cmake: Patch HIGH CVE-2024-2398 in bundled curl and MEDIUM CVE-2024-2…

…8182 in bundled nghttp2

SPECS/cmake/CVE-2024-2398.patch

@@ -0,0 +1,94 @@
+From c9adb2114e9d9d4a50ff273234c2a1f8518aafd1 Mon Sep 17 00:00:00 2001
+From: Vince Perri <[email protected]>
+Date: Wed, 20 Nov 2024 22:38:53 +0000
+Subject: [PATCH] http2: push headers better cleanup
+
+Original patch: https://github.com/curl/curl/commit/deca8039991886a559b67bcd6
+---
+ Utilities/cmcurl/lib/http2.c | 34 +++++++++++++++-------------------
+ 1 file changed, 15 insertions(+), 19 deletions(-)
+
+diff --git a/Utilities/cmcurl/lib/http2.c b/Utilities/cmcurl/lib/http2.c
+index f194c18b..50b8cd54 100644
+--- a/Utilities/cmcurl/lib/http2.c
++++ b/Utilities/cmcurl/lib/http2.c
+@@ -116,6 +116,15 @@ static int http2_getsock(struct Curl_easy *data,
+   return bitmap;
+ }
+
++static void free_push_headers(struct HTTP *stream)
++{
++  size_t i;
++  for(i = 0; i<stream->push_headers_used; i++)
++    free(stream->push_headers[i]);
++  Curl_safefree(stream->push_headers);
++  stream->push_headers_used = 0;
++}
++
+ /*
+  * http2_stream_free() free HTTP2 stream related data
+  */
+@@ -123,11 +132,7 @@ static void http2_stream_free(struct HTTP *http)
+ {
+   if(http) {
+     Curl_dyn_free(&http->header_recvbuf);
+-    for(; http->push_headers_used > 0; --http->push_headers_used) {
+-      free(http->push_headers[http->push_headers_used - 1]);
+-    }
+-    free(http->push_headers);
+-    http->push_headers = NULL;
++    free_push_headers(http);
+   }
+ }
+
+@@ -559,7 +564,6 @@ static int push_promise(struct Curl_easy *data,
+     struct curl_pushheaders heads;
+     CURLMcode rc;
+     struct http_conn *httpc;
+-    size_t i;
+     /* clone the parent */
+     struct Curl_easy *newhandle = duphandle(data);
+     if(!newhandle) {
+@@ -595,11 +599,7 @@ static int push_promise(struct Curl_easy *data,
+     Curl_set_in_callback(data, false);
+
+     /* free the headers again */
+-    for(i = 0; i<stream->push_headers_used; i++)
+-      free(stream->push_headers[i]);
+-    free(stream->push_headers);
+-    stream->push_headers = NULL;
+-    stream->push_headers_used = 0;
++    free_push_headers(stream);
+
+     if(rv) {
+       DEBUGASSERT((rv > CURL_PUSH_OK) && (rv <= CURL_PUSH_ERROROUT));
+@@ -1033,10 +1033,10 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame,
+             stream->push_headers_alloc) {
+       char **headp;
+       stream->push_headers_alloc *= 2;
+-      headp = Curl_saferealloc(stream->push_headers,
+-                               stream->push_headers_alloc * sizeof(char *));
++      headp = realloc(stream->push_headers,
++                      stream->push_headers_alloc * sizeof(char *));
+       if(!headp) {
+-        stream->push_headers = NULL;
++        free_push_headers(stream);
+         return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+       }
+       stream->push_headers = headp;
+@@ -1204,11 +1204,7 @@ void Curl_http2_done(struct Curl_easy *data, bool premature)
+   Curl_dyn_free(&http->trailer_recvbuf);
+   if(http->push_headers) {
+     /* if they weren't used and then freed before */
+-    for(; http->push_headers_used > 0; --http->push_headers_used) {
+-      free(http->push_headers[http->push_headers_used - 1]);
+-    }
+-    free(http->push_headers);
+-    http->push_headers = NULL;
++    free_push_headers(http);
+   }
+
+   if(!(data->conn->handler->protocol&PROTO_FAMILY_HTTP) ||
+-- 
+2.34.1
+

