[AutoPR- Security] Patch curl for CVE-2025-10148 [MEDIUM] (microsoft#14674)

Author: azurelinux-security

SPECS/curl/CVE-2025-10148.patch

@@ -0,0 +1,58 @@
+From e15280dfa9de549e64daf7336a0bd4c94e038bfe Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Sat, 13 Sep 2025 06:19:10 +0000
+Subject: [PATCH] ws: get a new mask for each new outgoing frame
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/curl/curl/commit/84db7a9eae8468c0445b15aa806fa.patch
+---
+ lib/ws.c | 26 ++++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+diff --git a/lib/ws.c b/lib/ws.c
+index 6ccf9e6..467af41 100644
+--- a/lib/ws.c
++++ b/lib/ws.c
+@@ -615,6 +615,23 @@ static ssize_t ws_enc_write_head(struct Curl_easy *data,
+   enc->payload_remain = enc->payload_len = payload_len;
+   ws_enc_info(enc, data, "sending");
+ 
++  /* 4 bytes random */
++  {
++    CURLcode result = Curl_rand(data, (unsigned char *)&enc->mask,
++                                sizeof(enc->mask));
++    if(result) {
++      *err = result;
++      return -1;
++    }
++  }
++
++#ifdef DEBUGBUILD
++  if(getenv("CURL_WS_FORCE_ZERO_MASK"))
++    /* force the bit mask to 0x00000000, effectively disabling masking */
++    memset(&enc->mask, 0, sizeof(enc->mask));
++#endif
++
++
+   /* add 4 bytes mask */
+   memcpy(&head[hlen], &enc->mask, 4);
+   hlen += 4;
+@@ -805,14 +822,7 @@ CURLcode Curl_ws_accept(struct Curl_easy *data,
+      subprotocol not requested by the client), the client MUST Fail
+      the WebSocket Connection. */
+ 
+-  /* 4 bytes random */
+-
+-  result = Curl_rand(data, (unsigned char *)&ws->enc.mask,
+-                     sizeof(ws->enc.mask));
+-  if(result)
+-    return result;
+-  infof(data, "Received 101, switch to WebSocket; mask %02x%02x%02x%02x",
+-        ws->enc.mask[0], ws->enc.mask[1], ws->enc.mask[2], ws->enc.mask[3]);
++  infof(data, "[WS] Received 101, switch to WebSocket");
+ 
+   /* Install our client writer that decodes WS frames payload */
+   result = Curl_cwriter_create(&ws_dec_writer, data, &ws_cw_decode,
+-- 
+2.45.4
+

SPECS/curl/curl.spec

@@ -1,7 +1,7 @@
 Summary:        An URL retrieval utility and library
 Name:           curl
 Version:        8.8.0
-Release:        6%{?dist}
+Release:        7%{?dist}
 License:        curl
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -13,6 +13,7 @@ Patch1:         CVE-2024-8096.patch
 Patch2:         CVE-2024-11053.patch
 Patch3:         CVE-2024-9681.patch
 Patch4:         CVE-2025-0167.patch
+Patch5:         CVE-2025-10148.patch
 BuildRequires:  krb5-devel
 BuildRequires:  libssh2-devel
 BuildRequires:  nghttp2-devel
@@ -90,6 +91,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %{_libdir}/libcurl.so.*
 
 %changelog
+* Sat Sep 13 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 8.8.0-7
+- Patch for CVE-2025-10148
+
 * Fri Mar 28 2025 Sreeniavsulu Malavathula <v-smalavathu@microsoft.com> - 8.8.0-6
 - Fix CVE-2025-0167 with an upstream patch
 

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -190,9 +190,9 @@ libssh2-1.9.0-4.cm2.aarch64.rpm
 libssh2-devel-1.9.0-4.cm2.aarch64.rpm
 krb5-1.19.4-4.cm2.aarch64.rpm
 nghttp2-1.57.0-2.cm2.aarch64.rpm
-curl-8.8.0-6.cm2.aarch64.rpm
-curl-devel-8.8.0-6.cm2.aarch64.rpm
-curl-libs-8.8.0-6.cm2.aarch64.rpm
+curl-8.8.0-7.cm2.aarch64.rpm
+curl-devel-8.8.0-7.cm2.aarch64.rpm
+curl-libs-8.8.0-7.cm2.aarch64.rpm
 createrepo_c-0.17.5-1.cm2.aarch64.rpm
 libxml2-2.10.4-8.cm2.aarch64.rpm
 libxml2-devel-2.10.4-8.cm2.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -190,9 +190,9 @@ libssh2-1.9.0-4.cm2.x86_64.rpm
 libssh2-devel-1.9.0-4.cm2.x86_64.rpm
 krb5-1.19.4-4.cm2.x86_64.rpm
 nghttp2-1.57.0-2.cm2.x86_64.rpm
-curl-8.8.0-6.cm2.x86_64.rpm
-curl-devel-8.8.0-6.cm2.x86_64.rpm
-curl-libs-8.8.0-6.cm2.x86_64.rpm
+curl-8.8.0-7.cm2.x86_64.rpm
+curl-devel-8.8.0-7.cm2.x86_64.rpm
+curl-libs-8.8.0-7.cm2.x86_64.rpm
 createrepo_c-0.17.5-1.cm2.x86_64.rpm
 libxml2-2.10.4-8.cm2.x86_64.rpm
 libxml2-devel-2.10.4-8.cm2.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -46,10 +46,10 @@ cracklib-lang-2.9.7-5.cm2.aarch64.rpm
 createrepo_c-0.17.5-1.cm2.aarch64.rpm
 createrepo_c-debuginfo-0.17.5-1.cm2.aarch64.rpm
 createrepo_c-devel-0.17.5-1.cm2.aarch64.rpm
-curl-8.8.0-6.cm2.aarch64.rpm
-curl-debuginfo-8.8.0-6.cm2.aarch64.rpm
-curl-devel-8.8.0-6.cm2.aarch64.rpm
-curl-libs-8.8.0-6.cm2.aarch64.rpm
+curl-8.8.0-7.cm2.aarch64.rpm
+curl-debuginfo-8.8.0-7.cm2.aarch64.rpm
+curl-devel-8.8.0-7.cm2.aarch64.rpm
+curl-libs-8.8.0-7.cm2.aarch64.rpm
 Cython-debuginfo-0.29.33-2.cm2.aarch64.rpm
 debugedit-5.0-2.cm2.aarch64.rpm
 debugedit-debuginfo-5.0-2.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -49,10 +49,10 @@ createrepo_c-debuginfo-0.17.5-1.cm2.x86_64.rpm
 createrepo_c-devel-0.17.5-1.cm2.x86_64.rpm
 cross-binutils-common-2.37-17.cm2.noarch.rpm
 cross-gcc-common-11.2.0-8.cm2.noarch.rpm
-curl-8.8.0-6.cm2.x86_64.rpm
-curl-debuginfo-8.8.0-6.cm2.x86_64.rpm
-curl-devel-8.8.0-6.cm2.x86_64.rpm
-curl-libs-8.8.0-6.cm2.x86_64.rpm
+curl-8.8.0-7.cm2.x86_64.rpm
+curl-debuginfo-8.8.0-7.cm2.x86_64.rpm
+curl-devel-8.8.0-7.cm2.x86_64.rpm
+curl-libs-8.8.0-7.cm2.x86_64.rpm
 Cython-debuginfo-0.29.33-2.cm2.x86_64.rpm
 debugedit-5.0-2.cm2.x86_64.rpm
 debugedit-debuginfo-5.0-2.cm2.x86_64.rpm