From abab070ca153e487dfd298e57ebdee7c955aa1c9 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Thu, 18 Dec 2025 12:31:48 +0000 Subject: [PATCH] import UBI curl-7.61.1-34.el8_10.9 --- SOURCES/0068-curl-7.61.1-CVE-2025-9086.patch | 29 ++++++++++++++++++++ SPECS/curl.spec | 10 ++++++- 2 files changed, 38 insertions(+), 1 deletion(-) create mode 100644 SOURCES/0068-curl-7.61.1-CVE-2025-9086.patch diff --git a/SOURCES/0068-curl-7.61.1-CVE-2025-9086.patch b/SOURCES/0068-curl-7.61.1-CVE-2025-9086.patch new file mode 100644 index 0000000..3f70f62 --- /dev/null +++ b/SOURCES/0068-curl-7.61.1-CVE-2025-9086.patch @@ -0,0 +1,29 @@ +From c6ae07c6a541e0e96d0040afb62b45dd37711300 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 11 Aug 2025 20:23:05 +0200 +Subject: [PATCH] cookie: don't treat the leading slash as trailing + +If there is only a leading slash in the path, keep that. Also add an +assert to make sure the path is never blank. + +Reported-by: Google Big Sleep +Closes #18266 +--- + lib/cookie.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/lib/cookie.c b/lib/cookie.c +index 914a4aca12ac..b72dd99bce9b 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -420,8 +420,9 @@ static char *sanitize_cookie_path(const char *cookie_path) + return new_path; + } + ++ /* remove trailing slash when path is non-empty (len > 1) */ + /* convert /hoge/ to /hoge */ +- if(len && new_path[len - 1] == '/') { ++ if(len > 1 && new_path[len - 1] == '/') { + new_path[len - 1] = 0x0; + } + diff --git a/SPECS/curl.spec b/SPECS/curl.spec index 0718243..5939ad0 100644 --- a/SPECS/curl.spec +++ b/SPECS/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.61.1 -Release: 34%{?dist}.8 +Release: 34%{?dist}.9 License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -196,6 +196,9 @@ Patch66: 0066-crypto-initialization.patch # NTLM: force the connection to HTTP/1.1 Patch67: 0067-curl-7.61.1-ntlm-force-http-1-1.patch +# cookie: don't treat the leading slash as trailing (CVE-2025-9086) +Patch68: 0068-curl-7.61.1-CVE-2025-9086.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -436,6 +439,7 @@ git apply %{PATCH52} %patch -P 65 -p1 %patch -P 66 -p1 %patch -P 67 -p1 +%patch -P 68 -p1 # make tests/*.py use Python 3 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py @@ -598,6 +602,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Fri Oct 24 2025 Jacek Migacz - 7.61.1-34.el8_10.9 +- cookie: don't treat the leading slash as trailing (CVE-2025-9086) + Resolves: RHEL-121655 + * Mon Jul 21 2025 Jacek Migacz - 7.61.1-34.el8_10.8 - NTLM: force the connection to HTTP/1.1 (RHEL-73788)