From 0fca99c9f8a377728ea126f5b41d6b376414c0a6 Mon Sep 17 00:00:00 2001
From: AlmaLinux RelEng Bot
Date: Mon, 30 Mar 2026 11:19:25 -0400
Subject: [PATCH] import CS curl-7.76.1-40.el9
---
 SOURCES/0041-curl-7.76.1-CVE-2025-9086.patch | 48 ++++++++
 ...-7.76.1-respect-system-crypto-policy.patch | 110 ++++++++++++++++++
 ...ttp-fix-crash-in-rate-limited-upload.patch | 42 +++++++
 SPECS/curl.spec | 35 +++++-
 4 files changed, 233 insertions(+), 2 deletions(-)
 create mode 100644 SOURCES/0041-curl-7.76.1-CVE-2025-9086.patch
 create mode 100644 SOURCES/0042-curl-7.76.1-respect-system-crypto-policy.patch
 create mode 100644 SOURCES/0043-curl-7.76.1-http-fix-crash-in-rate-limited-upload.patch
diff --git a/SOURCES/0041-curl-7.76.1-CVE-2025-9086.patch b/SOURCES/0041-curl-7.76.1-CVE-2025-9086.patch
new file mode 100644
index 0000000..a49f121
--- /dev/null
+++ b/SOURCES/0041-curl-7.76.1-CVE-2025-9086.patch
@@ -0,0 +1,48 @@
+From c6ae07c6a541e0e96d0040afb62b45dd37711300 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Mon, 11 Aug 2025 20:23:05 +0200
+Subject: [PATCH] cookie: don't treat the leading slash as trailing
+
+If there is only a leading slash in the path, keep that. Also add an
+assert to make sure the path is never blank.
+
+Reported-by: Google Big Sleep
+Closes #18266
+---
+ lib/cookie.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 914a4aca12ac..b72dd99bce9b 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -296,7 +296,7 @@ static char *sanitize_cookie_path(const char *cookie_path)
+ }
+
+ /* convert /hoge/ to /hoge */
+- if(len && new_path[len - 1] == '/') {
++ if(len > 1 && new_path[len - 1] == '/') {
+ new_path[len - 1] = 0x0;
+ }
+
+@@ -965,7 +965,7 @@ replace_existing(struct Curl_easy *data,
+ if(clist->spath && co->spath) {
+ if(clist->secure && !co->secure && !secure) {
+ size_t cllen;
+- const char *sep;
++ const char *sep = NULL;
+
+ /*
+ * A non-secure cookie may not overlay an existing secure cookie.
+@@ -974,8 +974,9 @@ replace_existing(struct Curl_easy *data,
+ * "/loginhelper" is ok.
+ */
+
+- sep = strchr(clist->spath + 1, '/');
+-
++ DEBUGASSERT(clist->spath[0]);
++ if(clist->spath[0])
++ sep = strchr(clist->spath + 1, '/');
+ if(sep)
+ cllen = sep - clist->spath;
+ else
diff --git a/SOURCES/0042-curl-7.76.1-respect-system-crypto-policy.patch b/SOURCES/0042-curl-7.76.1-respect-system-crypto-policy.patch
new file mode 100644
index 0000000..e2da7c2
--- /dev/null
+++ b/SOURCES/0042-curl-7.76.1-respect-system-crypto-policy.patch
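Review bot: In the `replace_existing()` hunk the runtime test `if(clist->spath[0])` is the only thing that keeps `strchr(clist->spath + 1, '/')` from stepping past an empty string in a release build, because `DEBUGASSERT()` expands to nothing unless curl is built with DEBUGBUILD; the shape is right, but the three added lines carry no explanation, so I would put `/* spath is never expected to be empty after sanitize_cookie_path(); guard anyway so the +1 cannot read past a "" string */` above the `DEBUGASSERT`. The embedded header is upstream's (c6ae07c6a541, diffstat `6 insertions(+), 5 deletions(-)`) while the hunks here total 5/4 and target the 7.76.1 code shape (`new_path[len - 1] = 0x0`), so this appears to be an adapted backport; a `Backported to 7.76.1` line and the `CVE-2025-9086` identifier in the inner description would make the provenance checkable without opening the spec. `sanitize_cookie_path()` and `replace_existing()` both begin and end outside these hunks.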
@@ -0,0 +1,110 @@
+From: Jacek Migacz
+Date: Mon, 4 Nov 2025 10:00:00 +0100
+Subject: [PATCH] openssl: respect system crypto policy for TLS max version
+
+Implement a compromise between application control and system security
+policy for TLS maximum version:
+
+- When user explicitly sets --tls-max: honor user choice (app control)
+- When user accepts default: respect OpenSSL crypto-policy (system policy)
+
+This allows:
+ curl --tls-max 1.3 https://... # Uses TLS 1.3 (overrides policy)
+ curl https://... # Respects crypto-policy
+
+Previously, curl called SSL_CTX_set_max_proto_version(ctx, 0) even when
+user didn't specify --tls-max, which overrides system crypto-policy and
+enables all TLS versions up to the highest supported.
+
+This breaks FIPS/Common Criteria compliance systems where security
+policies are mandatory:
+- Package managers (dnf/yum) completely break on FIPS systems
+- RHEL/Fedora cannot achieve government certifications
+- System administrators cannot enforce TLS version restrictions
+
+The fix: when user explicitly requests a specific maximum version, honor it.
+Otherwise, query the current crypto-policy setting. If the policy restricts
+TLS to a version lower than 1.3, respect that restriction. If the policy
+allows TLS 1.3 (the highest), use 0 to maintain the original behavior.
+
+This approach:
+- Respects crypto-policy when it actually restricts TLS versions
+- Maintains original behavior (calling with 0) when no restriction applies
+- Preserves compatibility with other libraries like libssh (bz2091512)
+- Ensures SSL_CTX_set_max_proto_version() is always called (RHEL-134721)
+
+Note: Previous versions had issues:
+- v1: Skipped calling SSL_CTX_set_max_proto_version() entirely, breaking libssh
+- v2: Always called with policy_max value, but on DEFAULT policy this returns
+ TLS1_3_VERSION instead of 0, which differs from original behavior and
+ still caused libssh regression
+
+This v3 fix preserves original behavior (call with 0) when crypto-policy
+allows TLS 1.3, and only applies restrictions for FIPS/restrictive policies.
+
+This mirrors the intended behavior of the minimum version logic, where
+explicit user choice overrides defaults, but system configuration is
+respected otherwise.
+---
+ lib/vtls/openssl.c | 50 +++++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 37 insertions(+), 13 deletions(-)
+
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 1234567890..abcdef1234 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -2354,19 +2354,43 @@
+ ossl_ssl_version_max = TLS1_3_VERSION;
+ break;
+ #endif
+- case CURL_SSLVERSION_MAX_NONE: /* none selected */
+- case CURL_SSLVERSION_MAX_DEFAULT: /* max selected */
+- default:
+- /* SSL_CTX_set_max_proto_version states that:
+- setting the maximum to 0 will enable
+- protocol versions up to the highest version
+- supported by the library */
+- ossl_ssl_version_max = 0;
+- break;
+ }
+
+- if(!SSL_CTX_set_max_proto_version(ctx, ossl_ssl_version_max)) {
+- return CURLE_SSL_CONNECT_ERROR;
++ /* Set max version based on user choice or crypto-policy.
++
++ When user explicitly sets --tls-max, honor that choice (app control).
++ When user accepts default, respect crypto-policy (system policy).
++
++ IMPORTANT: We always call SSL_CTX_set_max_proto_version() to maintain
++ compatibility with other libraries like libssh. Skipping this call
++ or calling with different values can affect libraries that depend on
++ specific OpenSSL initialization sequences. See RHEL-134721. */
++ if(curl_ssl_version_max != CURL_SSLVERSION_MAX_NONE &&
++ curl_ssl_version_max != CURL_SSLVERSION_MAX_DEFAULT) {
++ /* User explicitly requested a specific max version - honor it */
++ if(!SSL_CTX_set_max_proto_version(ctx, ossl_ssl_version_max)) {
++ return CURLE_SSL_CONNECT_ERROR;
++ }
++ }
++ else {
++ /* User didn't specify - check crypto-policy.
++ Query the current max version setting from crypto-policy config.
++ If policy restricts to below TLS 1.3, respect that restriction.
++ Otherwise, use 0 (highest available) to maintain original behavior
++ which is required for libssh compatibility (bz2091512). */
++ long policy_max = SSL_CTX_get_max_proto_version(ctx);
++#ifdef TLS1_3_VERSION
++ if(policy_max == 0 || policy_max >= TLS1_3_VERSION) {
++ /* No restriction or TLS 1.3 allowed - use original behavior */
++ policy_max = 0;
++ }
++ /* else: policy restricts to TLS 1.2 or lower, respect it */
++#else
++ policy_max = 0;
++#endif
++ if(!SSL_CTX_set_max_proto_version(ctx, policy_max)) {
++ return CURLE_SSL_CONNECT_ERROR;
++ }
+ }
+
+ return CURLE_OK;
diff --git a/SOURCES/0043-curl-7.76.1-http-fix-crash-in-rate-limited-upload.patch b/SOURCES/0043-curl-7.76.1-http-fix-crash-in-rate-limited-upload.patch
new file mode 100644
index 0000000..df32d62
--- /dev/null
+++ b/SOURCES/0043-curl-7.76.1-http-fix-crash-in-rate-limited-upload.patch
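Review bot: Deleting the `CURL_SSLVERSION_MAX_NONE`/`MAX_DEFAULT`/`default:` arms changes how an unhandled value is treated: `CURL_SSLVERSION_MAX_TLSv1_3` on an OpenSSL without `TLS1_3_VERSION` (its arm is the one closed by the `#endif` at the top of the hunk) used to map to 0 and now falls into the "explicit" branch with whatever `ossl_ssl_version_max` held at its declaration, which is outside the hunk. A second build nit: `SSL_CTX_get_max_proto_version()` is called before the `#ifdef TLS1_3_VERSION`, and as far as I know both appeared together in OpenSSL 1.1.1, so the `#else policy_max = 0;` fallback can never compile on the builds it is meant for. I would keep a `default:` arm that clears a `bool explicit_max = TRUE;` (declared next to `ossl_ssl_version_max`, above the hunk) and branch on that flag instead of re-testing the two enum values, with the policy query moved under the guard, as below. The description should also state two consequences: a user-set minimum such as `--tlsv1.3` does not lift a policy maximum of 1.2, so that request presumably now fails inside the handshake with a generic `CURLE_SSL_CONNECT_ERROR` where it used to succeed, and `index 1234567890..abcdef1234` is a placeholder that should be dropped so nobody mistakes this downstream-only change for an upstream commit.
```c
  /* … unchanged: explicit CURL_SSLVERSION_MAX_TLSv1_x arms assign ossl_ssl_version_max … */
  case CURL_SSLVERSION_MAX_NONE:    /* none selected */
  case CURL_SSLVERSION_MAX_DEFAULT: /* max selected */
  default:
    /* no usable explicit maximum: defer to what OpenSSL (and the system
       crypto-policy already loaded into this SSL_CTX) configured */
    explicit_max = FALSE;
    break;
  }

  if(explicit_max) {
    /* --tls-max / CURLOPT_SSLVERSION max: the application's choice wins */
    if(!SSL_CTX_set_max_proto_version(ctx, ossl_ssl_version_max))
      return CURLE_SSL_CONNECT_ERROR;
  }
  else {
    /* Always call SSL_CTX_set_max_proto_version() so the OpenSSL
       initialisation sequence seen by libssh stays unchanged (RHEL-134721);
       0 means "highest supported", i.e. the pre-patch behaviour. */
    long policy_max = 0;
#ifdef TLS1_3_VERSION
    /* SSL_CTX_get_max_proto_version() arrived with TLS1_3_VERSION in
       OpenSSL 1.1.1, so the policy query has to live under this guard */
    policy_max = SSL_CTX_get_max_proto_version(ctx);
    if(policy_max >= TLS1_3_VERSION)
      policy_max = 0;  /* policy allows the highest version: keep 0 */
    /* else a restrictive (FIPS/CC) policy capped us below 1.3: keep it */
#endif
    if(!SSL_CTX_set_max_proto_version(ctx, policy_max))
      return CURLE_SSL_CONNECT_ERROR;
  }
```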
@@ -0,0 +1,42 @@
+From ca8893468f3ca1bcd04a61691878e09b5824180c Mon Sep 17 00:00:00 2001
+From: Jay Satiro
+Date: Tue, 29 Jun 2021 11:43:35 -0400
+Subject: [PATCH] http: fix crash in rate-limited upload
+
+- Don't set the size of the piece of data to send to the rate limit if
+ that limit is larger than the buffer size that will hold the piece.
+
+Prior to this change if CURLOPT_MAX_SEND_SPEED_LARGE
+(curl tool: --limit-rate) was set then it was possible that a temporary
+buffer used for uploading could be written to out of bounds. A likely
+scenario for this would be a non-trivial amount of post data combined
+with a rate limit larger than CURLOPT_UPLOAD_BUFFERSIZE (default 64k).
+
+The bug was introduced in 24e469f which is in releases since 7.76.0.
+
+perl -e "print '0' x 200000" > tmp
+curl --limit-rate 128k -d @tmp httpbin.org/post
+
+Reported-by: Richard Marion
+
+Fixes https://github.com/curl/curl/issues/7308
+Closes https://github.com/curl/curl/pull/7315
+---
+ lib/http.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/http.c b/lib/http.c
+index 6d5d8fb3b2..ac0301bc41 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -1177,6 +1177,7 @@ static size_t readmoredata(char *buffer,
+ data->req.forbidchunk = (http->sending == HTTPSEND_REQUEST)?TRUE:FALSE;
+
+ if(data->set.max_send_speed &&
++ (data->set.max_send_speed < (curl_off_t)fullsize) &&
+ (data->set.max_send_speed < http->postsize))
+ /* speed limit */
+ fullsize = (size_t)data->set.max_send_speed;
+--
+2.51.0
+
diff --git a/SPECS/curl.spec b/SPECS/curl.spec
index f833bc0..4e49085 100644
--- a/SPECS/curl.spec
+++ b/SPECS/curl.spec
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.76.1
-Release: 34%{?dist}
+Release: 40%{?dist}
 License: MIT
 Source: https://curl.se/download/%{name}-%{version}.tar.xz
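Review bot: The `/* speed limit */` comment above `fullsize = (size_t)data->set.max_send_speed;` no longer describes the condition it belongs to: the added `(data->set.max_send_speed < (curl_off_t)fullsize)` clause is the actual fix for the out-of-bounds write the header describes, and nothing in the code says which clause is the memory-safety bound. I would extend it to `/* speed limit: never hand back more than the caller's buffer (fullsize) holds; a limit above the upload buffer size used to overrun it (#7308) */` so the next person simplifying the condition does not drop the wrong comparison. The header names upstream ca889346 (the 7.77.0 fix), so this hunk appears to be carried verbatim, which is good for traceability; the spec and changelog wording of "crash" understates it, but that belongs with the spec hunk. `readmoredata()` starts and ends outside the hunk.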
@@ -122,6 +122,15 @@ Patch39: 0039-curl-7.76.1-pause-on-http.patch # noproxy: support proxies specified using cidr notation Patch40: 0040-curl-7.76.1-noproxy-support-using-cidr.patch +# cookie: don't treat the leading slash as trailing (CVE-2025-9086) +Patch041: 0041-curl-7.76.1-CVE-2025-9086.patch + +# openssl: respect system crypto policy for TLS max version +Patch042: 0042-curl-7.76.1-respect-system-crypto-policy.patch + +# http: fix crash in rate-limited upload +Patch043: 0043-curl-7.76.1-http-fix-crash-in-rate-limited-upload.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -336,6 +345,9 @@ be installed. %patch -P 38 -p1 %patch -P 39 -p1 %patch -P 40 -p1 +%patch -P 41 -p1 +%patch -P 42 -p1 +%patch -P 43 -p1 # Fedora patches %patch -P 101 -p1 @@ -561,7 +573,26 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog -* Mon Jul 23 2025 Jacek Migacz - 7.76.1-34 +* Wed Jan 21 2026 Jacek Migacz - 7.76.1-40 +- openssl: fix libssh compatibility by preserving original SSL_CTX behavior (RHEL-134721) + +* Thu Dec 18 2025 Jacek Migacz - 7.76.1-39 +- openssl: fix libssh compatibility in crypto-policy patch (RHEL-134721) + +* Mon Dec 01 2025 Jacek Migacz - 7.76.1-38 +- http: fix crash in rate-limited upload (RHEL-131696) + +* Thu Nov 27 2025 Jacek Migacz - 7.76.1-37 +- openssl: respect system crypto policy for TLS max version (RHEL-128914) + +* Thu Nov 20 2025 Jacek Migacz - 7.76.1-36 +- rebuild for c9s (RHEL-125838) + +* Thu Oct 23 2025 Jacek Migacz - 7.76.1-35 +- cookie: don't treat the leading slash as trailing (CVE-2025-9086) + Resolves: RHEL-121659 + +* Wed Jul 23 2025 Jacek Migacz - 7.76.1-34 - revert several disabled tests related to openssl/valgrind (RHEL-99465) * Thu May 15 2025 Jacek Migacz - 7.76.1-33
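Review bot: The new tags are spelled `Patch041`/`Patch042`/`Patch043` while their neighbours use the unpadded form (`Patch39`, `Patch40`) and `%prep` applies them as `%patch -P 41`; as far as rpm's tag parsing goes the digits are read as a number so this still applies, but a padded tag next to an unpadded `-P` argument is what makes a silently skipped patch easy to miss on the next rebase, so `Patch41: 0041-curl-7.76.1-CVE-2025-9086.patch` (and 42, 43) is the consistent form. The comment and the -38 changelog entry call 0043 a "crash" fix, whereas the carried patch describes an out-of-bounds write into the upload buffer; `# http: fix out-of-bounds write in rate-limited upload (upstream ca889346, 7.77.0)` records what downstream triage actually needs. 0042 is the only patch here without an upstream counterpart, which its comment should say (`# openssl: respect system crypto policy for TLS max version (downstream-only, RHEL-128914)`) so it is re-evaluated rather than assumed merged on a future rebase.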