external/curl/0001-cookie-don-t-treat-the-leading-slash-as-trailing.patch |   
54 ++++++++
 external/curl/0001-ws-get-a-new-mask-for-each-new-outgoing-frame.patch    |   
61 ++++++++++
 external/curl/UnpackedTarball_curl.mk                                     |    
2 
 3 files changed, 117 insertions(+)

New commits:
commit 03a4361a7685ba2e104704c92ab09cc1b9cc648e
Author:     Xisco Fauli <xiscofa...@libreoffice.org>
AuthorDate: Wed Sep 10 12:22:44 2025 +0200
Commit:     Christian Lohmaier <lohmaier+libreoff...@googlemail.com>
CommitDate: Wed Sep 17 18:52:44 2025 +0200

    curl: patch CVE-2025-9086 and CVE-2025-10148
    
    More info in https://curl.se/docs/CVE-2025-9086.html
    and https://curl.se/docs/CVE-2025-10148.html
    
    Change-Id: Ib4993a00efdabf0baa3fe0e25c66d850f370572a
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/190741
    Tested-by: Jenkins
    Reviewed-by: Xisco Fauli <xiscofa...@libreoffice.org>
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/190751
    Reviewed-by: Christian Lohmaier <lohmaier+libreoff...@googlemail.com>

diff --git a/external/curl/0001-cookie-don-t-treat-the-leading-slash-as-trailing.patch b/external/curl/0001-cookie-don-t-treat-the-leading-slash-as-trailing.patch
new file mode 100644
index 000000000000..45fba1f8af4e
--- /dev/null
+++ b/external/curl/0001-cookie-don-t-treat-the-leading-slash-as-trailing.patch
@@ -0,0 +1,54 @@
+From c6ae07c6a541e0e96d0040afb62b45dd37711300 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <dan...@haxx.se>
+Date: Mon, 11 Aug 2025 20:23:05 +0200
+Subject: [PATCH] cookie: don't treat the leading slash as trailing
+
+If there is only a leading slash in the path, keep that. Also add an
+assert to make sure the path is never blank.
+
+Reported-by: Google Big Sleep
+Closes #18266
+---
+ lib/cookie.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 914a4aca1..b72dd99bc 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -296,9 +296,9 @@ static char *sanitize_cookie_path(const char *cookie_path)
+     /* Let cookie-path be the default-path. */
+     return strdup("/");
+ 
+-  /* remove trailing slash */
++  /* remove trailing slash when path is non-empty */
+   /* convert /hoge/ to /hoge */
+-  if(len && cookie_path[len - 1] == '/')
++  if(len > 1 && cookie_path[len - 1] == '/')
+     len--;
+ 
+   return Curl_memdup0(cookie_path, len);
+@@ -965,7 +965,7 @@ replace_existing(struct Curl_easy *data,
+          clist->spath && co->spath && /* both have paths */
+          clist->secure && !co->secure && !secure) {
+         size_t cllen;
+-        const char *sep;
++        const char *sep = NULL;
+ 
+         /*
+          * A non-secure cookie may not overlay an existing secure cookie.
+@@ -974,8 +974,9 @@ replace_existing(struct Curl_easy *data,
+          * "/loginhelper" is ok.
+          */
+ 
+-        sep = strchr(clist->spath + 1, '/');
+-
++        DEBUGASSERT(clist->spath[0]);
++        if(clist->spath[0])
++          sep = strchr(clist->spath + 1, '/');
+         if(sep)
+           cllen = sep - clist->spath;
+         else
+-- 
+2.39.5
+
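Review bot: The new comment in sanitize_cookie_path says the trailing slash is removed "when path is non-empty", but the condition is `len > 1`, so a path that is exactly "/" is kept as is. That is the invariant the replace_existing hunk depends on when it reads `clist->spath + 1`, so the comment should state it, for example `/* remove a trailing slash, but never the leading one: "/" stays "/" */`. The start of sanitize_cookie_path is outside the hunk, so how `len` is computed cannot be checked here.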
diff --git a/external/curl/0001-ws-get-a-new-mask-for-each-new-outgoing-frame.patch b/external/curl/0001-ws-get-a-new-mask-for-each-new-outgoing-frame.patch
new file mode 100644
index 000000000000..99f497d26726
--- /dev/null
+++ b/external/curl/0001-ws-get-a-new-mask-for-each-new-outgoing-frame.patch
@@ -0,0 +1,61 @@
+From 84db7a9eae8468c0445b15aa806fa7fa806fa0f2 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <dan...@haxx.se>
+Date: Mon, 8 Sep 2025 14:14:15 +0200
+Subject: [PATCH] ws: get a new mask for each new outgoing frame
+
+Reported-by: Calvin Ruocco
+Closes #18496
+---
+ lib/ws.c | 28 +++++++++++++---------------
+ 1 file changed, 13 insertions(+), 15 deletions(-)
+
+diff --git a/lib/ws.c b/lib/ws.c
+index e973409b6..3b6542816 100644
+--- a/lib/ws.c
++++ b/lib/ws.c
+@@ -875,6 +875,19 @@ static CURLcode ws_enc_add_frame(struct Curl_easy *data,
+   enc->payload_remain = enc->payload_len = payload_len;
+   ws_enc_info(enc, data, "sending");
+ 
++  /* 4 bytes random */
++
++  CURLcode result =
++    Curl_rand(data, (unsigned char *)&enc->mask, sizeof(enc->mask));
++  if(result)
++    return result;
++
++#ifdef DEBUGBUILD
++  if(getenv("CURL_WS_FORCE_ZERO_MASK"))
++    /* force the bit mask to 0x00000000, effectively disabling masking */
++    memset(&enc->mask, 0, sizeof(enc->mask));
++#endif
++
+   /* add 4 bytes mask */
+   memcpy(&head[hlen], &enc->mask, 4);
+   hlen += 4;
+@@ -1335,21 +1347,7 @@ CURLcode Curl_ws_accept(struct Curl_easy *data,
+      subprotocol not requested by the client), the client MUST Fail
+      the WebSocket Connection. */
+ 
+-  /* 4 bytes random */
+-
+-  result = Curl_rand(data, (unsigned char *)&ws->enc.mask,
+-                     sizeof(ws->enc.mask));
+-  if(result)
+-    return result;
+-
+-#ifdef DEBUGBUILD
+-  if(getenv("CURL_WS_FORCE_ZERO_MASK"))
+-    /* force the bit mask to 0x00000000, effectively disabling masking */
+-    memset(ws->enc.mask, 0, sizeof(ws->enc.mask));
+-#endif
+-
+-  infof(data, "[WS] Received 101, switch to WebSocket; mask %02x%02x%02x%02x",
+-        ws->enc.mask[0], ws->enc.mask[1], ws->enc.mask[2], ws->enc.mask[3]);
++  infof(data, "[WS] Received 101, switch to WebSocket");
+ 
+   /* Install our client writer that decodes WS frames payload */
+   result = Curl_cwriter_create(&ws_dec_writer, data, &ws_cw_decode,
+-- 
+2.39.5
+
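Review bot: `CURLcode result =` in the first lib/ws.c hunk is declared after the `enc->payload_remain` assignment and the `ws_enc_info()` call, so it sits mid-block in ws_enc_add_frame; a compiler in C89 mode, or one treating `-Wdeclaration-after-statement` as an error, would reject it. The embedded diffstat says 13 insertions while the two hunks add 14 lines, which suggests this line was hand-adapted for the bundled curl version. Declaring `CURLcode result;` with the function's other locals and keeping `result = Curl_rand(data, (unsigned char *)&enc->mask, sizeof(enc->mask));` at this point would avoid the problem. The start of ws_enc_add_frame is outside the hunk, so whether a `result` variable already exists there cannot be seen.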
diff --git a/external/curl/UnpackedTarball_curl.mk b/external/curl/UnpackedTarball_curl.mk
index 53b32969cb14..d91969327808 100644
--- a/external/curl/UnpackedTarball_curl.mk
+++ b/external/curl/UnpackedTarball_curl.mk
@@ -23,6 +23,8 @@ $(eval $(call gb_UnpackedTarball_add_patches,curl,\
        external/curl/curl-msvc-disable-protocols.patch.1 \
        external/curl/zlib.patch.0 \
        external/curl/configurable-z-option.patch.0 \
+       external/curl/0001-cookie-don-t-treat-the-leading-slash-as-trailing.patch \
+       external/curl/0001-ws-get-a-new-mask-for-each-new-outgoing-frame.patch \
 ))
 
 ifeq ($(OS)-$(COM_IS_CLANG),WNT-TRUE)
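Review bot: The two added entries are the only ones in the visible part of this list without a numeric suffix (the context lines end in `.patch.1` and `.patch.0`), so the strip level they are applied with cannot be read from the list. Both patch files use `a/lib/...` and `b/lib/...` paths, which need one leading component stripped. If the suffix is what selects the level in the build system (not visible here, please confirm), naming them `...-as-trailing.patch.1` and `...-outgoing-frame.patch.1` would make that explicit and consistent with the neighbouring entries. The list begins above the hunk.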
