| Message ID | 20260326044809.2004530-4-sudumbha@cisco.com |
|---|---|
| State | New |
| Headers | show |
| Series | [scarthgap,1/2] curl: fix CVE-2026-3783 | expand |
On Thu Mar 26, 2026 at 5:48 AM CET, Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote: > From: Sudhir Dumbhare <sudumbha@cisco.com> > > This patch applies the upstream fix [1] as referenced in [2] > which is mentioned in [3]: > > [1] https://github.com/curl/curl/commit/e3d7401a32a46516c9e5ee877e613e62ed35bddc > [2] https://curl.se/docs/CVE-2026-3783.html > [3] https://nvd.nist.gov/vuln/detail/CVE-2026-3783 > > Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> > --- Hello, Sending a patch with "[PATCH 1/2]" means this is a first patch of a series of 2. I can't find the 2/2. Is it missing or the numbering of your 3 recent curl patches was somehow buggy? Regards, > .../curl/curl/CVE-2026-3783.patch | 159 ++++++++++++++++++ > meta/recipes-support/curl/curl_8.7.1.bb | 1 + > 2 files changed, 160 insertions(+) > create mode 100644 meta/recipes-support/curl/curl/CVE-2026-3783.patch > > diff --git a/meta/recipes-support/curl/curl/CVE-2026-3783.patch b/meta/recipes-support/curl/curl/CVE-2026-3783.patch > new file mode 100644 > index 0000000000..02c2d51eb6 > --- /dev/null > +++ b/meta/recipes-support/curl/curl/CVE-2026-3783.patch > @@ -0,0 +1,159 @@ > +From 11c36846187d96ef72abc6aeb5784c002cb212fe Mon Sep 17 00:00:00 2001 > +From: Daniel Stenberg <daniel@haxx.se> > +Date: Fri, 6 Mar 2026 23:13:07 +0100 > +Subject: [PATCH] http: only send bearer if auth is allowed > + > +Verify with test 2006 > + > +Closes #20843 > + > +CVE: CVE-2026-3783 > +Upstream-Status: Backport [https://github.com/curl/curl/commit/e3d7401a32a46516c9e5ee877e613e62ed35bddc] > + > +Backport Changes: > +- in tests/data/Makefile.inc: added test2006 to TESTCASES, adjusted for > + this version. > + The TESTCASES in tests/data/Makefile.am was introduced curl-8_10_0 by > + this commit; > + https://github.com/curl/curl/commit/f5b826532f2c564ef240df0ba2f3287d521df711 > + > +(cherry picked from commit e3d7401a32a46516c9e5ee877e613e62ed35bddc) > +Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> > +--- > + lib/http.c | 1 + > + tests/data/Makefile.inc | 2 +- > + tests/data/test2006 | 98 +++++++++++++++++++++++++++++++++++++++++ > + 3 files changed, 100 insertions(+), 1 deletion(-) > + create mode 100644 tests/data/test2006 > + > +diff --git a/lib/http.c b/lib/http.c > +index a764d3c440..3ab6d21b0f 100644 > +--- a/lib/http.c > ++++ b/lib/http.c > +@@ -673,6 +673,7 @@ output_auth_headers(struct Curl_easy *data, > + if(authstatus->picked == CURLAUTH_BEARER) { > + /* Bearer */ > + if((!proxy && data->set.str[STRING_BEARER] && > ++ Curl_auth_allowed_to_host(data) && > + !Curl_checkheaders(data, STRCONST("Authorization")))) { > + auth = "Bearer"; > + result = http_output_bearer(data); > +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc > +index 4c2cd52999..9fb92742ee 100644 > +--- a/tests/data/Makefile.inc > ++++ b/tests/data/Makefile.inc > +@@ -230,7 +230,7 @@ test1941 test1942 test1943 test1944 test1945 test1946 test1947 test1948 \ > + test1955 test1956 test1957 test1958 test1959 test1960 test1964 \ > + test1970 test1971 test1972 test1973 test1974 test1975 \ > + \ > +-test2000 test2001 test2002 test2003 test2004 test2005 \ > ++test2000 test2001 test2002 test2003 test2004 test2005 test2006 \ > + \ > + test2023 \ > + test2024 test2025 test2026 test2027 test2028 test2029 test2030 test2031 \ > +diff --git a/tests/data/test2006 b/tests/data/test2006 > +new file mode 100644 > +index 0000000000..200d30a7ce > +--- /dev/null > ++++ b/tests/data/test2006 > +@@ -0,0 +1,98 @@ > ++<?xml version="1.0" encoding="US-ASCII"?