From f426b7a513e6affbdeb1256546f0131b3e980501 Mon Sep 17 00:00:00 2001
From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com>
Date: Wed, 29 Jan 2025 12:30:26 -0800
Subject: [PATCH] [AUTO-CHERRYPICK] [Medium] cmake: Fix CVE-2024-7264 and CVE-2024-9681 - branch 3.0-dev (#12120)
Co-authored-by: jykanase
---
 SPECS/cmake/CVE-2024-7264.patch | 122 ++++++++++++++++++
 SPECS/cmake/CVE-2024-9681.patch | 64 +++++++++
 SPECS/cmake/cmake.spec | 7 +-
 .../manifests/package/toolchain_aarch64.txt | 4 +-
 .../manifests/package/toolchain_x86_64.txt | 4 +-
 5 files changed, 196 insertions(+), 5 deletions(-)
 create mode 100644 SPECS/cmake/CVE-2024-7264.patch
 create mode 100644 SPECS/cmake/CVE-2024-9681.patch
diff --git a/SPECS/cmake/CVE-2024-7264.patch b/SPECS/cmake/CVE-2024-7264.patch
new file mode 100644
index 00000000000..abe7a576d83
--- /dev/null
+++ b/SPECS/cmake/CVE-2024-7264.patch
@@ -0,0 +1,122 @@
+From e09204d779434ff6ed01532ee8c04c44018b8abe Mon Sep 17 00:00:00 2001
+From: jykanase
+Date: Mon, 27 Jan 2025 05:08:31 +0000
+Subject: [PATCH] CVE-2024-7264
+
+---
+ Utilities/cmcurl/lib/vtls/x509asn1.c | 51 ++++++++++++++++++++--------
+ Utilities/cmcurl/lib/vtls/x509asn1.h | 11 ++++++
+ 2 files changed, 47 insertions(+), 15 deletions(-)
+
+diff --git a/Utilities/cmcurl/lib/vtls/x509asn1.c b/Utilities/cmcurl/lib/vtls/x509asn1.c
+index ed84032a..b5412c50 100644
+--- a/Utilities/cmcurl/lib/vtls/x509asn1.c
++++ b/Utilities/cmcurl/lib/vtls/x509asn1.c
+@@ -491,7 +491,7 @@ static CURLcode GTime2str(struct dynbuf *store,
+ /* Convert an ASN.1 Generalized time to a printable string.
+ Return the dynamically allocated string, or NULL if an error occurs. */
+
+- for(fracp = beg; fracp < end && *fracp >= '0' && *fracp <= '9'; fracp++)
++ for(fracp = beg; fracp < end && ISDIGIT(*fracp); fracp++)
+ ;
+
+ /* Get seconds digits. */
+@@ -510,32 +510,44 @@ static CURLcode GTime2str(struct dynbuf *store,
+ return CURLE_BAD_FUNCTION_ARGUMENT;
+ }
+
+- /* Scan for timezone, measure fractional seconds. */
++ /* timezone follows optional fractional seconds. */
+ tzp = fracp;
+- fracl = 0;
++ fracl = 0; /* no fractional seconds detected so far */
+ if(fracp < end && (*fracp == '.' || *fracp == ',')) {
+- fracp++;
+- do
++ /* Have fractional seconds, e.g. "[.,]\d+". How many? */
++ fracp++; /* should be a digit char or BAD ARGUMENT */
++ tzp = fracp;
++ while(tzp < end && ISDIGIT(*tzp))
+ tzp++;
+- while(tzp < end && *tzp >= '0' && *tzp <= '9');
+- /* Strip leading zeroes in fractional seconds. */
+- for(fracl = tzp - fracp - 1; fracl && fracp[fracl - 1] == '0'; fracl--)
+- ;
++ if(tzp == fracp) /* never looped, no digit after [.,] */
++ return CURLE_BAD_FUNCTION_ARGUMENT;
++ fracl = tzp - fracp; /* number of fractional sec digits */
++ DEBUGASSERT(fracl > 0);
++ /* Strip trailing zeroes in fractional seconds.
++ * May reduce fracl to 0 if only '0's are present. */
++ while(fracl && fracp[fracl - 1] == '0')
++ fracl--;
+ }
+
+ /* Process timezone. */
+- if(tzp >= end)
+- ; /* Nothing to do. */
++ if(tzp >= end) {
++ tzp = "";
++ tzl = 0;
++ }
+ else if(*tzp == 'Z') {
+- tzp = " GMT";
+- end = tzp + 4;
++ sep = " ";
++ tzp = "GMT";
++ tzl = 3;
++ }
++ else if((*tzp == '+') || (*tzp == '-')) {
++ sep = " UTC";
++ tzl = end - tzp;
+ }
+ else {
+ sep = " ";
+- tzp++;
++ tzl = end - tzp;
+ }
+
+- tzl = end - tzp;
+ return Curl_dyn_addf(store,
+ "%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s",
+ beg, beg + 4, beg + 6,
+@@ -544,6 +556,15 @@ static CURLcode GTime2str(struct dynbuf *store,
+ sep, (int)tzl, tzp);
+ }
+
++#ifdef UNITTESTS
++/* used by unit1656.c */
++CURLcode Curl_x509_GTime2str(struct dynbuf *store,
++ const char *beg, const char *end)
++{
++ return GTime2str(store, beg, end);
++}
++#endif
++
+ /*
+ * Convert an ASN.1 UTC time to a printable string.
+ *
+diff --git a/Utilities/cmcurl/lib/vtls/x509asn1.h b/Utilities/cmcurl/lib/vtls/x509asn1.h
+index 23a67b82..1d8bbabc 100644
+--- a/Utilities/cmcurl/lib/vtls/x509asn1.h
++++ b/Utilities/cmcurl/lib/vtls/x509asn1.h
+@@ -76,5 +76,16 @@ CURLcode Curl_extract_certinfo(struct Curl_easy *data, int certnum,
+ const char *beg, const char *end);
+ CURLcode Curl_verifyhost(struct Curl_cfilter *cf, struct Curl_easy *data,
+ const char *beg, const char *end);
++
++#ifdef UNITTESTS
++#if defined(USE_GNUTLS) || defined(USE_SCHANNEL) || defined(USE_SECTRANSP) || \
++ defined(USE_MBEDTLS)
++
++/* used by unit1656.c */
++CURLcode Curl_x509_GTime2str(struct dynbuf *store,
++ const char *beg, const char *end);
++#endif
++#endif
++
+ #endif /* USE_GNUTLS or USE_WOLFSSL or USE_SCHANNEL or USE_SECTRANSP */
+ #endif /* HEADER_CURL_X509ASN1_H */
+--
+2.45.2
+
diff --git a/SPECS/cmake/CVE-2024-9681.patch b/SPECS/cmake/CVE-2024-9681.patch
new file mode 100644
index 00000000000..c3e83e24c01
--- /dev/null
+++ b/SPECS/cmake/CVE-2024-9681.patch
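Review bot: The header of the CVE-2024-7264 patch gives no upstream reference, unlike the CVE-2024-9681 patch in this same commit which names the curl commit it backports, so a reviewer cannot check that the GTime2str rewrite (the `tzp == fracp` bail-out, the `fracl = tzp - fracp` trailing-zero strip and the new `+`/`-` timezone branch) is the fix curl actually shipped; add a line such as `Backported from: <upstream curl commit URL>` under the Subject. The rewritten code itself reads as memory-safe within the hunk: every `*tzp` dereference is behind the `tzp >= end` check, and the strip loop only indexes `fracp[0 .. fracl-1]`, which lies inside the digit run just scanned. The `Curl_x509_GTime2str` wrapper and its prototype are compiled only under `UNITTESTS`, and the unit1656.c test they exist for is not part of this backport, so as far as I can tell the fix has no test coverage in the vendored copy; one sentence in the patch header stating that the test was dropped on purpose would save the next reviewer the search.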
@@ -0,0 +1,64 @@
+From 62c0d5d5862df10ac671f5a94d49d30ec025aae2 Mon Sep 17 00:00:00 2001
+From: jykanase
+Date: Tue, 21 Jan 2025 11:57:45 +0000
+Subject: [PATCH] CVE-2024-9681.patch
+
+Backported form: https://github.com/curl/curl/commit/a94973805df96269bf
+---
+ Utilities/cmcurl/lib/hsts.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/Utilities/cmcurl/lib/hsts.c b/Utilities/cmcurl/lib/hsts.c
+index a5e76761..d1e434f2 100644
+--- a/Utilities/cmcurl/lib/hsts.c
++++ b/Utilities/cmcurl/lib/hsts.c
+@@ -249,12 +249,14 @@ CURLcode Curl_hsts_parse(struct hsts *h, const char *hostname,
+ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
+ bool subdomain)
+ {
++ struct stsentry *bestsub = NULL;
+ if(h) {
+ char buffer[MAX_HSTS_HOSTLEN + 1];
+ time_t now = time(NULL);
+ size_t hlen = strlen(hostname);
+ struct Curl_llist_element *e;
+ struct Curl_llist_element *n;
++ size_t blen = 0;
+
+ if((hlen > MAX_HSTS_HOSTLEN) || !hlen)
+ return NULL;
+@@ -279,15 +281,19 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
+ if(ntail < hlen) {
+ size_t offs = hlen - ntail;
+ if((hostname[offs-1] == '.') &&
+- strncasecompare(&hostname[offs], sts->host, ntail))
+- return sts;
++ strncasecompare(&hostname[offs], sts->host, ntail) &&
++ (ntail > blen)) {
++ /* save the tail match with the longest tail */
++ bestsub = sts;
++ blen = ntail;
++ }
+ }
+ }
+ if(strcasecompare(hostname, sts->host))
+ return sts;
+ }
+ }
+- return NULL; /* no match */
++ return bestsub;
+ }
+
+ /*
+@@ -439,7 +445,7 @@ static CURLcode hsts_add(struct hsts *h, char *line)
+ e = Curl_hsts(h, p, subdomain);
+ if(!e)
+ result = hsts_create(h, p, subdomain, expires);
+- else {
++ else if(strcasecompare(p, e->host)) {
+ /* the same host name, use the largest expire time */
+ if(expires > e->expires)
+ e->expires = expires;
+--
+2.45.2
+
diff --git a/SPECS/cmake/cmake.spec b/SPECS/cmake/cmake.spec
index cdbe4a585e2..6ba79565935 100644
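Review bot: The new `else if(strcasecompare(p, e->host))` in hsts_add has no trailing else, so a loaded line whose host differs from the entry Curl_hsts returned (now the longest includeSubDomains tail match rather than the first) is neither created nor merged, and nothing in the hunk says that is deliberate; if it is, add `/* covered by an existing includeSubDomains entry; keep the stored one */` on that branch so the next reader does not mistake it for a dropped case. hsts_add starts and ends outside the hunk, so what `result` holds on that silent path cannot be checked here. The Curl_hsts change looks right on its own: an exact host match still returns immediately inside the loop, and `bestsub` is only overwritten when `ntail > blen`, so the longest tail wins regardless of list order. The header line `Backported form:` presumably means `Backported from:`.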
--- a/SPECS/cmake/cmake.spec
+++ b/SPECS/cmake/cmake.spec
@@ -2,7 +2,7 @@
 Summary: Cmake
 Name: cmake
 Version: 3.30.3
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: BSD AND LGPLv2+
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -15,6 +15,8 @@ Patch1: CVE-2024-6197.patch
 Patch2: CVE-2024-6874.patch
 Patch3: CVE-2024-8096.patch
 Patch4: CVE-2024-11053.patch
+Patch5: CVE-2024-7264.patch
+Patch6: CVE-2024-9681.patch
 BuildRequires: bzip2
 BuildRequires: bzip2-devel
 BuildRequires: curl
@@ -94,6 +96,9 @@ bin/ctest --force-new-ctest-process --rerun-failed --output-on-failure
 %{_libdir}/rpm/macros.d/macros.cmake
 %changelog
+* Tue Jan 22 2025 Jyoti Kanase - 3.30.3-4
+- Fix CVE-2024-7264 and CVE-2024-9681
+
 * Wed Jan 15 2025 Henry Beberman - 3.30.3-3
 - Patch vendored curl for CVE-2024-11053
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index 877530ca4d9..6fd6abb7d51 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -49,8 +49,8 @@ check-debuginfo-0.15.2-1.azl3.aarch64.rpm
 chkconfig-1.25-1.azl3.aarch64.rpm
 chkconfig-debuginfo-1.25-1.azl3.aarch64.rpm
 chkconfig-lang-1.25-1.azl3.aarch64.rpm
-cmake-3.30.3-3.azl3.aarch64.rpm
-cmake-debuginfo-3.30.3-3.azl3.aarch64.rpm
+cmake-3.30.3-4.azl3.aarch64.rpm
+cmake-debuginfo-3.30.3-4.azl3.aarch64.rpm
 coreutils-9.4-6.azl3.aarch64.rpm
 coreutils-debuginfo-9.4-6.azl3.aarch64.rpm
 coreutils-lang-9.4-6.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index 420838c98c0..b352b9c84ae 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
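Review bot: The weekday in the new %changelog entry is wrong: 22 Jan 2025 was a Wednesday (the existing entry directly below already dates 15 Jan 2025 as Wed), and rpmbuild reports a weekday/date mismatch as a bogus date in %changelog; change the line to `* Wed Jan 22 2025 Jyoti Kanase - 3.30.3-4`. Patch5 and Patch6 are declared in the second hunk, but %prep is outside this diff; if it applies patches with explicit %patch lines rather than %autosetup, the two new patches also have to be listed there or they are never applied to the vendored curl.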
@@ -52,8 +52,8 @@ check-debuginfo-0.15.2-1.azl3.x86_64.rpm
 chkconfig-1.25-1.azl3.x86_64.rpm
 chkconfig-debuginfo-1.25-1.azl3.x86_64.rpm
 chkconfig-lang-1.25-1.azl3.x86_64.rpm
-cmake-3.30.3-3.azl3.x86_64.rpm
-cmake-debuginfo-3.30.3-3.azl3.x86_64.rpm
+cmake-3.30.3-4.azl3.x86_64.rpm
+cmake-debuginfo-3.30.3-4.azl3.x86_64.rpm
 coreutils-9.4-6.azl3.x86_64.rpm
 coreutils-debuginfo-9.4-6.azl3.x86_64.rpm
 coreutils-lang-9.4-6.azl3.x86_64.rpm