cmake: Fixes for CVE-2022-43552, CVE-2023-27536, CVE-2023-27535, CVE-2023-27538, CVE-2023-23916 and CVE-2023-46218

[sharath-srikanth-chellappa]

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

• The toolchain has been rebuilt successfully (or no changes were made to it)
• The toolchain/worker package manifests are up-to-date
• Any updated packages successfully build (or no packages were changed)
• Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
• Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
• All package sources are available
• cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
• LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
• All source files have up-to-date hashes in the *.signatures.json files
• sudo make go-tidy-all and sudo make go-test-coverage pass
• Documentation has been updated to match any changes to the build system
• Ready to merge

---

Summary

What does the PR accomplish, why was it needed?

Patches for CVE-2022-43552, CVE-2023-27536, CVE-2023-27535, CVE-2023-27538, CVE-2023-23916 and CVE-2023-46218

Based on upstream fixes:

• curl/curl@cb49e67303dba
• https://github.com/curl/curl/commit/4f20188ac644afe174be6005ef4f6ffba232b8b2.patch
• curl/curl@8f4608468b890dc
• curl/curl@af369db4d3833272b8ed
• curl/curl@119fb187192a9ea13dc
• curl/curl@2b0994c29a721c91c57

Change Log

• CVE-2023-27536
• CVE-2022-43552
• CVE-2023-27535
• CVE-2023-27538
• CVE-2023-23916
• CVE-2023-46218

Does this affect the toolchain?

YES

Associated issues

• #xxxx

Links to CVEs

• https://nvd.nist.gov/vuln/detail/CVE-2023-27536
• https://nvd.nist.gov/vuln/detail/CVE-2022-43552
• https://nvd.nist.gov/vuln/detail/CVE-2023-27535
• https://nvd.nist.gov/vuln/detail/CVE-2023-27538
• https://nvd.nist.gov/vuln/detail/CVE-2023-23916
• https://nvd.nist.gov/vuln/detail/CVE-2023-46218

Test Methodology

• Pipeline build id: https://dev.azure.com/mariner-org/mariner/_build/results?buildId=676654&view=results

[anphel31]

can you please update the toolchain manifests with the new cmake revision?

[anphel31]

It looks like we have another PR which upgrades cmake and supercedes these patches.
#11037

[sharath-srikanth-chellappa]

can you please update the toolchain manifests with the new cmake revision?

Have updated the toolkits for arm64 and amd64

It looks like we have another PR which upgrades cmake and supercedes these patches. #11037

Have gone ahead and closed this PR which I created.

@anphel31 Can you please take a look

[anphel31]

@sharath-srikanth-chellappa , the closed PR #11037 contains fixes for many other CVES. Do you plan to include those in this PR?

[sharath-srikanth-chellappa]

@sharath-srikanth-chellappa , the closed PR #11037 contains fixes for many other CVES. Do you plan to include those in this PR?

@anphel31
No I don't plan to. There are many new patches that have been introduced by other CVEs which make the direct upgrade of the package version much harder. The cmake package building itself fails in the case that I do such a major version upgrade. This is the reason why I closed out the initial approach (of upgrading the cmake package version) and upgrading individual CVEs assigned.

[sharath-srikanth-chellappa]

@anphel31 @jslobodzian - I have gone ahead and added multiple CVEs to the same PR. Can you please take a look and reapprove so that I can merge it. Thanks in advance.