See https://curl.se/mail/distros-2025-11/0000.html. This also fixes a CVE in wcurl. Bug: https://bugs.gentoo.org/966140 Signed-off-by: Sam James <sam@gentoo.org>
https://bugs.gentoo.org/966140
https://github.com/curl/wcurl/commit/65546bae0164a97d89d42176e366d9c7c7796261
From 65546bae0164a97d89d42176e366d9c7c7796261 Mon Sep 17 00:00:00 2001
From: Xi Ruoyao <xry111@xry111.site>
Date: Sun, 9 Nov 2025 14:30:34 +0800
Subject: [PATCH] wcurl: Really fix CVE-2025-11563
When we pass a string to is_safe_percent_encode, it always begins with
"%'. But the lookup table UNSAFE_PERCENT_ENCODE does not contain "%" so
nothing can be matched.
Also update the test suite to fix the false positive.
Signed-off-by: Xi Ruoyao <xry111@xry111.site>
--- a/scripts/wcurl
+++ b/scripts/wcurl
@@ -118,7 +118,7 @@ readonly PER_URL_PARAMETERS="\
# characters.
# 2F = /
# 5C = \
-readonly UNSAFE_PERCENT_ENCODE="2F 5C"
+readonly UNSAFE_PERCENT_ENCODE="%2F %5C"
# Whether to invoke curl or not.
DRY_RUN="false"
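Review bot: The corrected table `readonly UNSAFE_PERCENT_ENCODE="%2F %5C"` lists only the upper-case hex spellings, while RFC 3986 treats `%2f` and `%5c` as the same octets as `%2F` and `%5C`; whether is_safe_percent_encode matches the lower-case forms depends on how it compares, and its body is outside this hunk. If that lookup is a case-sensitive string match, the lower-case spellings would still not be rejected, so the candidate should be normalised to upper case before the lookup or the table should also carry `%2f %5c`. The two comment lines directly above the assignment, `# 2F = /` and `# 5C = \`, could be updated to `# %2F = /` and `# %5C = \` so they describe the entries exactly as they are now written, which would have made the original mismatch between comment and value easier to spot.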