From b96da1b05eacc4c67a2c0062fa6804c8c4832836 Mon Sep 17 00:00:00 2001
From: sherlock2010 <15151851377@163.com>
Date: Fri, 12 Sep 2025 11:36:35 +0800
Subject: [PATCH] fix CVE-2025-9086 CVE-2025-10148

(cherry picked from commit 7b04731a5c3d4f27f683f390aeffe6ff395fc51c)
---
 backport-CVE-2025-10148.patch | 52 ++++++++++++++++++++++++++++++++
 backport-CVE-2025-9086.patch  | 56 +++++++++++++++++++++++++++++++++++
 curl.spec                     | 10 ++++++-
 3 files changed, 117 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2025-10148.patch
 create mode 100644 backport-CVE-2025-9086.patch

diff --git a/backport-CVE-2025-10148.patch b/backport-CVE-2025-10148.patch
new file mode 100644
index 0000000..5800d8d
--- /dev/null
+++ b/backport-CVE-2025-10148.patch
@@ -0,0 +1,52 @@
+From 84db7a9eae8468c0445b15aa806fa7fa806fa0f2 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 8 Sep 2025 14:14:15 +0200
+Subject: [PATCH] ws: get a new mask for each new outgoing frame
+
+Reported-by: Calvin Ruocco
+Closes #18496
+
+Conflict:context adapt
+infof msg adapt
+delete DEBUGBUILD condition which not exist
+Reference:https://github.com/curl/curl/commit/84db7a9eae8468c0445b15aa806fa7fa806fa0f2
+---
+ lib/ws.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/lib/ws.c b/lib/ws.c
+index e973409b6..3b6542816 100644
+--- a/lib/ws.c
++++ b/lib/ws.c
+@@ -875,6 +875,12 @@ static CURLcode ws_enc_add_frame(struct Curl_easy *data,
+   enc->payload_remain = enc->payload_len = payload_len;
+   ws_enc_info(enc, data, "sending");
+ 
++  /* 4 bytes random */
++
++  result = Curl_rand(data, (unsigned char *)&enc->mask, sizeof(enc->mask));
++  if(result)
++    return result;
++
+   /* add 4 bytes mask */
+   memcpy(&head[hlen], &enc->mask, 4);
+   hlen += 4;
+@@ -1335,14 +1347,7 @@ CURLcode Curl_ws_accept(struct Curl_easy *data,
+      subprotocol not requested by the client), the client MUST Fail
+      the WebSocket Connection. */
+ 
+-  /* 4 bytes random */
+-
+-  result = Curl_rand(data, (unsigned char *)&ws->enc.mask,
+-                     sizeof(ws->enc.mask));
+-  if(result)
+-    return result;
+-  infof(data, "Received 101, switch to WebSocket; mask %02x%02x%02x%02x",
+-        ws->enc.mask[0], ws->enc.mask[1], ws->enc.mask[2], ws->enc.mask[3]);
++  infof(data, "Received 101, switch to WebSocket");
+ 
+   if(data->set.connect_only) {
+     ssize_t nwritten;
+-- 
+2.43.0
+
diff --git a/backport-CVE-2025-9086.patch b/backport-CVE-2025-9086.patch
new file mode 100644
index 0000000..ed375ed
--- /dev/null
+++ b/backport-CVE-2025-9086.patch
@@ -0,0 +1,56 @@
+From c6ae07c6a541e0e96d0040afb62b45dd37711300 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 11 Aug 2025 20:23:05 +0200
+Subject: [PATCH] cookie: don't treat the leading slash as trailing
+
+If there is only a leading slash in the path, keep that. Also add an
+assert to make sure the path is never blank.
+
+Reported-by: Google Big Sleep
+Closes #18266
+
+Conflict:context adapt
+delete comment change which not exist
+cookie_path => new_path
+Reference:https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb62b45dd37711300
+---
+ lib/cookie.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 914a4aca1..b72dd99bc 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -296,7 +296,7 @@ static char *sanitize_cookie_path(const char *cookie_path)
+   }
+ 
+   /* convert /hoge/ to /hoge */
+-  if(len && new_path[len - 1] == '/') {
++  if(len > 1 && new_path[len - 1] == '/') {
+     new_path[len - 1] = 0x0;
+   }
+ 
+@@ -965,7 +965,7 @@ replace_existing(struct Curl_easy *data,
+          clist->spath && co->spath && /* both have paths */
+          clist->secure && !co->secure && !secure) {
+         size_t cllen;
+-        const char *sep;
++        const char *sep = NULL;
+ 
+         /*
+          * A non-secure cookie may not overlay an existing secure cookie.
+@@ -974,8 +974,9 @@ replace_existing(struct Curl_easy *data,
+          * "/loginhelper" is ok.
+          */
+ 
+-        sep = strchr(clist->spath + 1, '/');
+-
++        DEBUGASSERT(clist->spath[0]);
++        if(clist->spath[0])
++          sep = strchr(clist->spath + 1, '/');
+         if(sep)
+           cllen = sep - clist->spath;
+         else
+-- 
+2.43.0
+
diff --git a/curl.spec b/curl.spec
index c4baf78..eb28e30 100644
--- a/curl.spec
+++ b/curl.spec
@@ -7,7 +7,7 @@
 
 Name:           curl
 Version:        8.4.0
-Release:        21
+Release:        22
 Summary:        Curl is used in command lines or scripts to transfer data
 License:        curl
 URL:            https://curl.se/
@@ -55,6 +55,8 @@ Patch46:        backport-libssh-fix-freeing-of-resources-in-disconnect.patch
 Patch47:        backport-openssl-fix-crash-on-missing-cert-password.patch
 Patch48:        backport-curl_path-make-SFTP-handle-a-path-like-properly.patch
 Patch49:        backport-tool_getparam-clear-argument-only-when-needed.patch
+Patch50:        backport-CVE-2025-9086.patch
+Patch51:        backport-CVE-2025-10148.patch
 
 BuildRequires:  automake brotli-devel coreutils gcc groff krb5-devel
 BuildRequires:  libidn2-devel libnghttp2-devel libpsl-devel
@@ -242,6 +244,12 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_mandir}/man3/*
 
 %changelog
+* Fri Sep 12 2025 zhouyihang <zhouyihang3@h-partners.com> - 8.4.0-22
+- Type:CVE
+- CVE:CVE-2025-9086 CVE-2025-10148
+- SUG:NA
+- DESC:fix CVE-2025-9086 CVE-2025-10148
+
 * Mon Aug 18 2025 zhouyihang <zhouyihang3@h-partners.com> - 8.4.0-21
 - Type:bugfix
 - CVE:NA
-- 
Gitee