| Message ID | 20260320075604.551251-4-vanusuri@mvista.com |
|---|---|
| State | New |
| Headers | show |
| Series | [kirkstone,1/4] curl: Fix CVE-2025-14524 | expand |
On Fri Mar 20, 2026 at 8:56 AM CET, Vijay Anusuri via lists.openembedded.org wrote: > From: Vijay Anusuri <vanusuri@mvista.com> > > import patch from ubuntu to fix > CVE-2026-3784 > > Upstream-Status: Backport [import from ubuntu curl_7.81.0-1ubuntu1.23.debian.tar.xz > Upstream commit https://github.com/curl/curl/commit/5f13a7645e565c5c1a06f3] > > Reference: https://curl.se/docs/CVE-2026-3784.html > https://ubuntu.com/security/CVE-2026-3784 > > Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > --- > .../curl/curl/CVE-2026-3784.patch | 74 +++++++++++++++++++ > meta/recipes-support/curl/curl_7.82.0.bb | 1 + > 2 files changed, 75 insertions(+) > create mode 100644 meta/recipes-support/curl/curl/CVE-2026-3784.patch > > diff --git a/meta/recipes-support/curl/curl/CVE-2026-3784.patch b/meta/recipes-support/curl/curl/CVE-2026-3784.patch > new file mode 100644 > index 0000000000..8f3d56bab9 > --- /dev/null > +++ b/meta/recipes-support/curl/curl/CVE-2026-3784.patch > @@ -0,0 +1,74 @@ > +Backport of: > + > +From 5f13a7645e565c5c1a06f3ef86e97afb856fb364 Mon Sep 17 00:00:00 2001 > +From: Stefan Eissing <stefan@eissing.org> > +Date: Fri, 6 Mar 2026 14:54:09 +0100 > +Subject: [PATCH] proxy-auth: additional tests > + > +Also eliminate the special handling for socks proxy match. > + > +Closes #20837 > + > +Upstream-Status: Backport [import from ubuntu curl_7.81.0-1ubuntu1.23.debian.tar.xz > +Upstream commit https://github.com/curl/curl/commit/5f13a7645e565c5c1a06f3] > +CVE: CVE-2026-3784 > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > +--- > + lib/url.c | 28 +++++++--------------------- > + tests/http/test_13_proxy_auth.py | 20 ++++++++++++++++++++ > + tests/http/testenv/curl.py | 18 +++++++++++++++--- > + 3 files changed, 42 insertions(+), 24 deletions(-) > + > +--- a/lib/url.c > ++++ b/lib/url.c > +@@ -930,33 +930,15 @@ proxy_info_matches(const struct proxy_in > + { > + if((data->proxytype == needle->proxytype) && > + (data->port == needle->port) && > +- Curl_safe_strcasecompare(data->host.name, needle->host.name)) > +- return TRUE; > ++ curl_strequal(data->host.name, needle->host.name)) { > + > ++ if(Curl_timestrcmp(data->user, needle->user) || > ++ Curl_timestrcmp(data->passwd, needle->passwd)) > ++ return FALSE; > ++ return TRUE; > ++ } > + return FALSE; > + } > +- > +-static bool > +-socks_proxy_info_matches(const struct proxy_info *data, > +- const struct proxy_info *needle) > +-{ > +- if(!proxy_info_matches(data, needle)) > +- return FALSE; > +- > +- /* the user information is case-sensitive > +- or at least it is not defined as case-insensitive > +- see https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.1 */ > +- > +- /* curl_strequal does a case insentive comparison, so do not use it here! */ > +- if(Curl_timestrcmp(data->user, needle->user) || > +- Curl_timestrcmp(data->passwd, needle->passwd)) > +- return FALSE; > +- return TRUE; > +-} > +-#else > +-/* disabled, won't get called */ > +-#define proxy_info_matches(x,y) FALSE > +-#define socks_proxy_info_matches(x,y) FALSE > + #endif > + > + /* A connection has to have been idle for a shorter time than 'maxage_conn' > +@@ -1282,8 +1264,8 @@ ConnectionExists(struct Curl_easy *data, > + continue; > + > + if(needle->bits.socksproxy && > +- !socks_proxy_info_matches(&needle->socks_proxy, > +- &check->socks_proxy)) > ++ !proxy_info_matches(&needle->socks_proxy, > ++ &check->socks_proxy)) > + continue; > + #endif > + if(needle->bits.conn_to_host != check->bits.conn_to_host) > diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb > index 8fdd954c7e..c33183e096 100644 > --- a/meta/recipes-support/curl/curl_7.82.0.bb > +++ b/meta/recipes-support/curl/curl_7.82.0.bb > @@ -74,6 +74,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \ > file://CVE-2026-1965-1.patch \ > file://CVE-2026-1965-2.patch \ > file://CVE-2026-3783.patch \ > + file://CVE-2026-3784.patch \ > " > SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c" > Hi Vijay, This my general feedback on the whole curl patch series. I noticed quite big differences between the upstream commits you cited and the ones actually provided in this series. If these backports are from Ubuntu or Debian, please include the direct links to those commits as well. Additionally, your backport for CVE-2025-14524 ([PATCH 1/4]) differs from the one by Amaury Couderc, which has already been merged into scarthgap. Maybe it would be simplier to cherry-picked it ? One last detail regarding formatting: the last four patches include a 'Backport of' prefix in the patch header. While not strictly forbidden, this is unusual and adds unnecessary noise. Could you please remove these headers next time? Thanks. Regards,
Hi Fabien Thomas, Thanks for providing the feedback. On Fri, Mar 20, 2026 at 7:59 PM Fabien Thomas <fabien.thomas@smile.fr> wrote: > On Fri Mar 20, 2026 at 8:56 AM CET, Vijay Anusuri via > lists.openembedded.org wrote: > > From: Vijay Anusuri <vanusuri@mvista.com> > > > > import patch from ubuntu to fix > > CVE-2026-3784 > > > > Upstream-Status: Backport [import from ubuntu > curl_7.81.0-1ubuntu1.23.debian.tar.xz > > Upstream commit > https://github.com/curl/curl/commit/5f13a7645e565c5c1a06f3] > > > > Reference: https://curl.se/docs/CVE-2026-3784.html > > https://ubuntu.com/security/CVE-2026-3784 > > > > Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > > --- > > .../curl/curl/CVE-2026-3784.patch | 74 +++++++++++++++++++ > > meta/recipes-support/curl/curl_7.82.0.bb | 1 + > > 2 files changed, 75 insertions(+) > > create mode 100644 meta/recipes-support/curl/curl/CVE-2026-3784.patch > > > > diff --git a/meta/recipes-support/curl/curl/CVE-2026-3784.patch > b/meta/recipes-support/curl/curl/CVE-2026-3784.patch > > new file mode 100644 > > index 0000000000..8f3d56bab9 > > --- /dev/null > > +++ b/meta/recipes-support/curl/curl/CVE-2026-3784.patch > > @@ -0,0 +1,74 @@ > > +Backport of: > > + > > +From 5f13a7645e565c5c1a06f3ef86e97afb856fb364 Mon Sep 17 00:00:00 2001 > > +From: Stefan Eissing <stefan@eissing.org> > > +Date: Fri, 6 Mar 2026 14:54:09 +0100 > > +Subject: [PATCH] proxy-auth: additional tests > > + > > +Also eliminate the special handling for socks proxy match. > > + > > +Closes #20837 > > + > > +Upstream-Status: Backport [import from ubuntu > curl_7.81.0-1ubuntu1.23.debian.tar.xz > > +Upstream commit > https://github.com/curl/curl/commit/5f13a7645e565c5c1a06f3] > > +CVE: CVE-2026-3784 > > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > > +--- > > + lib/url.c | 28 +++++++--------------------- > > + tests/http/test_13_proxy_auth.py | 20 ++++++++++++++++++++ > > + tests/http/testenv/curl.py | 18 +++++++++++++++--- > > + 3 files changed, 