100644 + continue; + } +#endif - + if((needle->handler->flags&PROTOPT_SSL) #ifndef CURL_DISABLE_PROXY diff --git a/Utilities/cmcurl/lib/urldata.h b/Utilities/cmcurl/lib/urldata.h @@ -166,5 +158,5 @@ index 365b6821b1..ef3a58e55a 100644 BIT(is_fread_set); /* has read callback been set to non-NULL? */ BIT(is_fwrite_set); /* has write callback been set to non-NULL? */ BIT(free_referer); /* set TRUE if 'referer' points to a string we --- +-- 2.45.2 diff --git a/SPECS/cmake/cmake.spec b/SPECS/cmake/cmake.spec index 73dec9c010f..fbf063d37e7 100644 --- a/SPECS/cmake/cmake.spec +++ b/SPECS/cmake/cmake.spec @@ -2,7 +2,7 @@ Summary: Cmake Name: cmake Version: 3.21.4 -Release: 14%{?dist} +Release: 13%{?dist} License: BSD AND LGPLv2+ Vendor: Microsoft Corporation Distribution: Mariner @@ -92,11 +92,8 @@ bin/ctest --force-new-ctest-process --rerun-failed --output-on-failure %{_prefix}/doc/%{name}-*/* %changelog -* Wed Nov 13 2024 Sharath Srikanth Chellappa - 3.21.4-14 -- Patch CVE-2023-27535 and CVE-2023-27538 - -* Tue Nov 12 2024 Sharath Srikanth Chellappa - 3.21.4-13 -- Patch CVE-2022-43552 and CVE-2023-27536 +* Thu Nov 14 2024 Sharath Srikanth Chellappa - 3.21.4-13 +- Patch CVE-2022-43552, CVE-2023-27536, CVE-2023-27535 and CVE-2023-27538 * Wed Sep 18 2024 Suresh Thelkar - 3.21.4-12 - Patch CVE-2023-27533 and CVE-2023-27534 
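Review bot: Lowering `Release` from 14 to 13 in the first cmake.spec hunk reuses a release number that, per the changelog entries removed in the second hunk, was already assigned to a build carrying only the CVE-2022-43552 and CVE-2023-27536 patches. If 3.21.4-13 or 3.21.4-14 was ever built or published, two different payloads would share one NEVR and hosts already on -14 would not move to this rebuilt package. Vulnerability scanners and SBOM consumers then could not tell from the version whether the CVE-2023-27535 and CVE-2023-27538 fixes are present. Unless those releases never left this branch, keep the number monotonic, for example `Release: 15%{?dist}` with its own changelog entry, and carry the same number into the two toolchain manifest hunks.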
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index 6bfc9435b4c..25e2e49564e 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -30,8 +30,8 @@ check-debuginfo-0.15.2-1.cm2.aarch64.rpm
 chkconfig-1.20-4.cm2.aarch64.rpm
 chkconfig-debuginfo-1.20-4.cm2.aarch64.rpm
 chkconfig-lang-1.20-4.cm2.aarch64.rpm
-cmake-3.21.4-14.cm2.aarch64.rpm
-cmake-debuginfo-3.21.4-14.cm2.aarch64.rpm
+cmake-3.21.4-13.cm2.aarch64.rpm
+cmake-debuginfo-3.21.4-13.cm2.aarch64.rpm
 coreutils-8.32-7.cm2.aarch64.rpm
 coreutils-debuginfo-8.32-7.cm2.aarch64.rpm
 coreutils-lang-8.32-7.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index ecc608e90eb..4d57a7db1ab 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -31,8 +31,8 @@ check-debuginfo-0.15.2-1.cm2.x86_64.rpm
 chkconfig-1.20-4.cm2.x86_64.rpm
 chkconfig-debuginfo-1.20-4.cm2.x86_64.rpm
 chkconfig-lang-1.20-4.cm2.x86_64.rpm
-cmake-3.21.4-14.cm2.x86_64.rpm
-cmake-debuginfo-3.21.4-14.cm2.x86_64.rpm
+cmake-3.21.4-13.cm2.x86_64.rpm
+cmake-debuginfo-3.21.4-13.cm2.x86_64.rpm
 coreutils-8.32-7.cm2.x86_64.rpm
 coreutils-debuginfo-8.32-7.cm2.x86_64.rpm
 coreutils-lang-8.32-7.cm2.x86_64.rpm