fix CVE-2025-0167 CVE-2025-0725

(cherry picked from commit 3606e8000c460859267b7358f19919fd80b1ff3c)

backport-CVE-2025-0167.patch

@@ -0,0 +1,174 @@
+From 0e120c5b925e8ca75d5319e319e5ce4b8080d8eb Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 3 Jan 2025 16:22:27 +0100
+Subject: [PATCH] netrc: 'default' with no credentials is not a match
+
+Test 486 verifies.
+
+Reported-by: Yihang Zhou
+
+Closes #15908
+
+Conflict:context adapt
+Reference:https://github.com/curl/curl/commit/0e120c5b925e8ca75d5319e
+---
+ lib/netrc.c            |  19 ++++--
+ tests/data/Makefile.inc |   2 +-
+ tests/data/test486     | 105 +++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 118 insertions(+), 8 deletions(-)
+ create mode 100644 tests/data/test486
+
+diff --git a/lib/netrc.c b/lib/netrc.c
+index 7d2b903..8096b4b 100644
+--- a/lib/netrc.c
++++ b/lib/netrc.c
+@@ -200,13 +200,18 @@ static int parsenetrc(const char *host,
+     } /* while fgets() */
+
+     out:
+-    if(!retcode && !password && state_our_login) {
+-      /* success without a password, set a blank one */
+-      password = strdup("");
+-      if(!password)
+-        retcode = 1; /* out of memory */
+-      else
+-        password_alloc = TRUE;
++    if(!retcode) {
++      if(!password && state_our_login) {
++        /* success without a password, set a blank one */
++        password = strdup("");
++        if(!password)
++          retcode = 1; /* out of memory */
++        else
++          password_alloc = TRUE;
++      }
++      else if(!login && !password)
++        /* a default with no credentials */
++        retcode = NETRC_FILE_MISSING;
+     }
+     if(!retcode) {
+       /* success */
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 9ec101a7c74b..fc5e4cef5668 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -78,7 +78,7 @@ test426 \
+ test430 test431 test432 test433 test434 test435 test445 test446\
+ \
+ test442 test443 test444 \
+-test479 \
++test479 test486 \
+ test490 test491 test492 test493 test494 \
+ \
+ test500 test501 test502 test503 test504 test505 test506 test507 test508 \
+diff --git a/tests/data/test486 b/tests/data/test486
+new file mode 100644
+index 000000000000..53efae597a1b
+--- /dev/null
++++ b/tests/data/test486
+@@ -0,0 +1,105 @@
++<testcase>
++<info>
++<keywords>
++netrc
++HTTP
++</keywords>
++</info>
++#
++# Server-side
++<reply>
++<data crlf="yes">
++HTTP/1.1 301 Follow this you fool
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
++ETag: "21025-dc7-39462498"
++Accept-Ranges: bytes
++Content-Length: 6
++Connection: close
++Location: http://b.com/%TESTNUMBER0002
++
++-foo-
++</data>
++
++<data2 crlf="yes">
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
++ETag: "21025-dc7-39462498"
++Accept-Ranges: bytes
++Content-Length: 7
++Connection: close
++
++target
++</data2>
++
++<datacheck crlf="yes">
++HTTP/1.1 301 Follow this you fool
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
++ETag: "21025-dc7-39462498"
++Accept-Ranges: bytes
++Content-Length: 6
++Connection: close
++Location: http://b.com/%TESTNUMBER0002
++
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
++ETag: "21025-dc7-39462498"
++Accept-Ranges: bytes
++Content-Length: 7
++Connection: close
++
++target
++</datacheck>
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++http
++</server>
++<features>
++proxy
++</features>
++<name>
++.netrc with redirect and "default" with no password or login
++</name>
++<command>
++--netrc --netrc-file log/netrc%TESTNUMBER -L -x http://%HOSTIP:%HTTPPORT/ http://a.com/
++</command>
++<file name="log/netrc%TESTNUMBER" >
++
++machine a.com
++  login alice
++  password alicespassword
++
++default
++
++</file>
++</client>
++
++<verify>
++<protocol>
++GET http://a.com/ HTTP/1.1
++Host: a.com
++Authorization: Basic %b64[alice:alicespassword]b64%
++User-Agent: curl/%VERSION
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++GET http://b.com/%TESTNUMBER0002 HTTP/1.1
++Host: b.com
++User-Agent: curl/%VERSION
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++</protocol>
++</verify>
++</testcase>

