[Low] Patch curl for CVE-2025-0167 #13182
Merged
40 changes: 40 additions & 0 deletions SPECS/curl/CVE-2025-0167.patch
@@ -0,0 +1,40 @@
From 9ef089b45f439bc1885ab7ee3e074ecc86a8bfcc Mon Sep 17 00:00:00 2001
From: Sreenivasulu Malavathula <[email protected]>
Date: Fri, 28 Mar 2025 18:08:43 -0500
Subject: [PATCH] Address CVE-2025-0167
Upstream Patch Reference: https://github.com/curl/curl/commit/0e120c5b925e8ca75d5319e

---
lib/netrc.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/lib/netrc.c b/lib/netrc.c
index 64efdc0..6053fa6 100644
--- a/lib/netrc.c
+++ b/lib/netrc.c
@@ -263,11 +263,17 @@ static int parsenetrc(const char *host,

out:
Curl_dyn_free(&buf);
- if(!retcode && !password && our_login) {
- /* success without a password, set a blank one */
- password = strdup("");
- if(!password)
- retcode = 1; /* out of memory */
+ if(!retcode) {
+ if(!password && our_login) {
+ /* success without a password, set a blank one */
+ password = strdup("");
+ if(!password)
+ retcode = 1; /* out of memory */
+ }
+ else if(!login && !password) {
+ /* a default with no credentials */
+ retcode = NETRC_FILE_MISSING;
+ }
}
if(!retcode) {
/* success */
--
2.45.2
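Review bot: the new `else if(!login && !password)` branch is reached only when the caller supplied no login, so a `default` entry that carries neither login nor password now returns `NETRC_FILE_MISSING` instead of falling through to the "set a blank one" path with an empty password; please confirm that every caller of `parsenetrc` treats `NETRC_FILE_MISSING` as "no usable credentials" rather than as a hard error, since the name suggests it was previously reserved for an absent file. The backport carries only the `lib/netrc.c` hunk; if the referenced upstream commit also touched tests, state in the patch header that they were left out deliberately.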

6 changes: 5 additions & 1 deletion SPECS/curl/curl.spec
@@ -1,7 +1,7 @@
Summary: An URL retrieval utility and library
Name: curl
Version: 8.8.0
Release: 5%{?dist}
Release: 6%{?dist}
License: curl
Vendor: Microsoft Corporation
Distribution: Mariner
Expand All @@ -12,6 +12,7 @@ Patch0: CVE-2024-6197.patch
Patch1: CVE-2024-8096.patch
Patch2: CVE-2024-11053.patch
Patch3: CVE-2024-9681.patch
Patch4: CVE-2025-0167.patch
BuildRequires: krb5-devel
BuildRequires: libssh2-devel
BuildRequires: nghttp2-devel
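Review bot: `Patch4: CVE-2025-0167.patch` is declared, but none of the visible hunks shows it being applied; confirm that `%prep` uses `%autosetup -p1` (or carries a matching `%patch4 -p1`) so the new patch is actually applied and not merely listed alongside Patch0 through Patch3.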
Expand Down Expand Up @@ -89,6 +90,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
%{_libdir}/libcurl.so.*

%changelog
* Fri Mar 28 2025 Sreeniavsulu Malavathula <[email protected]> - 8.8.0-6
- Fix CVE-2025-0167 with an upstream patch

* Wed Feb 26 2025 Bhagyashri Pathak <[email protected]> - 8.8.0-5
- Patch CVE-2024-9681
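Review bot: the author name on the new changelog entry is spelled "Sreeniavsulu", while the `From:` line in SPECS/curl/CVE-2025-0167.patch reads "Sreenivasulu"; fix the spelling so the two agree. The 8.8.0-6 version in the entry matches the Release bump in the first hunk.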

6 changes: 3 additions & 3 deletions toolkit/resources/manifests/package/pkggen_core_aarch64.txt
Expand Up @@ -190,9 +190,9 @@ libssh2-1.9.0-4.cm2.aarch64.rpm
libssh2-devel-1.9.0-4.cm2.aarch64.rpm
krb5-1.19.4-3.cm2.aarch64.rpm
nghttp2-1.57.0-2.cm2.aarch64.rpm
curl-8.8.0-5.cm2.aarch64.rpm
curl-devel-8.8.0-5.cm2.aarch64.rpm
curl-libs-8.8.0-5.cm2.aarch64.rpm
curl-8.8.0-6.cm2.aarch64.rpm
curl-devel-8.8.0-6.cm2.aarch64.rpm
curl-libs-8.8.0-6.cm2.aarch64.rpm
createrepo_c-0.17.5-1.cm2.aarch64.rpm
libxml2-2.10.4-6.cm2.aarch64.rpm
libxml2-devel-2.10.4-6.cm2.aarch64.rpm
6 changes: 3 additions & 3 deletions toolkit/resources/manifests/package/pkggen_core_x86_64.txt
Expand Up @@ -190,9 +190,9 @@ libssh2-1.9.0-4.cm2.x86_64.rpm
libssh2-devel-1.9.0-4.cm2.x86_64.rpm
krb5-1.19.4-3.cm2.x86_64.rpm
nghttp2-1.57.0-2.cm2.x86_64.rpm
curl-8.8.0-5.cm2.x86_64.rpm
curl-devel-8.8.0-5.cm2.x86_64.rpm
curl-libs-8.8.0-5.cm2.x86_64.rpm
curl-8.8.0-6.cm2.x86_64.rpm
curl-devel-8.8.0-6.cm2.x86_64.rpm
curl-libs-8.8.0-6.cm2.x86_64.rpm
createrepo_c-0.17.5-1.cm2.x86_64.rpm
libxml2-2.10.4-6.cm2.x86_64.rpm
libxml2-devel-2.10.4-6.cm2.x86_64.rpm
8 changes: 4 additions & 4 deletions toolkit/resources/manifests/package/toolchain_aarch64.txt
Expand Up @@ -46,10 +46,10 @@ cracklib-lang-2.9.7-5.cm2.aarch64.rpm
createrepo_c-0.17.5-1.cm2.aarch64.rpm
createrepo_c-debuginfo-0.17.5-1.cm2.aarch64.rpm
createrepo_c-devel-0.17.5-1.cm2.aarch64.rpm
curl-8.8.0-5.cm2.aarch64.rpm
curl-debuginfo-8.8.0-5.cm2.aarch64.rpm
curl-devel-8.8.0-5.cm2.aarch64.rpm
curl-libs-8.8.0-5.cm2.aarch64.rpm
curl-8.8.0-6.cm2.aarch64.rpm
curl-debuginfo-8.8.0-6.cm2.aarch64.rpm
curl-devel-8.8.0-6.cm2.aarch64.rpm
curl-libs-8.8.0-6.cm2.aarch64.rpm
Cython-debuginfo-0.29.33-2.cm2.aarch64.rpm
debugedit-5.0-2.cm2.aarch64.rpm
debugedit-debuginfo-5.0-2.cm2.aarch64.rpm
8 changes: 4 additions & 4 deletions toolkit/resources/manifests/package/toolchain_x86_64.txt
Expand Up @@ -49,10 +49,10 @@ createrepo_c-debuginfo-0.17.5-1.cm2.x86_64.rpm
createrepo_c-devel-0.17.5-1.cm2.x86_64.rpm
cross-binutils-common-2.37-14.cm2.noarch.rpm
cross-gcc-common-11.2.0-8.cm2.noarch.rpm
curl-8.8.0-5.cm2.x86_64.rpm
curl-debuginfo-8.8.0-5.cm2.x86_64.rpm
curl-devel-8.8.0-5.cm2.x86_64.rpm
curl-libs-8.8.0-5.cm2.x86_64.rpm
curl-8.8.0-6.cm2.x86_64.rpm
curl-debuginfo-8.8.0-6.cm2.x86_64.rpm
curl-devel-8.8.0-6.cm2.x86_64.rpm
curl-libs-8.8.0-6.cm2.x86_64.rpm
Cython-debuginfo-0.29.33-2.cm2.x86_64.rpm
debugedit-5.0-2.cm2.x86_64.rpm
debugedit-debuginfo-5.0-2.cm2.x86_64.rpm