From ab549baa1f12c6be28c5f909f79c4f4cad8bedbd Mon Sep 17 00:00:00 2001
From: Security Fix
Date: Mon, 8 Jun 2026 21:10:11 +0200
Subject: [PATCH] security: Fix MITM RCE vulnerability in microcode scripts

- Changed Intel microcode download from HTTP to HTTPS
- Added --proto '=https' flag to curl to prevent protocol downgrade attacks
- Simplified output parameter from basename to direct variable reference
- Affects: tools/pve/microcode.sh (line 79) and tools/pve/pbs-microcode.sh (line 93)
- CVSS: 6.5 (Medium)
- CWE-494, CWE-300, CWE-829
- Impact: Prevents network-path MITM attacks that could lead to root RCE
The AMD branch was already using HTTPS, this fix brings Intel branch to parity and closes the vulnerability reported in security advisory.
---
tools/pve/microcode.sh | 2 +-
tools/pve/pbs-microcode.sh | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/pve/microcode.sh b/tools/pve/microcode.sh
index 7024c089e..b1b236ad5 100644
--- a/tools/pve/microcode.sh
+++ b/tools/pve/microcode.sh
@@ -76,7 +76,7 @@ intel() {
 }
 msg_info "Downloading the Intel Processor Microcode Package $microcode"
- curl -fsSL "http://ftp.debian.org/debian/pool/non-free-firmware/i/intel-microcode/$microcode" -o $(basename "http://ftp.debian.org/debian/pool/non-free-firmware/i/intel-microcode/$microcode")
+ curl -fsSL --proto '=https' "https://ftp.debian.org/debian/pool/non-free-firmware/i/intel-microcode/$microcode" -o "$microcode"
 msg_ok "Downloaded the Intel Processor Microcode Package $microcode"
 msg_info "Installing $microcode (Patience)"
diff --git a/tools/pve/pbs-microcode.sh b/tools/pve/pbs-microcode.sh
index e9cfd8bd5..0c6222899 100644
--- a/tools/pve/pbs-microcode.sh
+++ b/tools/pve/pbs-microcode.sh
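Review bot: The new curl line in intel() still hands whatever `$microcode` the mirror serves to the install step that follows the hunk without any integrity check, so `--proto '=https'` closes the on-path downgrade case but not a compromised or misbehaving mirror; the identical line in tools/pve/pbs-microcode.sh has the same gap. Debian's signed Packages index for the non-free-firmware component carries a SHA256 for each .deb, so comparing the download against that value before installing (or installing the package through apt, which performs that verification itself) would complete the fix the commit message describes. `$microcode` is assigned outside the hunk, presumably from a remote listing, and is now also the local output filename, so it should be rejected unless it is a bare filename, e.g. `[[ "$microcode" == */* || "$microcode" == .* ]] && { printf 'unexpected microcode filename: %s\n' "$microcode" >&2; exit 1; }` placed before the curl call. The body of intel() starts before the hunk and continues after it.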
@@ -90,7 +90,7 @@ intel() {
 }
 msg_info "Downloading Intel processor microcode package $microcode"
- curl -fsSL "http://ftp.debian.org/debian/pool/non-free-firmware/i/intel-microcode/$microcode" -o $(basename "http://ftp.debian.org/debian/pool/non-free-firmware/i/intel-microcode/$microcode")
+ curl -fsSL --proto '=https' "https://ftp.debian.org/debian/pool/non-free-firmware/i/intel-microcode/$microcode" -o "$microcode"
 msg_ok "Downloaded Intel processor microcode package $microcode"
 msg_info "Installing $microcode (this might take a while)"