> > ++<testcase> > ++<info> > ++<keywords> > ++netrc > ++HTTP > ++</keywords> > ++</info> > ++# Server-side > ++<reply> > ++<data crlf="headers"> > ++HTTP/1.1 301 Follow this you fool > ++Date: Tue, 09 Nov 2010 14:49:00 GMT > ++Server: test-server/fake > ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT > ++ETag: "21025-dc7-39462498" > ++Accept-Ranges: bytes > ++Content-Length: 6 > ++Connection: close > ++Location: http://b.com/%TESTNUMBER0002 > ++ > ++-foo- > ++</data> > ++ > ++<data2 crlf="headers"> > ++HTTP/1.1 200 OK > ++Date: Tue, 09 Nov 2010 14:49:00 GMT > ++Server: test-server/fake > ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT > ++ETag: "21025-dc7-39462498" > ++Accept-Ranges: bytes > ++Content-Length: 7 > ++Connection: close > ++ > ++target > ++</data2> > ++ > ++<datacheck crlf="headers"> > ++HTTP/1.1 301 Follow this you fool > ++Date: Tue, 09 Nov 2010 14:49:00 GMT > ++Server: test-server/fake > ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT > ++ETag: "21025-dc7-39462498" > ++Accept-Ranges: bytes > ++Content-Length: 6 > ++Connection: close > ++Location: http://b.com/%TESTNUMBER0002 > ++ > ++HTTP/1.1 200 OK > ++Date: Tue, 09 Nov 2010 14:49:00 GMT > ++Server: test-server/fake > ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT > ++ETag: "21025-dc7-39462498" > ++Accept-Ranges: bytes > ++Content-Length: 7 > ++Connection: close > ++ > ++target > ++</datacheck> > ++</reply> > ++ > ++# Client-side > ++<client> > ++<server> > ++http > ++</server> > ++<features> > ++proxy > ++</features> > ++<name> > ++.netrc default with redirect plus oauth2-bearer > ++</name> > ++<command> > ++--netrc --netrc-file %LOGDIR/netrc%TESTNUMBER --oauth2-bearer SECRET_TOKEN -L -x http://%HOSTIP:%HTTPPORT/ http://a.com/ > ++</command> > ++<file name="%LOGDIR/netrc%TESTNUMBER" > > ++default login testuser password testpass > ++</file> > ++</client> > ++ > ++<verify> > ++<protocol crlf="headers"> > ++GET http://a.com/ HTTP/1.1 > ++Host: a.com > ++Authorization: Bearer SECRET_TOKEN > ++User-Agent: curl/%VERSION > ++Accept: */* > ++Proxy-Connection: Keep-Alive > ++ > ++GET http://b.com/%TESTNUMBER0002 HTTP/1.1 > ++Host: b.com > ++User-Agent: curl/%VERSION > ++Accept: */* > ++Proxy-Connection: Keep-Alive > ++ > ++</protocol> > ++</verify> > ++</testcase> > +-- > +2.44.1 > diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb > index e2f6f8472f..07e532721f 100644 > --- a/meta/recipes-support/curl/curl_8.7.1.bb > +++ b/meta/recipes-support/curl/curl_8.7.1.bb > @@ -34,6 +34,7 @@ SRC_URI = " \ > file://CVE-2025-15224.patch \ > file://CVE-2026-1965_p1.patch \ > file://CVE-2026-1965_p2.patch \ > + file://CVE-2026-3783.patch \ > " > > SRC_URI:append:class-nativesdk = " \
diff --git a/meta/recipes-support/curl/curl/CVE-2026-3783.patch b/meta/recipes-support/curl/curl/CVE-2026-3783.patch new file mode 100644 index 0000000000..02c2d51eb6 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2026-3783.patch @@ -0,0 +1,159 @@ +From 11c36846187d96ef72abc6aeb5784c002cb212fe Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Fri, 6 Mar 2026 23:13:07 +0100 +Subject: [PATCH] http: only send bearer if auth is allowed + +Verify with test 2006 + +Closes #20843 + +CVE: CVE-2026-3783 +Upstream-Status: Backport [https://github.com/curl/curl/commit/e3d7401a32a46516c9e5ee877e613e62ed35bddc] + +Backport Changes: +- in tests/data/Makefile.inc: added test2006 to TESTCASES, adjusted for + this version. + The TESTCASES