From b4a9df6d91578389e1bb84728c1a8a3793fb660e Mon Sep 17 00:00:00 2001
From: jykanase
Date: Fri, 31 Jan 2025 01:16:10 +0530
Subject: [PATCH] [Medium] patch mysql to fix CVE-2024-9681 (#12146)
Co-authored-by: jslobodzian
---
 SPECS/mysql/CVE-2024-9681.patch | 64 +++++++++++++++++++++
 SPECS/mysql/mysql.spec | 6 +-
 SPECS/python-twisted/CVE-2023-46137.patch | 68 +++++++++++++++++++++++
 SPECS/python-twisted/python-twisted.spec | 6 +-
 4 files changed, 142 insertions(+), 2 deletions(-)
 create mode 100644 SPECS/mysql/CVE-2024-9681.patch
 create mode 100644 SPECS/python-twisted/CVE-2023-46137.patch
diff --git a/SPECS/mysql/CVE-2024-9681.patch b/SPECS/mysql/CVE-2024-9681.patch
new file mode 100644
index 00000000000..28c8d4fc5a6
--- /dev/null
+++ b/SPECS/mysql/CVE-2024-9681.patch
@@ -0,0 +1,64 @@
+From 2f9a68a817e71e9ec40a2fc17269eb9367aa520a Mon Sep 17 00:00:00 2001
+From: jykanase
+Date: Sun, 26 Jan 2025 14:06:42 +0000
+Subject: [PATCH] CVE-2024-9681
+
+Backported form: https://github.com/curl/curl/commit/a94973805df96269bf
+---
+ extra/curl/curl-8.9.1/lib/hsts.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/extra/curl/curl-8.9.1/lib/hsts.c b/extra/curl/curl-8.9.1/lib/hsts.c
+index 8cd77ae3..6e2599b1 100644
+--- a/extra/curl/curl-8.9.1/lib/hsts.c
++++ b/extra/curl/curl-8.9.1/lib/hsts.c
+@@ -249,12 +249,14 @@ CURLcode Curl_hsts_parse(struct hsts *h, const char *hostname,
+ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
+ bool subdomain)
+ {
++ struct stsentry *bestsub = NULL;
+ if(h) {
+ char buffer[MAX_HSTS_HOSTLEN + 1];
+ time_t now = time(NULL);
+ size_t hlen = strlen(hostname);
+ struct Curl_llist_element *e;
+ struct Curl_llist_element *n;
++ size_t blen = 0;
+
+ if((hlen > MAX_HSTS_HOSTLEN) || !hlen)
+ return NULL;
+@@ -279,15 +281,19 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
+ if(ntail < hlen) {
+ size_t offs = hlen - ntail;
+ if((hostname[offs-1] == '.') &&
+- strncasecompare(&hostname[offs], sts->host, ntail))
+- return sts;
++ strncasecompare(&hostname[offs], sts->host, ntail) &&
++ (ntail > blen)) {
++ /* save the tail match with the longest tail */
++ bestsub = sts;
++ blen = ntail;
++ }
+ }
+ }
+ if(strcasecompare(hostname, sts->host))
+ return sts;
+ }
+ }
+- return NULL; /* no match */
++ return bestsub;
+ }
+
+ /*
+@@ -439,7 +445,7 @@ static CURLcode hsts_add(struct hsts *h, char *line)
+ e = Curl_hsts(h, p, subdomain);
+ if(!e)
+ result = hsts_create(h, p, subdomain, expires);
+- else {
++ else if(strcasecompare(p, e->host)) {
+ /* the same hostname, use the largest expire time */
+ if(expires > e->expires)
+ e->expires = expires;
+--
+2.45.2
+
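Review bot: In the `hsts_add` hunk of the embedded patch, the new `else if(strcasecompare(p, e->host))` has no branch for the case where `Curl_hsts()` returns an entry for a different host (a tail match on a parent domain), so such a cache line is neither stored nor merged, and nothing on the page says this is intended. That appears to follow the upstream fix the header links to, so I would keep the code as is and record the behaviour where the patch is carried, for example a spec comment such as `# CVE-2024-9681: a subdomain's HSTS entry no longer updates the parent's expiry; only an exact host match does`. The header line `Backported form:` should read `Backported from:`, and the full commit id would be easier to audit than the abbreviated one. `hsts_add` and the loop in `Curl_hsts` both continue outside the lines shown, so the handling of expired entries could not be checked here.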
diff --git a/SPECS/mysql/mysql.spec b/SPECS/mysql/mysql.spec
index edeb96232ef..d396b739c1e 100644
--- a/SPECS/mysql/mysql.spec
+++ b/SPECS/mysql/mysql.spec
@@ -1,7 +1,7 @@
 Summary: MySQL.
 Name: mysql
 Version: 8.0.40
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2 with exceptions AND LGPLv2 AND BSD
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -15,6 +15,7 @@ Patch1: CVE-2024-2410.patch
 # AZL's OpenSSL builds with the "no-chacha" option making all ChaCha
 # ciphers unavailable.
 Patch2: fix-tests-for-unsupported-chacha-ciphers.patch
+Patch3: CVE-2024-9681.patch
 BuildRequires: cmake
 BuildRequires: libtirpc-devel
 BuildRequires: openssl-devel
@@ -114,6 +115,9 @@ fi
 %{_libdir}/pkgconfig/mysqlclient.pc
 %changelog
+* Thu Jan 30 2025 Jyoti Kanase - 8.0.40-3
+- Fix CVE-2024-9681
+
 * Tue Oct 29 2024 Pawel Winogrodzki - 8.0.40-2
 - Patched CVE-2024-2410.
diff --git a/SPECS/python-twisted/CVE-2023-46137.patch b/SPECS/python-twisted/CVE-2023-46137.patch
new file mode 100644
index 00000000000..f6008542b4d
--- /dev/null
+++ b/SPECS/python-twisted/CVE-2023-46137.patch
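Review bot: `Patch3: CVE-2024-9681.patch` is declared in the second mysql.spec hunk, but `%prep` is outside the hunk, so it is not visible whether the patch is actually applied; if the spec applies patches one by one rather than through `%autosetup`, a matching `%patch3 -p1` is needed or the release bump ships without the fix. The same check applies to the `Patch3: CVE-2023-46137.patch` hunk in python-twisted.spec. Because the mysql patch only touches `extra/curl/curl-8.9.1/lib/hsts.c`, I would also add a comment above the tag, e.g. `# Patches the bundled curl (extra/curl/curl-8.9.1); remove once the bundled copy contains the upstream fix`, and confirm that the build links the bundled copy rather than a system libcurl.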
@@ -0,0 +1,68 @@
+From 0996d783f844e08fd5713ca34192e87d1fec3b77 Mon Sep 17 00:00:00 2001
+From: jykanase
+Date: Mon, 3 Feb 2025 09:29:32 +0000
+Subject: [PATCH] CVE-2023-46137
+
+---
+ src/twisted/web/http.py | 32 +++++++++++++++++++++++++++-----
+ 1 file changed, 27 insertions(+), 5 deletions(-)
+
+diff --git a/src/twisted/web/http.py b/src/twisted/web/http.py
+index b80a55a..23f8817 100644
+--- a/src/twisted/web/http.py
++++ b/src/twisted/web/http.py
+@@ -2443,14 +2443,38 @@ class HTTPChannel(basic.LineReceiver, policies.TimeoutMixin):
+
+ self._handlingRequest = True
+
++ # We go into raw mode here even though we will be receiving lines next
++ # in the protocol; however, this data will be buffered and then passed
++ # back to line mode in the setLineMode call in requestDone.
++ self.setRawMode()
++
+ req = self.requests[-1]
+ req.requestReceived(command, path, version)
+
+- def dataReceived(self, data):
++ def rawDataReceived(self, data: bytes) -> None:
+ """
+- Data was received from the network. Process it.
++ This is called when this HTTP/1.1 parser is in raw mode rather than
++ line mode.
++
++ It may be in raw mode for one of two reasons:
++
++ 1. All the headers of a request have been received and this
++ L{HTTPChannel} is currently receiving its body.
++
++ 2. The full content of a request has been received and is currently
++ being processed asynchronously, and this L{HTTPChannel} is
++ buffering the data of all subsequent requests to be parsed
++ later.
++
++ In the second state, the data will be played back later.
++
++ @note: This isn't really a public API, and should be invoked only by
++ L{LineReceiver}'s line parsing logic. If you wish to drive an
++ L{HTTPChannel} from a custom data source, call C{dataReceived} on
++ it directly.
++
++ @see: L{LineReceive.rawDataReceived}
+ """
+- # If we're currently handling a request, buffer this data.
+ if self._handlingRequest:
+ self._dataBuffer.append(data)
+ if (
+@@ -2462,9 +2486,7 @@ class HTTPChannel(basic.LineReceiver, policies.TimeoutMixin):
+ # ready. See docstring for _optimisticEagerReadSize above.
+ self._networkProducer.pauseProducing()
+ return
+- return basic.LineReceiver.dataReceived(self, data)
+
+- def rawDataReceived(self, data):
+ self.resetTimeout()
+
+ try:
+--
+2.45.2
+
diff --git a/SPECS/python-twisted/python-twisted.spec b/SPECS/python-twisted/python-twisted.spec
index 7c9fb8f0d07..bae9c18e89d 100644
--- a/SPECS/python-twisted/python-twisted.spec
+++ b/SPECS/python-twisted/python-twisted.spec
@@ -2,7 +2,7 @@
 Summary: An asynchronous networking framework written in Python
 Name: python-twisted
 Version: 22.10.0
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: MIT
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -15,6 +15,7 @@ Patch0: disable_multicast_test.patch
 Patch1: CVE-2024-41671.patch
 # Patch2 is required for both CVE-2024-41671 and CVE-2024-41810
 Patch2: CVE-2024-41810.patch
+Patch3: CVE-2023-46137.patch
 BuildRequires: python3-devel
 BuildRequires: python3-incremental
@@ -101,6 +102,9 @@ LANG=en_US.UTF-8 sudo -u test /home/test/.local/bin/tox -e nocov-posix-alldeps
 %{_bindir}/cftp3
 %changelog
+* Mon Feb 03 2025 Jyoti Kanase - 22.10.0-4
+- Fix CVE-2023-46137
+
 * Thu Aug 01 2024 Sindhu Karri - 22.10.0-3
 - Fix CVE-2024-41671 and CVE-2024-41810 with a patch
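Review bot: The embedded twisted patch changes only `src/twisted/web/http.py` and, unlike the mysql patch in this commit, its header names no upstream commit, so there is nothing to compare the backport against and no regression test for the pipelined-request case is added for `%check` to run. I would add a header line such as `Backported from: <upstream commit URL>` and carry the upstream test changes if the fix came with any. The buffering branch now at the top of `rawDataReceived` relies on `requestDone` replaying `_dataBuffer` through `setLineMode`, which is outside the hunk; that is worth confirming against the 22.10.0 sources, since the `dataReceived` override that used to do the buffering is removed. The docstring's `L{LineReceive.rawDataReceived}` looks like a typo for `LineReceiver`.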