From e50f056c84898ae5f85096a6073a0d7da1c7f4fd Mon Sep 17 00:00:00 2001
From: yangl777 <yanglu72@h-partners.com>
Date: Mon, 11 Nov 2024 10:48:42 +0000
Subject: [PATCH] fix CVE-2024-9681

(cherry picked from commit 2e051d6a465bf85f4af2a922bc424964b8e1b412)
---
 backport-CVE-2024-9681.patch     | 82 ++++++++++++++++++++++++++++++++
 backport-pre-CVE-2024-9681.patch | 69 +++++++++++++++++++++++++++
 curl.spec                        | 10 +++-
 3 files changed, 160 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2024-9681.patch
 create mode 100644 backport-pre-CVE-2024-9681.patch

diff --git a/backport-CVE-2024-9681.patch b/backport-CVE-2024-9681.patch
new file mode 100644
index 0000000..6b5abae
--- /dev/null
+++ b/backport-CVE-2024-9681.patch
@@ -0,0 +1,82 @@
+From a94973805df96269bf3f3bf0a20ccb9887313316 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 9 Oct 2024 10:04:35 +0200
+Subject: [PATCH] hsts: improve subdomain handling
+
+- on load, only replace existing HSTS entries if there is a full host
+  match
+
+- on matching, prefer a full host match and secondary the longest tail
+  subdomain match
+
+Closes #15210
+Conflict:Context adapt
+Reference:https://github.com/curl/curl/commit/a94973805df96269bf3f3bf0a20ccb9887313316
+---
+ lib/hsts.c          | 14 ++++++++++----
+ tests/data/test1660 |  2 +-
+ 2 files changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/lib/hsts.c b/lib/hsts.c
+index d5e883f51ef0f7..12052ce53c1c5a 100644
+--- a/lib/hsts.c
++++ b/lib/hsts.c
+@@ -249,11 +249,13 @@ CURLcode Curl_hsts_parse(struct hsts *h, const char *hostname,
+ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
+                            bool subdomain)
+ {
++  struct stsentry *bestsub = NULL;
+   if(h) {
+     time_t now = time(NULL);
+     size_t hlen = strlen(hostname);
+     struct Curl_llist_element *e;
+     struct Curl_llist_element *n;
++    size_t blen = 0;
+ 
+     if((hlen > MAX_HSTS_HOSTLEN) || !hlen)
+       return NULL;
+@@ -275,15 +277,19 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
+       if((subdomain && sts->includeSubDomains) && (ntail < hlen)) {
+         size_t offs = hlen - ntail;
+         if((hostname[offs-1] == '.') &&
+-           strncasecompare(&hostname[offs], sts->host, ntail))
+-          return sts;
++           strncasecompare(&hostname[offs], sts->host, ntail) &&
++           (ntail > blen)) {
++          /* save the tail match with the longest tail */
++          bestsub = sts;
++          blen = ntail;
++        }
+       }
+       /* avoid strcasecompare because the host name is not null terminated */
+       if((hlen == ntail) && strncasecompare(hostname, sts->host, hlen))
+         return sts;
+     }
+   }
+-  return NULL; /* no match */
++  return bestsub;
+ }
+ 
+ /*
+@@ -435,7 +441,7 @@ static CURLcode hsts_add(struct hsts *h, char *line)
+     e = Curl_hsts(h, p, subdomain);
+     if(!e)
+       result = hsts_create(h, p, subdomain, expires);
+-    else {
++    else if(strcasecompare(p, e->host)) {
+       /* the same host name, use the largest expire time */
+       if(expires > e->expires)
+         e->expires = expires;
+diff --git a/tests/data/test1660 b/tests/data/test1660
+index f86126d19cf269..4b6f9615c9d517 100644
+--- a/tests/data/test1660
++++ b/tests/data/test1660
+@@ -52,7 +52,7 @@ this.example [this.example]: 1548400797
+ Input 12: error 43
+ Input 13: error 43
+ Input 14: error 43
+-3.example.com [example.com]: 1569905261 includeSubDomains
++3.example.com [3.example.com]: 1569905261 includeSubDomains
+ 3.example.com [example.com]: 1569905261 includeSubDomains
+ foo.example.com [example.com]: 1569905261 includeSubDomains
+ 'foo.xample.com' is not HSTS
diff --git a/backport-pre-CVE-2024-9681.patch b/backport-pre-CVE-2024-9681.patch
new file mode 100644
index 0000000..cac0ac4
--- /dev/null
+++ b/backport-pre-CVE-2024-9681.patch
@@ -0,0 +1,69 @@
+From 60d8663afb0fb7f113604404c50840dfe9320039 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 8 Oct 2024 11:20:40 +0200
+Subject: [PATCH] hsts: avoid the local buffer and memcpy on lookup
+
+Closes #15190
+Conflict:Context adapt
+Reference:https://github.com/curl/curl/commit/60d8663afb0fb7f113604404c50840dfe9320039
+---
+ lib/hsts.c | 22 +++++++++-------------
+ 1 file changed, 9 insertions(+), 13 deletions(-)
+
+diff --git a/lib/hsts.c b/lib/hsts.c
+index 7ecf004..f5e5bbf 100644
+--- a/lib/hsts.c
++++ b/lib/hsts.c
+@@ -250,7 +250,6 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
+                            bool subdomain)
+ {
+   if(h) {
+-    char buffer[MAX_HSTS_HOSTLEN + 1];
+     time_t now = time(NULL);
+     size_t hlen = strlen(hostname);
+     struct Curl_llist_element *e;
+@@ -258,15 +257,13 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
+ 
+     if((hlen > MAX_HSTS_HOSTLEN) || !hlen)
+       return NULL;
+-    memcpy(buffer, hostname, hlen);
+     if(hostname[hlen-1] == '.')
+       /* remove the trailing dot */
+       --hlen;
+-    buffer[hlen] = 0;
+-    hostname = buffer;
+ 
+     for(e = h->list.head; e; e = n) {
+       struct stsentry *sts = e->ptr;
++      size_t ntail;
+       n = e->next;
+       if(sts->expires <= now) {
+         /* remove expired entries */
+@@ -274,16 +271,15 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
+         hsts_free(sts);
+         continue;
+       }
+-      if(subdomain && sts->includeSubDomains) {
+-        size_t ntail = strlen(sts->host);
+-        if(ntail < hlen) {
+-          size_t offs = hlen - ntail;
+-          if((hostname[offs-1] == '.') &&
+-             strncasecompare(&hostname[offs], sts->host, ntail))
+-            return sts;
+-        }
++      ntail = strlen(sts->host);
++      if((subdomain && sts->includeSubDomains) && (ntail < hlen)) {
++        size_t offs = hlen - ntail;
++        if((hostname[offs-1] == '.') &&
++           strncasecompare(&hostname[offs], sts->host, ntail))
++          return sts;
+       }
+-      if(strcasecompare(hostname, sts->host))
++      /* avoid strcasecompare because the host name is not null terminated */
++      if((hlen == ntail) && strncasecompare(hostname, sts->host, hlen))
+         return sts;
+     }
+   }
+-- 
+2.43.0
+
diff --git a/curl.spec b/curl.spec
index 5325732..b110d07 100644
--- a/curl.spec
+++ b/curl.spec
@@ -7,7 +7,7 @@
 