backport-CVE-2025-0725.patch

@@ -0,0 +1,326 @@
+From 76f83f0db23846e254d940ec7fe141010077eb88 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 24 Jan 2025 11:13:24 +0100
+Subject: [PATCH] content_encoding: drop support for zlib before 1.2.0.4
+
+zlib 1.2.0.4 was released on 10 August 2003
+
+Closes #16079
+
+Conflict:context adapt
+Reference:https://github.com/curl/curl/commit/76f83f0db23846e254d940ec7
+---
+ docs/INTERNALS.md      |   2 +-
+ lib/content_encoding.c | 232 ++---------------------------------------
+ 2 files changed, 8 insertions(+), 226 deletions(-)
+
+diff --git a/docs/INTERNALS.md b/docs/INTERNALS.md
+index 176ca52..a5b0efb 100644
+--- a/docs/INTERNALS.md
++++ b/docs/INTERNALS.md
+@@ -86,7 +86,7 @@ Dependencies
+ 
+  - OpenSSL      0.9.7
+  - GnuTLS       3.1.10
+- - zlib         1.1.4
++ - zlib         1.2.0.4
+  - libssh2      1.0
+  - c-ares       1.16.0
+  - libidn2      2.0.0
+diff --git a/lib/content_encoding.c b/lib/content_encoding.c
+index c870df2..74f2e68 100644
+--- a/lib/content_encoding.c
++++ b/lib/content_encoding.c
+@@ -52,31 +52,13 @@
+ 
+ #define DSIZ CURL_MAX_WRITE_SIZE /* buffer size for decompressed data */
+ 
+-
+ #ifdef HAVE_LIBZ
+ 
+-/* Comment this out if zlib is always going to be at least ver. 1.2.0.4
+-   (doing so will reduce code size slightly). */
+-#define OLD_ZLIB_SUPPORT 1
+-
+-#define GZIP_MAGIC_0 0x1f
+-#define GZIP_MAGIC_1 0x8b
+-
+-/* gzip flag byte */
+-#define ASCII_FLAG   0x01 /* bit 0 set: file probably ascii text */
+-#define HEAD_CRC     0x02 /* bit 1 set: header CRC present */
+-#define EXTRA_FIELD  0x04 /* bit 2 set: extra field present */
+-#define ORIG_NAME    0x08 /* bit 3 set: original file name present */
+-#define COMMENT      0x10 /* bit 4 set: file comment present */
+-#define RESERVED     0xE0 /* bits 5..7: reserved */
+-
+ typedef enum {
+   ZLIB_UNINIT,               /* uninitialized */
+   ZLIB_INIT,                 /* initialized */
+   ZLIB_INFLATING,            /* inflating started. */
+   ZLIB_EXTERNAL_TRAILER,     /* reading external trailer */
+-  ZLIB_GZIP_HEADER,          /* reading gzip header */
+-  ZLIB_GZIP_INFLATING,       /* inflating gzip stream */
+   ZLIB_INIT_GZIP             /* initialized in transparent gzip mode */
+ } zlibInitState;
+ 
+@@ -120,9 +102,6 @@ static CURLcode
+ exit_zlib(struct Curl_easy *data,
+           z_stream *z, zlibInitState *zlib_init, CURLcode result)
+ {
+-  if(*zlib_init == ZLIB_GZIP_HEADER)
+-    Curl_safefree(z->next_in);
+-
+   if(*zlib_init != ZLIB_UNINIT) {
+     if(inflateEnd(z) != Z_OK && result == CURLE_OK)
+       result = process_zlib_error(data, z);
+@@ -171,8 +150,7 @@ static CURLcode inflate_stream(struct Curl_easy *data,
+   /* Check state. */
+   if(zp->zlib_init != ZLIB_INIT &&
+      zp->zlib_init != ZLIB_INFLATING &&
+-     zp->zlib_init != ZLIB_INIT_GZIP &&
+-     zp->zlib_init != ZLIB_GZIP_INFLATING)
++     zp->zlib_init != ZLIB_INIT_GZIP)
+     return exit_zlib(data, z, &zp->zlib_init, CURLE_WRITE_ERROR);
+ 
+   /* Dynamically allocate a buffer for decompression because it's uncommonly
+@@ -321,6 +299,7 @@ static CURLcode gzip_init_writer(struct Curl_easy *data,
+ {
+   struct zlib_params *zp = (struct zlib_params *) &writer->params;
+   z_stream *z = &zp->z;     /* zlib state structure */
++  const char *v = zlibVersion();
+ 
+   if(!writer->downstream)
+     return CURLE_WRITE_ERROR;
+@@ -329,109 +308,21 @@ static CURLcode gzip_init_writer(struct Curl_easy *data,
+   z->zalloc = (alloc_func) zalloc_cb;