in tests/data/Makefile.am was introduced curl-8_10_0 by + this commit; + https://github.com/curl/curl/commit/f5b826532f2c564ef240df0ba2f3287d521df711 + +(cherry picked from commit e3d7401a32a46516c9e5ee877e613e62ed35bddc) +Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> +--- + lib/http.c | 1 + + tests/data/Makefile.inc | 2 +- + tests/data/test2006 | 98 +++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 100 insertions(+), 1 deletion(-) + create mode 100644 tests/data/test2006 + +diff --git a/lib/http.c b/lib/http.c +index a764d3c440..3ab6d21b0f 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -673,6 +673,7 @@ output_auth_headers(struct Curl_easy *data, + if(authstatus->picked == CURLAUTH_BEARER) { + /* Bearer */ + if((!proxy && data->set.str[STRING_BEARER] && ++ Curl_auth_allowed_to_host(data) && + !Curl_checkheaders(data, STRCONST("Authorization")))) { + auth = "Bearer"; + result = http_output_bearer(data); +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 4c2cd52999..9fb92742ee 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -230,7 +230,7 @@ test1941 test1942 test1943 test1944 test1945 test1946 test1947 test1948 \ + test1955 test1956 test1957 test1958 test1959 test1960 test1964 \ + test1970 test1971 test1972 test1973 test1974 test1975 \ + \ +-test2000 test2001 test2002 test2003 test2004 test2005 \ ++test2000 test2001 test2002 test2003 test2004 test2005 test2006 \ + \ + test2023 \ + test2024 test2025 test2026 test2027 test2028 test2029 test2030 test2031 \ +diff --git a/tests/data/test2006 b/tests/data/test2006 +new file mode 100644 +index 0000000000..200d30a7ce +--- /dev/null ++++ b/tests/data/test2006 +@@ -0,0 +1,98 @@ ++<?xml version="1.0" encoding="US-ASCII"?> ++<testcase> ++<info> ++<keywords> ++netrc ++HTTP ++</keywords> ++</info> ++# Server-side ++<reply> ++<data crlf="headers"> ++HTTP/1.1 301 Follow this you fool ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 6 ++Connection: close ++Location: http://b.com/%TESTNUMBER0002 ++ ++-foo- ++</data> ++ ++<data2 crlf="headers"> ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 7 ++Connection: close ++ ++target ++</data2> ++ ++<datacheck crlf="headers"> ++HTTP/1.1 301 Follow this you fool ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 6 ++Connection: close ++Location: http://b.com/%TESTNUMBER0002 ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 7 ++Connection: close ++ ++target ++</datacheck> ++</reply> ++ ++# Client-side ++<client> ++<server> ++http ++</server> ++<features> ++proxy ++</features> ++<name> ++.netrc default with redirect plus oauth2-bearer ++</name> ++<command> ++--netrc --netrc-file %LOGDIR/netrc%TESTNUMBER --oauth2-bearer SECRET_TOKEN -L -x http://%HOSTIP:%HTTPPORT/ http://a.com/ ++</command> ++<file name="%LOGDIR/netrc%TESTNUMBER" > ++default login testuser password testpass ++</file> ++</client> ++ ++<verify> ++<protocol crlf="headers"> ++GET http://a.com/ HTTP/1.1 ++Host: a.com ++Authorization: Bearer SECRET_TOKEN ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++GET http://b.com/%TESTNUMBER0002 HTTP/1.1 ++Host: b.com ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++</protocol> ++</verify> ++</testcase> +-- +2.44.1 diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb index e2f6f8472f..07e532721f 100644 --- a/meta/recipes-support/curl/curl_8.7.1.bb +++ b/meta/recipes-support/curl/curl_8.7.1.bb @@ -34,6 +34,7 @@ SRC_URI = " \ file://CVE-2025-15224.patch \ file://CVE-2026-1965_p1.patch \ file://CVE-2026-1965_p2.patch \ + file://CVE-2026-3783.patch \ " SRC_URI:append:class-nativesdk = " \