From 41e7fc4aa8ac5ce01304ab3996016de41eef8931 Mon Sep 17 00:00:00 2001
From: changtao <changtao@kylinos.cn>
Date: Sat, 26 Oct 2024 01:36:34 +0800
Subject: [PATCH] fix CVE-2024-9681

---
 backport-fix-CVE-2024-9681.patch | 102 +++++++++++++++++++++++++++++++
 curl.spec                        |   9 ++-
 2 files changed, 110 insertions(+), 1 deletion(-)
 create mode 100644 backport-fix-CVE-2024-9681.patch

diff --git a/backport-fix-CVE-2024-9681.patch b/backport-fix-CVE-2024-9681.patch
new file mode 100644
index 0000000..0b38ae4
--- /dev/null
+++ b/backport-fix-CVE-2024-9681.patch
@@ -0,0 +1,102 @@
+From a94973805df96269bf3f3bf0a20ccb9887313316 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 26 Oct 2024 01:31:33 +0800
+Subject: [PATCH] hsts: improve subdomain handling
+
+- on load, only replace existing HSTS entries if there is a full host
+  match
+
+- on matching, prefer a full host match and secondary the longest tail
+  subdomain match
+
+Closes #15210
+Conflict:Adaptation of community patches with reference to other vendors' modification
+         1.Context adaptation 
+         2.strncasecompare(&hostname[offs], sts->host, ntail)=>Curl_strncasecompare(&hostname[offs], sts->host, ntail)
+         3.Added if((hlen == ntail) && Curl_strncasecompare(hostname, sts->host, hlen)) modification.
+Reference:https://github.com/curl/curl/commit/a94973805df96269bf3f3bf0a20ccb9887313316
+
+---
+ lib/hsts.c          | 26 ++++++++++++++++----------
+ tests/data/test1660 |  2 +-
+ 2 files changed, 17 insertions(+), 11 deletions(-)
+
+diff --git a/lib/hsts.c b/lib/hsts.c
+index 6035995..52ee6bb 100644
+--- a/lib/hsts.c
++++ b/lib/hsts.c
+@@ -238,13 +238,16 @@ CURLcode Curl_hsts_parse(struct hsts *h, const char *hostname,
+ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
+                            bool subdomain)
+ {
++  struct stsentry *bestsub = NULL;	
+   if(h) {
+     time_t now = time(NULL);
+     size_t hlen = strlen(hostname);
+     struct Curl_llist_element *e;
+     struct Curl_llist_element *n;
++    size_t blen = 0;
+     for(e = h->list.head; e; e = n) {
+       struct stsentry *sts = e->ptr;
++      size_t ntail;
+       n = e->next;
+       if(sts->expires <= now) {
+         /* remove expired entries */
+@@ -252,20 +255,23 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
+         hsts_free(sts);
+         continue;
+       }
+-      if(subdomain && sts->includeSubDomains) {
+-        size_t ntail = strlen(sts->host);
+-        if(ntail < hlen) {
+-          size_t offs = hlen - ntail;
+-          if((hostname[offs-1] == '.') &&
+-             Curl_strncasecompare(&hostname[offs], sts->host, ntail))
+-            return sts;
++      ntail = strlen(sts->host);
++      if((subdomain && sts->includeSubDomains) && (ntail < hlen)) {
++        size_t offs = hlen - ntail;
++        if((hostname[offs-1] == '.') &&
++           Curl_strncasecompare(&hostname[offs], sts->host, ntail) &&
++           (ntail > blen)) {
++          /* save the tail match with the longest tail */
++          bestsub = sts;
++          blen = ntail;
+         }
+       }
+-      if(Curl_strcasecompare(hostname, sts->host))
++      /* avoid strcasecompare because the host name is not null terminated */
++      if((hlen == ntail) && Curl_strncasecompare(hostname, sts->host, hlen))
+         return sts;
+     }
+   }
+-  return NULL; /* no match */
++  return bestsub;
+ }
+ 
+ /*
+@@ -417,7 +423,7 @@ static CURLcode hsts_add(struct hsts *h, char *line)
+     e = Curl_hsts(h, p, subdomain);
+     if(!e)
+       result = hsts_create(h, p, subdomain, expires);
+-    else {
++    else if(Curl_strcasecompare(p, e->host)) {	
+       /* the same host name, use the largest expire time */
+       if(expires > e->expires)
+         e->expires = expires;
+diff --git a/tests/data/test1660 b/tests/data/test1660
+index cbbcf75..662026b 100644
+--- a/tests/data/test1660
++++ b/tests/data/test1660
+@@ -52,7 +52,7 @@ this.example [this.example]: 1548400797
+ Input 12: error 43
+ Input 13: error 43
+ Input 14: error 43
+-3.example.com [example.com]: 1569905261 includeSubDomains
++3.example.com [3.example.com]: 1569905261 includeSubDomains
+ 3.example.com [example.com]: 1569905261 includeSubDomains
+ foo.example.com [example.com]: 1569905261 includeSubDomains
+ 'foo.xample.com' is not HSTS
+-- 
+2.43.0
+
diff --git a/curl.spec b/curl.spec
index 376b512..db660e3 100644
--- a/curl.spec
+++ b/curl.spec
@@ -6,7 +6,7 @@
 
 Name:           curl
 Version:        7.79.1
-Release:        32
+Release:        33
 Summary:        Curl is used in command lines or scripts to transfer data
 License:        MIT
 URL:            https://curl.haxx.se/
@@ -107,6 +107,7 @@ Patch93:        backport-CVE-2024-7264-x509asn1-clean-up-GTime2str.patch
 Patch94:        backport-CVE-2024-7264-x509asn1-unittests-and-fixes-fo.patch
 Patch95:        backport-CVE-2024-8096-gtls-fix-OCSP-stapling-management.patch
 Patch96:        backport-url-allow-DoH-transfers-to-override-max-connection-limit.patch
+Patch97:        backport-fix-CVE-2024-9681.patch
 
 BuildRequires:  automake brotli-devel coreutils gcc groff krb5-devel
 BuildRequires:  libidn2-devel libnghttp2-devel libpsl-devel
@@ -275,6 +276,12 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_mandir}/man3/*
 
 %changelog
+* Wed Nov 13 2024 changtao <changtao@kylinos.cn> - 7.79.1-33
+- Type:CVE
+- CVE:CVE-2024-9681
+- SUG:NA
+- DESC:FIX CVE-2024-9681
+
 * Fri Sep 20 2024 zhouyihang <zhouyihang3@h-partners.com> - 7.79.1-32
 - Type:bugfix
 - CVE:NA
-- 
Gitee