 Name:           curl
 Version:        8.4.0
-Release:        10
+Release:        11
 Summary:        Curl is used in command lines or scripts to transfer data
 License:        curl
 URL:            https://curl.se/
@@ -34,6 +34,8 @@ Patch25:        backport-CVE-2024-7264-x509asn1-clean-up-GTime2str.patch
 Patch26:        backport-CVE-2024-7264-x509asn1-unittests-and-fixes-fo.patch
 Patch27:        backport-CVE-2024-8096-gtls-fix-OCSP-stapling-management.patch
 Patch28:        backport-url-allow-DoH-transfers-to-override-max-connection-limit.patch
+Patch29:        backport-pre-CVE-2024-9681.patch
+Patch30:        backport-CVE-2024-9681.patch
 
 BuildRequires:  automake brotli-devel coreutils gcc groff krb5-devel
 BuildRequires:  libidn2-devel libnghttp2-devel libpsl-devel
@@ -219,6 +221,12 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_mandir}/man3/*
 
 %changelog
+* Mon Nov 11 2024 yanglu <yanglu72@h-partners.com> - 8.4.0-11
+- Type:CVE
+- CVE:CVE-2024-9681
+- SUG:NA
+- DESC:fix CVE-2024-9681
+
 * Fri Sep 20 2024 zhouyihang <zhouyihang3@h-partners.com> - 8.4.0-10
 - Type:bugfix
 - CVE:NA
-- 
Gitee