+   z->zfree = (free_func) zfree_cb;
+ 
+-  if(strcmp(zlibVersion(), "1.2.0.4") >= 0) {
+-    /* zlib ver. >= 1.2.0.4 supports transparent gzip decompressing */
++  if(strcmp(v, "1.2.0.4") >= 0) {
++    /* zlib version >= 1.2.0.4 supports transparent gzip decompressing */
+     if(inflateInit2(z, MAX_WBITS + 32) != Z_OK) {
+       return process_zlib_error(data, z);
+     }
+     zp->zlib_init = ZLIB_INIT_GZIP; /* Transparent gzip decompress state */
+   }
+   else {
+-    /* we must parse the gzip header and trailer ourselves */
+-    if(inflateInit2(z, -MAX_WBITS) != Z_OK) {
+-      return process_zlib_error(data, z);
+-    }
+-    zp->trailerlen = 8; /* A CRC-32 and a 32-bit input size (RFC 1952, 2.2) */
+-    zp->zlib_init = ZLIB_INIT; /* Initial call state */
++    failf(data, "too old zlib version: %s", v);
++    return CURLE_FAILED_INIT;
+   }
+ 
+   return CURLE_OK;
+ }
+ 
+-#ifdef OLD_ZLIB_SUPPORT
+-/* Skip over the gzip header */
+-static enum {
+-  GZIP_OK,
+-  GZIP_BAD,
+-  GZIP_UNDERFLOW
+-} check_gzip_header(unsigned char const *data, ssize_t len, ssize_t *headerlen)
+-{
+-  int method, flags;
+-  const ssize_t totallen = len;
+-
+-  /* The shortest header is 10 bytes */
+-  if(len < 10)
+-    return GZIP_UNDERFLOW;
+-
+-  if((data[0] != GZIP_MAGIC_0) || (data[1] != GZIP_MAGIC_1))
+-    return GZIP_BAD;
+-
+-  method = data[2];
+-  flags = data[3];
+-
+-  if(method != Z_DEFLATED || (flags & RESERVED) != 0) {
+-    /* Can't handle this compression method or unknown flag */
+-    return GZIP_BAD;
+-  }
+-
+-  /* Skip over time, xflags, OS code and all previous bytes */
+-  len -= 10;
+-  data += 10;
+-
+-  if(flags & EXTRA_FIELD) {
+-    ssize_t extra_len;
+-
+-    if(len < 2)
+-      return GZIP_UNDERFLOW;
+-
+-    extra_len = (data[1] << 8) | data[0];
+-
+-    if(len < (extra_len + 2))
+-      return GZIP_UNDERFLOW;
+-
+-    len -= (extra_len + 2);
+-    data += (extra_len + 2);
+-  }
+-
+-  if(flags & ORIG_NAME) {
+-    /* Skip over NUL-terminated file name */
+-    while(len && *data) {
+-      --len;
+-      ++data;
+-    }
+-    if(!len || *data)
+-      return GZIP_UNDERFLOW;
+-
+-    /* Skip over the NUL */
+-    --len;
+-    ++data;
+-  }
+-
+-  if(flags & COMMENT) {
+-    /* Skip over NUL-terminated comment */
+-    while(len && *data) {
+-      --len;
+-      ++data;
+-    }
+-    if(!len || *data)
+-      return GZIP_UNDERFLOW;
+-
+-    /* Skip over the NUL */
+-    --len;
+-  }
+-
+-  if(flags & HEAD_CRC) {
+-    if(len < 2)
+-      return GZIP_UNDERFLOW;
+-
+-    len -= 2;
+-  }
+-
+-  *headerlen = totallen - len;
+-  return GZIP_OK;
+-}
+-#endif
+-
+ static CURLcode gzip_unencode_write(struct Curl_easy *data,
+                                     struct contenc_writer *writer,
+                                     const char *buf, size_t nbytes)
+@@ -447,117 +338,8 @@ static CURLcode gzip_unencode_write(struct Curl_easy *data,
+     return inflate_stream(data, writer, ZLIB_INIT_GZIP);
+   }
+ 
+-#ifndef OLD_ZLIB_SUPPORT
+-  /* Support for old zlib versions is compiled away and we are running with
+-     an old version, so return an error. */
++  /* We are running with an old version: return error. */
+   return exit_zlib(data, z, &zp->zlib_init, CURLE_WRITE_ERROR);
+-
+-#else
+-  /* This next mess is to get around the potential case where there isn't
+-   * enough data passed in to skip over the gzip header.  If that happens, we
+-   * malloc a block and copy what we have then wait for the next call.  If
