import UBI curl-7.61.1-34.el8_10.9

2025-12-18 12:31:48 +00:00 · 2025-12-18 12:31:48 +00:00 · abab070ca1
commit abab070ca1
parent b77a689723
2 changed files with 38 additions and 1 deletions
--- a/SOURCES/0068-curl-7.61.1-CVE-2025-9086.patch
+++ b/SOURCES/0068-curl-7.61.1-CVE-2025-9086.patch
@ -0,0 +1,29 @@
+From c6ae07c6a541e0e96d0040afb62b45dd37711300 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 11 Aug 2025 20:23:05 +0200
+Subject: [PATCH] cookie: don't treat the leading slash as trailing
+
+If there is only a leading slash in the path, keep that. Also add an
+assert to make sure the path is never blank.
+
+Reported-by: Google Big Sleep
+Closes #18266
+---
+ lib/cookie.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 914a4aca12ac..b72dd99bce9b 100644
+--- a/lib/cookie.c
+++ b/lib/cookie.c
+@@ -420,8 +420,9 @@ static char *sanitize_cookie_path(const char *cookie_path)
+     return new_path;
+   }
+
+  /* remove trailing slash when path is non-empty (len > 1) */
+   /* convert /hoge/ to /hoge */
+-  if(len && new_path[len - 1] == '/') {
+  if(len > 1 && new_path[len - 1] == '/') {
+     new_path[len - 1] = 0x0;
+   }
+ 
--- a/SPECS/curl.spec
+++ b/SPECS/curl.spec
@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.61.1
-Release: 34%{?dist}.8
+Release: 34%{?dist}.9
 License: MIT
 Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz

@ -196,6 +196,9 @@ Patch66:  0066-crypto-initialization.patch
 # NTLM: force the connection to HTTP/1.1
 Patch67:  0067-curl-7.61.1-ntlm-force-http-1-1.patch

+# cookie: don't treat the leading slash as trailing (CVE-2025-9086)
+Patch68:  0068-curl-7.61.1-CVE-2025-9086.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch

@ -436,6 +439,7 @@ git apply %{PATCH52}
 %patch -P 65 -p1
 %patch -P 66 -p1
 %patch -P 67 -p1
+%patch -P 68 -p1

 # make tests/*.py use Python 3
 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
@ -598,6 +602,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal

 %changelog
+* Fri Oct 24 2025 Jacek Migacz <jmigacz@redhat.com> - 7.61.1-34.el8_10.9
+- cookie: don't treat the leading slash as trailing (CVE-2025-9086)
+  Resolves: RHEL-121655
+
 * Mon Jul 21 2025 Jacek Migacz <jmigacz@redhat.com> - 7.61.1-34.el8_10.8
 - NTLM: force the connection to HTTP/1.1 (RHEL-73788)