From 6d9cf901292a8d833b572996fbbe3df42846d53d Mon Sep 17 00:00:00 2001
From: Jacek Migacz <jmigacz@redhat.com>
Date: Mon, 20 Oct 2025 23:02:40 +0200
Subject: [PATCH] cookie: don't treat the leading slash as trailing
 (CVE-2025-9086)

Resolves: RHEL-121672
---
 0001-curl-8.12.1-CVE-2025-9086.patch | 48 ++++++++++++++++++++++++++++
 curl.spec                            |  9 +++++-
 2 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100644 0001-curl-8.12.1-CVE-2025-9086.patch

diff --git a/0001-curl-8.12.1-CVE-2025-9086.patch b/0001-curl-8.12.1-CVE-2025-9086.patch
new file mode 100644
index 0000000..2d046a2
--- /dev/null
+++ b/0001-curl-8.12.1-CVE-2025-9086.patch
@@ -0,0 +1,48 @@
+From c6ae07c6a541e0e96d0040afb62b45dd37711300 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 11 Aug 2025 20:23:05 +0200
+Subject: [PATCH] cookie: don't treat the leading slash as trailing
+
+If there is only a leading slash in the path, keep that. Also add an
+assert to make sure the path is never blank.
+
+Reported-by: Google Big Sleep
+Closes #18266
+---
+ lib/cookie.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 914a4aca12ac..b72dd99bce9b 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -296,7 +296,7 @@ static char *sanitize_cookie_path(const char *cookie_path)
+   }
+ 
+   /* convert /hoge/ to /hoge */
+-  if(len && new_path[len - 1] == '/') {
++  if(len > 1 && new_path[len - 1] == '/') {
+     new_path[len - 1] = 0x0;
+   }
+ 
+@@ -965,7 +965,7 @@ replace_existing(struct Curl_easy *data,
+          clist->spath && co->spath && /* both have paths */
+          clist->secure && !co->secure && !secure) {
+         size_t cllen;
+-        const char *sep;
++        const char *sep = NULL;
+ 
+         /*
+          * A non-secure cookie may not overlay an existing secure cookie.
+@@ -974,8 +974,9 @@ replace_existing(struct Curl_easy *data,
+          * "/loginhelper" is ok.
+          */
+ 
+-        sep = strchr(clist->spath + 1, '/');
+-
++        DEBUGASSERT(clist->spath[0]);
++        if(clist->spath[0])
++          sep = strchr(clist->spath + 1, '/');
+         if(sep)
+           cllen = sep - clist->spath;
+         else
diff --git a/curl.spec b/curl.spec
index 14dd417..b95497a 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 8.12.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: curl
 Source0: https://curl.se/download/%{name}-%{version}.tar.xz
 Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
@@ -10,6 +10,9 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
 # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc
 Source2: mykey.asc
 
+# cookie: don't treat the leading slash as trailing (CVE-2025-9086)
+Patch001: 0001-curl-8.12.1-CVE-2025-9086.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -395,6 +398,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 
 %changelog
+* Mon Oct 20 2025 Jacek Migacz <jmigacz@redhat.com> - 8.12.1-3
+- cookie: don't treat the leading slash as trailing (CVE-2025-9086)
+  Resolves: RHEL-121672
+
 * Tue Apr 15 2025 Jacek Migacz <jmigacz@redhat.com> - 8.12.1-2
 - revert using tls-ca-bundle.pem instead of ca-bundle.crt (RHEL-56966)
   (temporary revert to workaround another issue RHEL-85608)