+-   * there still isn't enough (this is definitely a worst-case scenario), we
+-   * make the block bigger, copy the next part in and keep waiting.
+-   *
+-   * This is only required with zlib versions < 1.2.0.4 as newer versions
+-   * can handle the gzip header themselves.
+-   */
+-
+-  switch(zp->zlib_init) {
+-  /* Skip over gzip header? */
+-  case ZLIB_INIT:
+-  {
+-    /* Initial call state */
+-    ssize_t hlen;
+-
+-    switch(check_gzip_header((unsigned char *) buf, nbytes, &hlen)) {
+-    case GZIP_OK:
+-      z->next_in = (Bytef *) buf + hlen;
+-      z->avail_in = (uInt) (nbytes - hlen);
+-      zp->zlib_init = ZLIB_GZIP_INFLATING; /* Inflating stream state */
+-      break;
+-
+-    case GZIP_UNDERFLOW:
+-      /* We need more data so we can find the end of the gzip header.  It's
+-       * possible that the memory block we malloc here will never be freed if
+-       * the transfer abruptly aborts after this point.  Since it's unlikely
+-       * that circumstances will be right for this code path to be followed in
+-       * the first place, and it's even more unlikely for a transfer to fail
+-       * immediately afterwards, it should seldom be a problem.
+-       */
+-      z->avail_in = (uInt) nbytes;
+-      z->next_in = malloc(z->avail_in);
+-      if(!z->next_in) {
+-        return exit_zlib(data, z, &zp->zlib_init, CURLE_OUT_OF_MEMORY);
+-      }
+-      memcpy(z->next_in, buf, z->avail_in);
+-      zp->zlib_init = ZLIB_GZIP_HEADER;  /* Need more gzip header data state */
+-      /* We don't have any data to inflate yet */
+-      return CURLE_OK;
+-
+-    case GZIP_BAD:
+-    default:
+-      return exit_zlib(data, z, &zp->zlib_init, process_zlib_error(data, z));
+-    }
+-
+-  }
+-  break;
+-
+-  case ZLIB_GZIP_HEADER:
+-  {
+-    /* Need more gzip header data state */
+-    ssize_t hlen;
+-    z->avail_in += (uInt) nbytes;
+-    z->next_in = Curl_saferealloc(z->next_in, z->avail_in);
+-    if(!z->next_in) {
+-      return exit_zlib(data, z, &zp->zlib_init, CURLE_OUT_OF_MEMORY);
+-    }
+-    /* Append the new block of data to the previous one */
+-    memcpy(z->next_in + z->avail_in - nbytes, buf, nbytes);
+-
+-    switch(check_gzip_header(z->next_in, z->avail_in, &hlen)) {
+-    case GZIP_OK:
+-      /* This is the zlib stream data */
+-      free(z->next_in);
+-      /* Don't point into the malloced block since we just freed it */
+-      z->next_in = (Bytef *) buf + hlen + nbytes - z->avail_in;
+-      z->avail_in = (uInt) (z->avail_in - hlen);
+-      zp->zlib_init = ZLIB_GZIP_INFLATING;   /* Inflating stream state */
+-      break;
+-
+-    case GZIP_UNDERFLOW:
+-      /* We still don't have any data to inflate! */
+-      return CURLE_OK;
+-
+-    case GZIP_BAD:
+-    default:
+-      return exit_zlib(data, z, &zp->zlib_init, process_zlib_error(data, z));
+-    }
+-
+-  }
+-  break;
+-
+-  case ZLIB_EXTERNAL_TRAILER:
+-    z->next_in = (Bytef *) buf;
+-    z->avail_in = (uInt) nbytes;
+-    return process_trailer(data, zp);
+-
+-  case ZLIB_GZIP_INFLATING:
+-  default:
+-    /* Inflating stream state */
+-    z->next_in = (Bytef *) buf;
+-    z->avail_in = (uInt) nbytes;
+-    break;
+-  }
+-
+-  if(z->avail_in == 0) {
+-    /* We don't have any data to inflate; wait until next time */
+-    return CURLE_OK;
+-  }
+-
+-  /* We've parsed the header, now uncompress the data */
+-  return inflate_stream(data, writer, ZLIB_GZIP_INFLATING);
+-#endif
+ }
+ 
+ static void gzip_close_writer(struct Curl_easy *data,

