diff mbox series

[whinlatter,1/6] curl: patch CVE-2025-13034

Message ID 20260110173639.1643322-1-peter.marko@siemens.com
State New
Headers show
Series [whinlatter,1/6] curl: patch CVE-2025-13034 | expand

Commit Message

Peter Marko Jan. 10, 2026, 5:36 p.m. UTC 
From: Peter Marko <peter.marko@siemens.com>

Pick patch per [1].

[1] https://curl.se/docs/CVE-2025-13034.html

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 .../curl/curl/CVE-2025-13034.patch            | 37 +++++++++++++++++++
 meta/recipes-support/curl/curl_8.17.0.bb      |  1 +
 2 files changed, 38 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2025-13034.patch
diff mbox series

Patch

diff --git a/meta/recipes-support/curl/curl/CVE-2025-13034.patch b/meta/recipes-support/curl/curl/CVE-2025-13034.patch
new file mode 100644
index 0000000000..0c3fe42509
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2025-13034.patch
@@ -0,0 +1,37 @@ 
+From 3d91ca8cdb3b434226e743946d428b4dd3acf2c9 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 14 Nov 2025 16:42:23 +0100
+Subject: [PATCH] vquic-tls/gnutls: call Curl_gtls_verifyserver unconditionally
+
+Closes #19531
+
+CVE: CVE-2025-13034
+Upstream-Status: Backport [https://github.com/curl/curl/commit/3d91ca8cdb3b434226e743946d428b4dd3acf2c9]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ lib/vquic/vquic-tls.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/lib/vquic/vquic-tls.c b/lib/vquic/vquic-tls.c
+index f4ef06c33b..46bb4c7d4c 100644
+--- a/lib/vquic/vquic-tls.c
++++ b/lib/vquic/vquic-tls.c
+@@ -168,13 +168,11 @@ CURLcode Curl_vquic_tls_verify_peer(struct curl_tls_ctx *ctx,
+   (void)conn_config;
+   result = Curl_ossl_check_peer_cert(cf, data, &ctx->ossl, peer);
+ #elif defined(USE_GNUTLS)
+-  if(conn_config->verifyhost) {
+-    result = Curl_gtls_verifyserver(cf, data, ctx->gtls.session,
+-                                    conn_config, &data->set.ssl, peer,
+-                                    data->set.str[STRING_SSL_PINNEDPUBLICKEY]);
+-    if(result)
+-      return result;
+-  }
++  result = Curl_gtls_verifyserver(cf, data, ctx->gtls.session,
++                                  conn_config, &data->set.ssl, peer,
++                                  data->set.str[STRING_SSL_PINNEDPUBLICKEY]);
++  if(result)
++    return result;
+ #elif defined(USE_WOLFSSL)
+   (void)data;
+   if(conn_config->verifyhost) {
diff --git a/meta/recipes-support/curl/curl_8.17.0.bb b/meta/recipes-support/curl/curl_8.17.0.bb
index 352f407d28..edae6ebb95 100644
--- a/meta/recipes-support/curl/curl_8.17.0.bb
+++ b/meta/recipes-support/curl/curl_8.17.0.bb
@@ -14,6 +14,7 @@  SRC_URI = " \
     file://run-ptest \
     file://disable-tests \
     file://no-test-timeout.patch \
+    file://CVE-2025-13034.patch \
 "
 
 SRC_URI:append:class-nativesdk = " \