SPECS/cmake/CVE-2024-28182.patch

@@ -0,0 +1,108 @@
+From 875373fb67097281d4a4ff461e531b9bef947818 Mon Sep 17 00:00:00 2001
+From: Vince Perri <[email protected]>
+Date: Thu, 21 Nov 2024 14:11:36 +0000
+Subject: [PATCH] Limit CONTINUATION frames following an incoming HEADER frame
+
+Original patch: https://github.com/nghttp2/nghttp2/commit/00201ecd8f982da3b67d4f6868af72a1b03b14e0
+---
+ Utilities/cmnghttp2/lib/includes/nghttp2/nghttp2.h |  7 ++++++-
+ Utilities/cmnghttp2/lib/nghttp2_helper.c           |  2 ++
+ Utilities/cmnghttp2/lib/nghttp2_session.c          |  8 ++++++++
+ Utilities/cmnghttp2/lib/nghttp2_session.h          | 10 ++++++++++
+ 4 files changed, 26 insertions(+), 1 deletion(-)
+
+diff --git a/Utilities/cmnghttp2/lib/includes/nghttp2/nghttp2.h b/Utilities/cmnghttp2/lib/includes/nghttp2/nghttp2.h
+index e4e1d4fc..a140199a 100644
+--- a/Utilities/cmnghttp2/lib/includes/nghttp2/nghttp2.h
++++ b/Utilities/cmnghttp2/lib/includes/nghttp2/nghttp2.h
+@@ -428,7 +428,12 @@ typedef enum {
+    * exhaustion on server side to send these frames forever and does
+    * not read network.
+    */
+-  NGHTTP2_ERR_FLOODED = -904
++  NGHTTP2_ERR_FLOODED = -904,
++  /**
++   * When a local endpoint receives too many CONTINUATION frames
++   * following a HEADER frame.
++   */
++  NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905,
+ } nghttp2_error;
+
+ /**
+diff --git a/Utilities/cmnghttp2/lib/nghttp2_helper.c b/Utilities/cmnghttp2/lib/nghttp2_helper.c
+index 91136a61..f150ab54 100644
+--- a/Utilities/cmnghttp2/lib/nghttp2_helper.c
++++ b/Utilities/cmnghttp2/lib/nghttp2_helper.c
+@@ -334,6 +334,8 @@ const char *nghttp2_strerror(int error_code) {
+   case NGHTTP2_ERR_FLOODED:
+     return "Flooding was detected in this HTTP/2 session, and it must be "
+            "closed";
++  case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS:
++    return "Too many CONTINUATION frames following a HEADER frame";
+   default:
+     return "Unknown error code";
+   }
+diff --git a/Utilities/cmnghttp2/lib/nghttp2_session.c b/Utilities/cmnghttp2/lib/nghttp2_session.c
+index a3c0b708..f02e3f95 100644
+--- a/Utilities/cmnghttp2/lib/nghttp2_session.c
++++ b/Utilities/cmnghttp2/lib/nghttp2_session.c
+@@ -463,6 +463,7 @@ static int session_new(nghttp2_session **session_ptr,
+
+   (*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;
+   (*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
++  (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS;
+
+   if (option) {
+     if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
+@@ -6297,6 +6298,8 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+           }
+         }
+         session_inbound_frame_reset(session);
++
++        session->num_continuations = 0;
+       }
+       break;
+     }
+@@ -6418,6 +6421,11 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+       }
+ #endif /* DEBUGBUILD */
+
++ 
++      if (++session->num_continuations > session->max_continuations) {
++        return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS;
++      }
++
+       readlen = inbound_frame_buf_read(iframe, in, last);
+       in += readlen;
+
+diff --git a/Utilities/cmnghttp2/lib/nghttp2_session.h b/Utilities/cmnghttp2/lib/nghttp2_session.h
+index b75294c3..f53acac7 100644
+--- a/Utilities/cmnghttp2/lib/nghttp2_session.h
++++ b/Utilities/cmnghttp2/lib/nghttp2_session.h
+@@ -107,6 +107,10 @@ typedef struct {
+ #define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000
+ #define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33
+
++/* The default max number of CONTINUATION frames following an incoming
++   HEADER frame. */
++#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8
++
+ /* Internal state when receiving incoming frame */
+ typedef enum {
+   /* Receiving frame header */
+@@ -277,6 +281,12 @@ struct nghttp2_session {
+   /* The maximum length of header block to send.  Calculated by the
+      same way as nghttp2_hd_deflate_bound() does. */
+   size_t max_send_header_block_length;
++  /* The maximum number of CONTINUATION frames following an incoming
++     HEADER frame. */
++  size_t max_continuations;
++  /* The number of CONTINUATION frames following an incoming HEADER
++     frame.  This variable is reset when END_HEADERS flag is seen. */
++  size_t num_continuations;
+   /* Next Stream ID. Made unsigned int to detect >= (1 << 31). */
+   uint32_t next_stream_id;
+   /* The last stream ID this session initiated.  For client session,
+-- 
+2.34.1
+