42 insertions(+), 24 deletions(-) > > + > > +--- a/lib/url.c > > ++++ b/lib/url.c > > +@@ -930,33 +930,15 @@ proxy_info_matches(const struct proxy_in > > + { > > + if((data->proxytype == needle->proxytype) && > > + (data->port == needle->port) && > > +- Curl_safe_strcasecompare(data->host.name, needle->host.name)) > > +- return TRUE; > > ++ curl_strequal(data->host.name, needle->host.name)) { > > + > > ++ if(Curl_timestrcmp(data->user, needle->user) || > > ++ Curl_timestrcmp(data->passwd, needle->passwd)) > > ++ return FALSE; > > ++ return TRUE; > > ++ } > > + return FALSE; > > + } > > +- > > +-static bool > > +-socks_proxy_info_matches(const struct proxy_info *data, > > +- const struct proxy_info *needle) > > +-{ > > +- if(!proxy_info_matches(data, needle)) > > +- return FALSE; > > +- > > +- /* the user information is case-sensitive > > +- or at least it is not defined as case-insensitive > > +- see https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.1 > */ > > +- > > +- /* curl_strequal does a case insentive comparison, so do not use it > here! */ > > +- if(Curl_timestrcmp(data->user, needle->user) || > > +- Curl_timestrcmp(data->passwd, needle->passwd)) > > +- return FALSE; > > +- return TRUE; > > +-} > > +-#else > > +-/* disabled, won't get called */ > > +-#define proxy_info_matches(x,y) FALSE > > +-#define socks_proxy_info_matches(x,y) FALSE > > + #endif > > + > > + /* A connection has to have been idle for a shorter time than > 'maxage_conn' > > +@@ -1282,8 +1264,8 @@ ConnectionExists(struct Curl_easy *data, > > + continue; > > + > > + if(needle->bits.socksproxy && > > +- !socks_proxy_info_matches(&needle->socks_proxy, > > +- &check->socks_proxy)) > > ++ !proxy_info_matches(&needle->socks_proxy, > > ++ &check->socks_proxy)) > > + continue; > > + #endif > > + if(needle->bits.conn_to_host != check->bits.conn_to_host) > > diff --git a/meta/recipes-support/curl/curl_7.82.0.bb > b/meta/recipes-support/curl/curl_7.82.0.bb > > index 8fdd954c7e..c33183e096 100644 > > --- a/meta/recipes-support/curl/curl_7.82.0.bb > > +++ b/meta/recipes-support/curl/curl_7.82.0.bb > > @@ -74,6 +74,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \ > > file://CVE-2026-1965-1.patch \ > > file://CVE-2026-1965-2.patch \ > > file://CVE-2026-3783.patch \ > > + file://CVE-2026-3784.patch \ > > " > > SRC_URI[sha256sum] = > "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c" > > > Hi Vijay, > > This my general feedback on the whole curl patch series. > > I noticed quite big differences between the upstream commits you cited and > the > ones actually provided in this series. If these backports are from Ubuntu > or Debian, please include the direct links to those commits as well. > > --> The previous Ubuntu commit link ( https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches?h=ubuntu/jammy-security) is currently not accessible. I’ve referenced the tarball version instead: https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/curl/7.81.0-1ubuntu1.23/curl_7.81.0-1ubuntu1.23.debian.tar.xz Would it be okay if I include this download link in the patch? > Additionally, your backport for CVE-2025-14524 ([PATCH 1/4]) differs > from the one by Amaury Couderc, which has already been merged into > scarthgap. > Maybe it would be simplier to cherry-picked it ? > --> Version in kirkstone is different from scarthgap. I will try to cherry-pick and send a V2 patch. > > One last detail regarding formatting: the last four patches include > a 'Backport of' prefix in the patch header. While not strictly forbidden, > this is unusual and adds unnecessary noise. > Could you please remove these headers next time? > --> Sure. I will remove those unusual headers. > > Thanks. > > Regards, > -- > Fabien Thomas > Smile ECS > > Thanks & Regards, Vijay
