[MEDIUM] patch cmake for CVE-2025-4947.patch

Author: durgajagadeesh

SPECS/cmake/CVE-2025-4947.patch

@@ -0,0 +1,40 @@
+From f0b4659205da774d835434cfbf40425c25a0c813 Mon Sep 17 00:00:00 2001
+From: dj_palli <v-dpalli@microsoft.com>
+Date: Wed, 4 Jun 2025 03:37:55 +0000
+Subject: [PATCH] Address  CVE-2025-4947.patch
+
+Upstream patch URL: https://github.com/curl/curl/commit/a85f1df4803bbd272905c9e7125
+
+---
+ Utilities/cmcurl/lib/vquic/vquic-tls.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/Utilities/cmcurl/lib/vquic/vquic-tls.c b/Utilities/cmcurl/lib/vquic/vquic-tls.c
+index aca18b45..61cb6c51 100644
+--- a/Utilities/cmcurl/lib/vquic/vquic-tls.c
++++ b/Utilities/cmcurl/lib/vquic/vquic-tls.c
+@@ -324,15 +324,13 @@ CURLcode Curl_vquic_tls_verify_peer(struct curl_tls_ctx *ctx,
+ #elif defined(USE_WOLFSSL)
+   (void)data;
+   if(conn_config->verifyhost) {
+-    if(peer->sni) {
+-      WOLFSSL_X509* cert = wolfSSL_get_peer_certificate(ctx->ssl);
+-      if(wolfSSL_X509_check_host(cert, peer->sni, strlen(peer->sni), 0, NULL)
+-            == WOLFSSL_FAILURE) {
+-        result = CURLE_PEER_FAILED_VERIFICATION;
+-      }
+-      wolfSSL_X509_free(cert);
++    char *snihost = peer->sni ? peer->sni : peer->hostname;
++    WOLFSSL_X509* cert = wolfSSL_get_peer_certificate(ctx->wssl.ssl);
++    if(wolfSSL_X509_check_host(cert, snihost, strlen(snihost), 0, NULL)
++          == WOLFSSL_FAILURE) {
++      result = CURLE_PEER_FAILED_VERIFICATION;
+     }
+-
++    wolfSSL_X509_free(cert);
+   }
+ #endif
+   return result;
+-- 
+2.45.2
+

SPECS/cmake/CVE-2025-5025.patch

@@ -0,0 +1,29 @@
+From ec29fc8cabaae710f1b245ac3d1574338cb3af11 Mon Sep 17 00:00:00 2001
+From: dj_palli <v-dpalli@microsoft.com>
+Date: Wed, 4 Jun 2025 09:40:58 +0000
+Subject: [PATCH] Address CVE-2025-5025
+
+Upstream patch URL: https://github.com/curl/curl/commit/e1f65937a96a451292e92313396#diff-309f36382abf06bac78e6a359c639da0cde7bea7b3a00aaff0000103d6695c0c
+
+---
+ Utilities/cmcurl/lib/vquic/vquic-tls.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/Utilities/cmcurl/lib/vquic/vquic-tls.c b/Utilities/cmcurl/lib/vquic/vquic-tls.c
+index 61cb6c51..aed9b953 100644
+--- a/Utilities/cmcurl/lib/vquic/vquic-tls.c
++++ b/Utilities/cmcurl/lib/vquic/vquic-tls.c
+@@ -331,7 +331,10 @@ CURLcode Curl_vquic_tls_verify_peer(struct curl_tls_ctx *ctx,
+       result = CURLE_PEER_FAILED_VERIFICATION;
+     }
+     wolfSSL_X509_free(cert);
++
+   }
++  if(!result)
++    result = Curl_wssl_verify_pinned(cf, data, &ctx->wssl);
+ #endif
+   return result;
+ }
+-- 
+2.45.2
+

SPECS/cmake/cmake.spec

@@ -2,7 +2,7 @@
 Summary:        Cmake
 Name:           cmake
 Version:        3.30.3
-Release:        6%{?dist}
+Release:        7%{?dist}
 License:        BSD AND LGPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -26,6 +26,10 @@ Patch7:         CVE-2023-44487.patch
 # required to determine what upstream patches are included.
 Patch8:         CVE-2023-35945.patch
 Patch9:		CVE-2024-48615.patch
+Patch10:	CVE-2025-4947.patch
+
+
+
 BuildRequires:  bzip2
 BuildRequires:  bzip2-devel
 BuildRequires:  curl
@@ -105,6 +109,9 @@ bin/ctest --force-new-ctest-process --rerun-failed --output-on-failure
 %{_libdir}/rpm/macros.d/macros.cmake
 
 %changelog
+* Wed Jun 03 2025 Durga Jagadeesh Palli <v-dpalli@microsoft.com> - 3.30.3-7
+- Patch CVE-2025-4947
+
 * Mon Apr 07 2025 Kavya Sree Kaitepalli <kkaitepalli@microsoft.com> - 3.30.3-6
 - Backport patch to fix CVE-2024-48615