[Medium] Patch cmake for CVE-2026-4873, CVE-2026-6276, CVE-2026-6253, CVE-2026-6429, CVE-2026-5545#17430

Open

jykanase wants to merge 2 commits into microsoft:3.0-dev from Kanishk-Bansal:topic_cmake-CVE-3.0

Conversation


@jykanase jykanase commented May 25, 2026

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

Patch cmake for CVE-2026-4873, CVE-2026-6276, CVE-2026-6253, CVE-2026-6429, CVE-2026-5545
Backported Patch: yes
Patch reference:

  1. https://launchpadlibrarian.net/859770351/curl_8.14.1-2ubuntu1.2_8.14.1-2ubuntu1.3.diff.gz
  2. https://launchpadlibrarian.net/859770355/curl_8.5.0-2ubuntu10.8_8.5.0-2ubuntu10.9.diff.gz
Change Log
Does this affect the toolchain?

YES

Associated issues
  • #xxxx
Links to CVEs
Test Methodology
  • Local Build
Screenshot 2026-05-25 124142
  • patch application during build
Screenshot 2026-05-25 121801

@jykanase jykanase requested a review from a team as a code owner May 25, 2026 07:20
@microsoft-github-policy-service microsoft-github-policy-service Bot added the Packaging and 3.0-dev (PRs Destined for AzureLinux 3.0) labels May 25, 2026
@Kanishk-Bansal

Buddy Build

@mayankfz

Full Build - https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1125929&view=results
Changes look fine, buddy build passes.

@mayankfz mayankfz added the ready-for-stable-review (PR has passed initial review and is now ready for a second-level stable maintainer review) label May 26, 2026
@kgodara912

Two components in the full build were failing, hence I retriggered the failed jobs. Those pipelines usually don't fail.

@kgodara912 kgodara912 left a comment


AI Summary:

Backport Verification — CVE Patches (curl bundled in cmake)

The cmake package bundles curl (~8.5-era). Upstream fixes target curl master which has undergone significant refactoring (e.g., ConnectionExists() was split into url_match_ssl_use(), url_match_auth_ntlm(), etc.; Curl_follow() became Curl_http_follow()). The backport patches reference Ubuntu/Canonical security diffs as the authoritative backport reference for this curl vintage.

CVE-2026-4873 (507e7be5) url: do not reuse non-tls starttls connection

  • Upstream: Uses refactored url_match_ssl_use() with BIT(req_tls) struct field
  • Backport: Adapts the same check into the pre-refactor ConnectionExists() function
  • Verdict: ✅ Semantically equivalent — rejects reuse of non-TLS STARTTLS connection when TLS is required

CVE-2026-5545 (33e43985) url: improve connection reuse on negotiate

  • Upstream: Adds SPNEGO state check in url_match_auth_ntlm() (http_negotiate_state == GSS_AUTHNONE)
  • Backport: Identical conditional logic placed in ConnectionExists() (pre-refactor equivalent)
  • Verdict: ✅ Same guard condition, different function location due to refactor

CVE-2026-6253 (188c2f16) http: clear proxy credentials on port/scheme change

  • Upstream: Extracts Curl_reset_userpwd() + Curl_reset_proxypwd() helpers, refactors Curl_pretransfer
  • Backport: Identical helper functions + additional proxy hardening from the same Ubuntu security diff (cf-h1-proxy.c Content-Length/chunked reordering, error code corrections, CREDS_OPTION define)
  • Verdict: ✅ Core logic matches; extra changes are from the same security context and strengthen credential handling

CVE-2026-6276 (3a19987a) urldata: move cookiehost to SingleRequest

  • Upstream: Moves cookiehost from the UrlState struct to the SingleRequest struct
  • Backport: Exact same transformation (data->state.aptr.cookiehost becomes data->req.cookiehost)
  • Verdict: ✅ Direct cherry-pick — no adaptation needed for this change

CVE-2026-6429 (b4024bf808) http: clear credentials better on redirect

  • Upstream: Two separate commits: 32a513e180 introduces Curl_url_same_origin() + h2 push origin check, then b4024bf808 uses it for credential clearing on redirect
  • Backport: Correctly squashes both commits into one patch since the prerequisite function doesn't exist in cmake's bundled curl. Adds Curl_url_same_origin() to urlapi.c/urlapi-int.h, applies the h2 push origin check in http2.c, and uses same-origin comparison for credential clearing in transfer.c's Curl_follow()
  • Verdict: ✅ Correctly combines prerequisite + fix; implementation is identical to upstream

Summary

CVE             Adaptation Result
CVE-2026-4873   Adapted to pre-refactor ConnectionExists()
CVE-2026-5545   Adapted to pre-refactor ConnectionExists()
CVE-2026-6253   Includes extra proxy hardening from Ubuntu security diff
CVE-2026-6276   Exact match — no adaptation needed
CVE-2026-6429   Squashes prerequisite commit + fix (correct approach)

All 5 patches are correct semantic backports verified against the upstream curl commits.

Comment thread SPECS/cmake/cmake.spec
Patch17: CVE-2025-10966.patch
Patch18: CVE-2025-14524.patch
Patch19: CVE-2026-27135.patch
Patch20: CVE-2026-4873.patch
nit: indentation. Except for Patch8, the Patch lines before the current changes use tabs. Please replace them with spaces.
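The credential-clearing rule discussed under CVE-2026-6429 and CVE-2026-6253 above (drop the original request's credentials unless the redirect target shares the original origin), shown as an added example that is not code from this PR or from curl: a minimal same-origin comparison over scheme, host and effective port, used to decide whether credentials may follow a redirect. parse_origin, same_origin, origin_port and keep_credentials_on_redirect are hypothetical names written for this example, the URLs are constructed, and curl's own Curl_url_same_origin() is not reproduced here.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Minimal origin triple, constructed for this example (not a curl type). */
typedef struct {
    char scheme[16];
    char host[256];
    int port; /* effective port: explicit, or the scheme default */
} origin_t;

/* Default port for the schemes this example understands; 0 when unknown. */
static int default_port(const char *scheme) {
    if (strcasecmp(scheme, "http") == 0) return 80;
    if (strcasecmp(scheme, "https") == 0) return 443;
    if (strcasecmp(scheme, "ftp") == 0) return 21;
    return 0;
}

/* Parse "scheme://host[:port][/path]" into an origin. Returns false on malformed input. */
bool parse_origin(const char *url, origin_t *out) {
    const char *sep = strstr(url, "://");
    if (!sep) return false;
    size_t slen = (size_t)(sep - url);
    if (slen == 0 || slen >= sizeof(out->scheme)) return false;
    memcpy(out->scheme, url, slen);
    out->scheme[slen] = '\0';

    const char *host = sep + 3;
    const char *end = host + strcspn(host, "/?#");           /* end of authority */
    const char *colon = memchr(host, ':', (size_t)(end - host));
    const char *hend = colon ? colon : end;
    size_t hlen = (size_t)(hend - host);
    if (hlen == 0 || hlen >= sizeof(out->host)) return false;
    memcpy(out->host, host, hlen);
    out->host[hlen] = '\0';

    if (colon) {
        char *stop;
        long p = strtol(colon + 1, &stop, 10);
        /* the port must consume everything up to the end of the authority */
        if (stop == colon + 1 || stop != end || p < 1 || p > 65535) return false;
        out->port = (int)p;
    } else {
        out->port = default_port(out->scheme);
        if (out->port == 0) return false;                    /* unknown scheme, no default */
    }
    return true;
}

/* Same origin: same scheme, same host (case-insensitive), same effective port. */
bool same_origin(const origin_t *a, const origin_t *b) {
    return strcasecmp(a->scheme, b->scheme) == 0 &&
           strcasecmp(a->host, b->host) == 0 &&
           a->port == b->port;
}

/* Effective port of a URL, or -1 when it does not parse. */
int origin_port(const char *url) {
    origin_t o;
    return parse_origin(url, &o) ? o.port : -1;
}

/* Credentials attached to the original request may follow a redirect only when the
   target shares the original origin; anything unparseable fails closed. */
bool keep_credentials_on_redirect(const char *original_url, const char *redirect_url) {
    origin_t a, b;
    if (!parse_origin(original_url, &a) || !parse_origin(redirect_url, &b)) return false;
    return same_origin(&a, &b);
}

int main(void) {
    /* Constructed redirect pairs: only the first one keeps the same origin. */
    struct { const char *from, *to; } cases[] = {
        {"https://api.example.test/v1", "https://api.example.test:443/v2"},
        {"https://api.example.test/v1", "http://api.example.test/v2"},
        {"https://api.example.test/v1", "https://api.example.test:8443/v2"},
        {"https://api.example.test/v1", "https://other.example.test/v2"},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%s -> %s : %s credentials\n", cases[i].from, cases[i].to,
               keep_credentials_on_redirect(cases[i].from, cases[i].to) ? "keep" : "clear");
    return 0;
}
```

The port comparison is done on the effective port so that an explicit ":443" on an https URL still counts as the same origin, while a scheme downgrade or a port change on the same host clears the credentials, which is the property the backported redirect and proxy fixes are meant to preserve.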

Labels

  • 3.0-dev (PRs Destined for AzureLinux 3.0)
  • Packaging
  • ready-for-stable-review (PR has passed initial review and is now ready for a second-level stable maintainer review)
  • security