SPECS/cmake/cmake.spec

@@ -2,7 +2,7 @@
 Summary:        Cmake
 Name:           cmake
 Version:        3.21.4
-Release:        13%{?dist}
+Release:        14%{?dist}
 License:        BSD AND LGPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -29,6 +29,8 @@ Patch14:        CVE-2023-27538.patch
 Patch15:        CVE-2023-27535.patch
 Patch16:        CVE-2023-23916.patch
 Patch17:        CVE-2023-46218.patch
+Patch18:        CVE-2024-2398.patch
+Patch19:        CVE-2024-28182.patch
 BuildRequires:  bzip2
 BuildRequires:  bzip2-devel
 BuildRequires:  curl
@@ -94,6 +96,10 @@ bin/ctest --force-new-ctest-process --rerun-failed --output-on-failure
 %{_prefix}/doc/%{name}-*/*
 
 %changelog
+* Thu Nov 21 2024 Vince Perri <[email protected]> - 3.21.4-14
+- Patch CVE-2024-2398 (bundled curl)
+- Patch CVE-2024-28182 (bundled nghttp2)
+
 * Thu Nov 14 2024 Sharath Srikanth Chellappa <[email protected]> - 3.21.4-13
 - Patch CVE-2022-43552, CVE-2023-27536, CVE-2023-27535, CVE-2023-27538, CVE-2023-23916 and CVE-2023-46218.
 

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -30,8 +30,8 @@ check-debuginfo-0.15.2-1.cm2.aarch64.rpm
 chkconfig-1.20-4.cm2.aarch64.rpm
 chkconfig-debuginfo-1.20-4.cm2.aarch64.rpm
 chkconfig-lang-1.20-4.cm2.aarch64.rpm
-cmake-3.21.4-13.cm2.aarch64.rpm
-cmake-debuginfo-3.21.4-13.cm2.aarch64.rpm
+cmake-3.21.4-14.cm2.aarch64.rpm
+cmake-debuginfo-3.21.4-14.cm2.aarch64.rpm
 coreutils-8.32-7.cm2.aarch64.rpm
 coreutils-debuginfo-8.32-7.cm2.aarch64.rpm
 coreutils-lang-8.32-7.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -31,8 +31,8 @@ check-debuginfo-0.15.2-1.cm2.x86_64.rpm
 chkconfig-1.20-4.cm2.x86_64.rpm
 chkconfig-debuginfo-1.20-4.cm2.x86_64.rpm
 chkconfig-lang-1.20-4.cm2.x86_64.rpm
-cmake-3.21.4-13.cm2.x86_64.rpm
-cmake-debuginfo-3.21.4-13.cm2.x86_64.rpm
+cmake-3.21.4-14.cm2.x86_64.rpm
+cmake-debuginfo-3.21.4-14.cm2.x86_64.rpm
 coreutils-8.32-7.cm2.x86_64.rpm
 coreutils-debuginfo-8.32-7.cm2.x86_64.rpm
 coreutils-lang-8.32-7.cm2.x86_64.rpm