From 9af7a38c3866bd7d0a42344220ef8ebc0fdd810d Mon Sep 17 00:00:00 2001
From: Amit Karsale
Date: Fri, 30 Aug 2024 17:29:31 +0530
Subject: [PATCH] (PA-6878) Patch agent-runtime-7.x and main Curl for CVE-2024-7264
---
 configs/components/curl.rb | 5 +-
 configs/projects/agent-runtime-main.rb | 2 +-
 resources/patches/curl/CVE-2024-7264.patch | 93 ++++++++++++++++++++++
 3 files changed, 97 insertions(+), 3 deletions(-)
 create mode 100644 resources/patches/curl/CVE-2024-7264.patch
diff --git a/configs/components/curl.rb b/configs/components/curl.rb
index b7100d54e..e2efe4df0 100644
--- a/configs/components/curl.rb
+++ b/configs/components/curl.rb
@@ -6,8 +6,8 @@
 case version
 when '7.88.1'
 pkg.sha256sum 'cdb38b72e36bc5d33d5b8810f8018ece1baa29a8f215b4495e495ded82bbf3c7'
- when '8.7.1'
- pkg.sha256sum 'f91249c87f68ea00cf27c44fdfa5a78423e41e71b7d408e5901a9896d905c495'
+ when '8.9.1'
+ pkg.sha256sum '291124a007ee5111997825940b3876b3048f7d31e73e9caa681b80fe48b2dcd5'
 else
 raise "curl version #{version} has not been configured; Cannot continue."
 end
@@ -47,6 +47,7 @@
 pkg.apply_patch 'resources/patches/curl/CVE-2023-46218.patch'
 pkg.apply_patch 'resources/patches/curl/CVE-2024-2004.patch'
 pkg.apply_patch 'resources/patches/curl/CVE-2024-2398.patch'
+ pkg.apply_patch 'resources/patches/curl/CVE-2024-7264.patch'
 end
 configure_options = []
diff --git a/configs/projects/agent-runtime-main.rb b/configs/projects/agent-runtime-main.rb
index 1d062e8f9..4f3e8398e 100644
--- a/configs/projects/agent-runtime-main.rb
+++ b/configs/projects/agent-runtime-main.rb
@@ -14,7 +14,7 @@
 proj.setting :augeas_version, '1.14.1'
 end
- proj.setting :curl_version, '8.7.1'
+ proj.setting :curl_version, '8.9.1'
 ########
 # Load shared agent settings
diff --git a/resources/patches/curl/CVE-2024-7264.patch b/resources/patches/curl/CVE-2024-7264.patch
new file mode 100644
index 000000000..220a13800
--- /dev/null
+++ b/resources/patches/curl/CVE-2024-7264.patch
@@ -0,0 +1,93 @@
+diff --git a/lib/vtls/x509asn1.c b/lib/vtls/x509asn1.c
+index 39e4fb33b..7e2e3d724 100644
+--- a/lib/vtls/x509asn1.c
++++ b/lib/vtls/x509asn1.c
+@@ -566,28 +566,40 @@ static const char *GTime2str(const char *beg, const char *end)
+ tzp = fracp;
+ fracl = 0;
+ if(fracp < end && (*fracp == '.' || *fracp == ',')) {
+- fracp++;
+- do
++ /* Have fractional seconds, e.g. "[.,]\d+". How many? */
++ fracp++; /* should be a digit char or BAD ARGUMENT */
++ tzp = fracp;
++ while(tzp < end && ISDIGIT(*tzp))
+ tzp++;
+- while(tzp < end && *tzp >= '0' && *tzp <= '9');
+- /* Strip leading zeroes in fractional seconds. */
+- for(fracl = tzp - fracp - 1; fracl && fracp[fracl - 1] == '0'; fracl--)
+- ;
++ if(tzp == fracp) /* never looped, no digit after [.,] */
++ return CURLE_BAD_FUNCTION_ARGUMENT;
++ fracl = tzp - fracp; /* number of fractional sec digits */
++ DEBUGASSERT(fracl > 0);
++ /* Strip trailing zeroes in fractional seconds.
++ * May reduce fracl to 0 if only '0's are present. */
++ while(fracl && fracp[fracl - 1] == '0')
++ fracl--;
+ }
+ 
+ /* Process timezone. */
+- if(tzp >= end)
+- ; /* Nothing to do. */
++ if(tzp >= end) {
++ sep = " ";
++ tzp = "GMT";
++ tzl = 3;
++ }
++ else if((*tzp == '+') || (*tzp == '-')) {
++ sep = " UTC";
++ tzl = end - tzp;
++ } /* Nothing to do. */
+ else if(*tzp == 'Z') {
+ tzp = " GMT";
+ end = tzp + 4;
+ }
+ else {
+ sep = " ";
+- tzp++;
++ tzl = end - tzp;
+ }
+ 
+- tzl = end - tzp;
+ return curl_maprintf("%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s",
+ beg, beg + 4, beg + 6,
+ beg + 8, beg + 10, sec1, sec2,
+@@ -595,6 +607,15 @@ static const char *GTime2str(const char *beg, const char *end)
+ sep, (int)tzl, tzp);
+ }
+ 
++#ifdef UNITTESTS
++/* used by unit1656.c */
++CURLcode Curl_x509_GTime2str(struct dynbuf *store,
++ const char *beg, const char *end)
++{
++ return GTime2str(store, beg, end);
++}
++#endif
++
+ /*
+ * Convert an ASN.1 UTC time to a printable string.
+ * Return the dynamically allocated string, or NULL if an error occurs.
+diff --git a/lib/vtls/x509asn1.h b/lib/vtls/x509asn1.h
+index 5496de40e..93925718c 100644
+--- a/lib/vtls/x509asn1.h
++++ b/lib/vtls/x509asn1.h
+@@ -76,6 +76,17 @@ CURLcode Curl_extract_certinfo(struct Curl_easy *data, int certnum,
+ const char *beg, const char *end);
+ CURLcode Curl_verifyhost(struct Curl_cfilter *cf, struct Curl_easy *data,
+ const char *beg, const char *end);
++
++#ifdef UNITTESTS
++#if defined(USE_GNUTLS) || defined(USE_SCHANNEL) || defined(USE_SECTRANSP) || \
++ defined(USE_MBEDTLS)
++
++/* used by unit1656.c */
++CURLcode Curl_x509_GTime2str(struct dynbuf *store,
++ const char *beg, const char *end);
++#endif
++#endif
++
+ #endif /* USE_GSKIT or USE_NSS or USE_GNUTLS or USE_WOLFSSL or USE_SCHANNEL
+ * or USE_SECTRANSP */
+ #endif /* HEADER_CURL_X509ASN1_H */
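Review bot: On the new side of the x509asn1.c hunk inside this patch file, the `'Z'` branch of the timezone handling no longer assigns `tzl`: the trailing `tzl = end - tzp;` is removed, yet `else if(*tzp == 'Z') { tzp = " GMT"; end = tzp + 4; }` is kept as-is, so for the common `...Z` GeneralizedTime form the `%.*s` in `curl_maprintf` receives whatever `tzl` held before (GTime2str and the declaration of `tzl` begin before the hunk; if `tzl` is not initialized there, this reads an indeterminate value and can print past the 5-byte literal). Making that branch match the two new ones, `else if(*tzp == 'Z') { sep = " "; tzp = "GMT"; tzl = 3; }`, keeps the original " GMT" output. Separately, `return CURLE_BAD_FUNCTION_ARGUMENT;` is added to a function whose hunk header reads `static const char *GTime2str(const char *beg, const char *end)` and whose unchanged tail still does `return curl_maprintf(...)`, so this backport returns an integer code through a pointer return type; `return NULL;` is the failure value consistent with the "or NULL if an error occurs" contract stated in the comment right after the hunk. The `#ifdef UNITTESTS` wrapper likewise calls `GTime2str(store, beg, end)` with three arguments against that two-argument signature, which would break unit-test builds only. The `} /* Nothing to do. */` comment left on the `+`/`-` branch is stale and can be dropped.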