From 75da64ec7b08a25fea03230832898ecb3813f93b Mon Sep 17 00:00:00 2001
From: sherlock2010 <15151851377@163.com>
Date: Fri, 12 Sep 2025 11:43:53 +0800
Subject: [PATCH] fix CVE-2025-9086

(cherry picked from commit e5d65b9e1a183685b85ef1d6dd07f1d71c5269a9)
---
 backport-CVE-2025-9086.patch | 56 ++++++++++++++++++++++++++++++++++++
 curl.spec                    |  9 +++++-
 2 files changed, 64 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2025-9086.patch

diff --git a/backport-CVE-2025-9086.patch b/backport-CVE-2025-9086.patch
new file mode 100644
index 0000000..00313db
--- /dev/null
+++ b/backport-CVE-2025-9086.patch
@@ -0,0 +1,56 @@
+From c6ae07c6a541e0e96d0040afb62b45dd37711300 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 11 Aug 2025 20:23:05 +0200
+Subject: [PATCH] cookie: don't treat the leading slash as trailing
+
+If there is only a leading slash in the path, keep that. Also add an
+assert to make sure the path is never blank.
+
+Reported-by: Google Big Sleep
+Closes #18266
+
+Conflict:context adapt
+delete comment change which not exist
+cookie_path => new_path
+Reference:https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb62b45dd37711300
+---
+ lib/cookie.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 914a4aca1..b72dd99bc 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -296,7 +296,7 @@ static char *sanitize_cookie_path(const char *cookie_path)
+   }
+ 
+   /* convert /hoge/ to /hoge */
+-  if(len && new_path[len - 1] == '/') {
++  if(len > 1 && new_path[len - 1] == '/') {
+     new_path[len - 1] = 0x0;
+   }
+ 
+@@ -965,7 +965,7 @@ replace_existing(struct Curl_easy *data,
+         if(clist->spath && co->spath) {
+           if(clist->secure && !co->secure && !secure) {
+             size_t cllen;
+-            const char *sep;
++            const char *sep = NULL;
+ 
+             /*
+              * A non-secure cookie may not overlay an existing secure cookie.
+@@ -974,8 +974,9 @@ replace_existing(struct Curl_easy *data,
+              * "/loginhelper" is ok.
+              */
+ 
+-            sep = strchr(clist->spath + 1, '/');
+-
++            DEBUGASSERT(clist->spath[0]);
++            if(clist->spath[0])
++              sep = strchr(clist->spath + 1, '/');
+             if(sep)
+               cllen = sep - clist->spath;
+             else
+-- 
+2.43.0
+
diff --git a/curl.spec b/curl.spec
index 66383d2..a534ca7 100644
--- a/curl.spec
+++ b/curl.spec
@@ -6,7 +6,7 @@
 
 Name:           curl
 Version:        7.79.1
-Release:        41
+Release:        42
 Summary:        Curl is used in command lines or scripts to transfer data
 License:        MIT
 URL:            https://curl.haxx.se/
@@ -121,6 +121,7 @@ Patch107:       backport-libssh-fix-freeing-of-resources-in-disconnect.patch
 Patch108:       backport-openssl-fix-crash-on-missing-cert-password.patch
 Patch109:       backport-curl_path-make-SFTP-handle-a-path-like-properly.patch
 Patch110:       backport-tool_getparam-clear-argument-only-when-needed.patch
+Patch111:       backport-CVE-2025-9086.patch
 
 BuildRequires:  automake brotli-devel coreutils gcc groff krb5-devel
 BuildRequires:  libidn2-devel libnghttp2-devel libpsl-devel
@@ -289,6 +290,12 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_mandir}/man3/*
 
 %changelog
+* Fri Sep 12 2025 zhouyihang <zhouyihang3@h-partners.com> - 7.79.1-42
+- Type:CVE
+- CVE:CVE-2025-9086
+- SUG:NA
+- DESC:fix CVE-2025-9086
+
 * Mon Aug 18 2025 zhouyihang <zhouyihang3@h-partners.com> - 7.79.1-41
 - Type:bugfix
 - CVE:NA
-- 
Gitee