diff --git a/meta/recipes-support/curl/curl/CVE-2026-3784.patch b/meta/recipes-support/curl/curl/CVE-2026-3784.patch new file mode 100644 index 0000000000..8f3d56bab9 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2026-3784.patch @@ -0,0 +1,74 @@ +Backport of: + +From 5f13a7645e565c5c1a06f3ef86e97afb856fb364 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing <stefan@eissing.org> +Date: Fri, 6 Mar 2026 14:54:09 +0100 +Subject: [PATCH] proxy-auth: additional tests + +Also eliminate the special handling for socks proxy match. + +Closes #20837 + +Upstream-Status: Backport [import from ubuntu curl_7.81.0-1ubuntu1.23.debian.tar.xz +Upstream commit https://github.com/curl/curl/commit/5f13a7645e565c5c1a06f3] +CVE: CVE-2026-3784 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + lib/url.c | 28 +++++++--------------------- + tests/http/test_13_proxy_auth.py | 20 ++++++++++++++++++++ + tests/http/testenv/curl.py | 18 +++++++++++++++--- + 3 files changed, 42 insertions(+), 24 deletions(-) + +--- a/lib/url.c ++++ b/lib/url.c +@@ -930,33 +930,15 @@ proxy_info_matches(const struct proxy_in + { + if((data->proxytype == needle->proxytype) && + (data->port == needle->port) && +- Curl_safe_strcasecompare(data->host.name, needle->host.name)) +- return TRUE; ++ curl_strequal(data->host.name, needle->host.name)) { + ++ if(Curl_timestrcmp(data->user, needle->user) || ++ Curl_timestrcmp(data->passwd, needle->passwd)) ++ return FALSE; ++ return TRUE; ++ } + return FALSE; + } +- +-static bool +-socks_proxy_info_matches(const struct proxy_info *data, +- const struct proxy_info *needle) +-{ +- if(!proxy_info_matches(data, needle)) +- return FALSE; +- +- /* the user information is case-sensitive +- or at least it is not defined as case-insensitive +- see https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.1 */ +- +- /* curl_strequal does a case insentive comparison, so do not use it here! */ +- if(Curl_timestrcmp(data->user, needle->user) || +- Curl_timestrcmp(data->passwd, needle->passwd)) +- return FALSE; +- return TRUE; +-} +-#else +-/* disabled, won't get called */ +-#define proxy_info_matches(x,y) FALSE +-#define socks_proxy_info_matches(x,y) FALSE + #endif + + /* A connection has to have been idle for a shorter time than 'maxage_conn' +@@ -1282,8 +1264,8 @@ ConnectionExists(struct Curl_easy *data, + continue; + + if(needle->bits.socksproxy && +- !socks_proxy_info_matches(&needle->socks_proxy, +- &check->socks_proxy)) ++ !proxy_info_matches(&needle->socks_proxy, ++ &check->socks_proxy)) + continue; + #endif + if(needle->bits.conn_to_host != check->bits.conn_to_host) diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb index 8fdd954c7e..c33183e096 100644 --- a/meta/recipes-support/curl/curl_7.82.0.bb +++ b/meta/recipes-support/curl/curl_7.82.0.bb @@ -74,6 +74,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \ file://CVE-2026-1965-1.patch \ file://CVE-2026-1965-2.patch \ file://CVE-2026-3783.patch \ + file://CVE-2026-3784.patch \ " SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"