(PA-6878) Patch agent-runtime-7.x and main Curl for CVE-2024-7264

puppetlabs · Aug 23, 2024 · 2b9c990 · 2b9c990
1 parent d9873e5
commit 2b9c990
Show file tree

Hide file tree

Showing 3 changed files with 88 additions and 3 deletions.
diff --git a/configs/components/curl.rb b/configs/components/curl.rb
@@ -6,8 +6,8 @@
  case version
  when '7.88.1'
  pkg.sha256sum 'cdb38b72e36bc5d33d5b8810f8018ece1baa29a8f215b4495e495ded82bbf3c7'
- when '8.7.1'
- pkg.sha256sum 'f91249c87f68ea00cf27c44fdfa5a78423e41e71b7d408e5901a9896d905c495'
+ when '8.9.1'
+ pkg.sha256sum '291124a007ee5111997825940b3876b3048f7d31e73e9caa681b80fe48b2dcd5'
  else
  raise "curl version #{version} has not been configured; Cannot continue."
  end
@@ -47,6 +47,7 @@
  pkg.apply_patch 'resources/patches/curl/CVE-2023-46218.patch'
  pkg.apply_patch 'resources/patches/curl/CVE-2024-2004.patch'
  pkg.apply_patch 'resources/patches/curl/CVE-2024-2398.patch'
+ pkg.apply_patch 'resources/patches/curl/CVE-2024-7264.patch'
  end
 
  configure_options = []

diff --git a/configs/projects/agent-runtime-main.rb b/configs/projects/agent-runtime-main.rb
@@ -14,7 +14,7 @@
  proj.setting :augeas_version, '1.14.1'
  end
 
- proj.setting :curl_version, '8.7.1'
+ proj.setting :curl_version, '8.9.1'
 
  ########
  # Load shared agent settings

diff --git a/resources/patches/curl/CVE-2024-7264.patch b/resources/patches/curl/CVE-2024-7264.patch
@@ -0,0 +1,84 @@
+--- a/lib/x509asn1.c
++++ b/lib/x509asn1.c
+@@ -493,12 +493,13 @@ static const char *GTime2str(const char
+ fracl = 0; /* no fractional seconds detected so far */
+ if(fracp < end && (*fracp == '.' || *fracp == ',')) {
+ /* Have fractional seconds, e.g. "[.,]\d+". How many? */
+- tzp = fracp++; /* should be a digit char or BAD ARGUMENT */
++ fracp++; /* should be a digit char or BAD ARGUMENT */
++ tzp = fracp;
+ while(tzp < end && ISDIGIT(*tzp))
+ tzp++;
+ if(tzp == fracp) /* never looped, no digit after [.,] */
+ return CURLE_BAD_FUNCTION_ARGUMENT;
+- fracl = tzp - fracp - 1; /* number of fractional sec digits */
++ fracl = tzp - fracp; /* number of fractional sec digits */
+ DEBUGASSERT(fracl > 0);
+ /* Strip trailing zeroes in fractional seconds.
+ * May reduce fracl to 0 if only '0's are present. */
+@@ -507,18 +508,24 @@ static const char *GTime2str(const char
+ }
+
+ /* Process timezone. */
+- if(tzp >= end)
+- ; /* Nothing to do. */
++ if(tzp >= end) {
++ tzp = "";
++ tzl = 0;
++ }
+ else if(*tzp == 'Z') {
+- tzp = " GMT";
+- end = tzp + 4;
++ sep = " ";
++ tzp = "GMT";
++ tzl = 3;
++ }
++ else if((*tzp == '+') || (*tzp == '-')) {
++ sep = " UTC";
++ tzl = end - tzp;
+ }
+ else {
+ sep = " ";
+- tzp++;
++ tzl = end - tzp;
+ }
+
+- tzl = end - tzp;
+ return curl_maprintf("%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s",
+ beg, beg + 4, beg + 6,
+ beg + 8, beg + 10, sec1, sec2,
+@@ -526,6 +533,15 @@ static const char *GTime2str(const char
+ sep, tzl, tzp);
+ }
+
++#ifdef UNITTESTS
++/* used by unit1656.c */
++CURLcode Curl_x509_GTime2str(struct dynbuf *store,
++ const char *beg, const char *end)
++{
++ return GTime2str(store, beg, end);
++}
++#endif
++
+ /*
+ * Convert an ASN.1 UTC time to a printable string.
+ * Return the dynamically allocated string, or NULL if an error occurs.
+--- a/lib/x509asn1.h
++++ b/lib/x509asn1.h
+@@ -130,5 +130,16 @@ CURLcode Curl_extract_certinfo(struct co
+ const char *beg, const char *end);
+ CURLcode Curl_verifyhost(struct connectdata *conn,
+ const char *beg, const char *end);
++
++#ifdef UNITTESTS
++#if defined(USE_GNUTLS) || defined(USE_SCHANNEL) || defined(USE_SECTRANSP) || \
++ defined(USE_MBEDTLS)
++
++/* used by unit1656.c */
++CURLcode Curl_x509_GTime2str(struct dynbuf *store,
++ const char *beg, const char *end);
++#endif
++#endif
++
+ #endif /* USE_GSKIT or USE_NSS or USE_GNUTLS or USE_WOLFSSL or USE_SCHANNEL */
+ #endif /* HEADER_CURL_X509ASN1_H */