curl.spec

@@ -6,7 +6,7 @@
 
 Name:           curl
 Version:        7.79.1
-Release:        36
+Release:        37
 Summary:        Curl is used in command lines or scripts to transfer data
 License:        MIT
 URL:            https://curl.haxx.se/
@@ -111,6 +111,8 @@ Patch97:        backport-CVE-2024-9681.patch
 Patch98:        backport-multi-check-that-the-multi-handle-is-valid-in-curl_m.patch
 Patch99:        backport-cookie-treat-cookie-name-case-sensitively.patch
 Patch100:       backport-CVE-2024-11053.patch
+Patch101:       backport-CVE-2025-0167.patch
+Patch102:       backport-CVE-2025-0725.patch
 
 BuildRequires:  automake brotli-devel coreutils gcc groff krb5-devel
 BuildRequires:  libidn2-devel libnghttp2-devel libpsl-devel
@@ -279,6 +281,12 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_mandir}/man3/*
 
 %changelog
+* Sat Feb 08 2025 zhouyihang <zhouyihang3@h-partners.com> - 7.79.1-37
+- Type:CVE
+- CVE:CVE-2025-0167 CVE-2025-0725
+- SUG:NA
+- DESC:fix CVE-2025-0167 CVE-2025-0725
+
 * Fri Jan 03 2025 zhouyihang <zhouyihang3@h-partners.com> - 7.79.1-36
 - Type:CVE
 - CVE:CVE-2024-11053