diff mbox series

[scarthgap,v2,1/3] curl: fix CVE-2026-1965

Message ID 20260326100000.2619253-2-sudumbha@cisco.com
State Under Review
Delegated to: Yoann Congal
Headers show
Series [scarthgap,v2,1/3] curl: fix CVE-2026-1965 | expand

Commit Message

Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) March 26, 2026, 10 a.m. UTC 
From: Sudhir Dumbhare <sudumbha@cisco.com>

Applying the fixes from upstream commit [3] and [4] cause merge conflicts
and require other dependent commits to be backported. Instead, backport
the Ubuntu-provided patches [1], which fixes the vulnerability as mentioned
in changelog [2].

[1] http://archive.ubuntu.com/ubuntu/pool/main/c/curl/curl_8.5.0-2ubuntu10.8.debian.tar.xz
    debian/patches/CVE-2026-1965-1.patch
    debian/patches/CVE-2026-1965-2.patch
[2] https://changelogs.ubuntu.com/changelogs/pool/main/c/curl/curl_8.5.0-2ubuntu10.8/changelog
[3] https://github.com/curl/curl/commit/34fa034d9a390c4bd65e2d05262755ec8646ac12
[4] https://github.com/curl/curl/commit/f1a39f221d57354990e3eeeddc3404aede2aff70

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-1965
https://curl.se/docs/CVE-2026-1965.html
https://ubuntu.com/security/CVE-2026-1965

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
---
Changes from v1 -> v2:
- Updated with the correct patch series numbering

 .../curl/curl/CVE-2026-1965_p1.patch          | 98 +++++++++++++++++++
 .../curl/curl/CVE-2026-1965_p2.patch          | 30 ++++++
 meta/recipes-support/curl/curl_8.7.1.bb       |  2 +
 3 files changed, 130 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2026-1965_p1.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2026-1965_p2.patch
diff mbox series

Patch

diff --git a/meta/recipes-support/curl/curl/CVE-2026-1965_p1.patch b/meta/recipes-support/curl/curl/CVE-2026-1965_p1.patch
new file mode 100644
index 0000000000..8079b453eb
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2026-1965_p1.patch
@@ -0,0 +1,98 @@ 
+Backport of:
+
+From 34fa034d9a390c4bd65e2d05262755ec8646ac12 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 5 Feb 2026 08:34:21 +0100
+Subject: [PATCH] url: fix reuse of connections using HTTP Negotiate
+
+Assume Negotiate means connection-based
+
+Reported-by: Zhicheng Chen
+Closes #20534
+
+CVE: CVE-2026-1965
+Upstream-Status: Backport [https://github.com/curl/curl/commit/34fa034d9a390c4bd65e2d05262755ec8646ac12]
+
+Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
+---
+ lib/url.c | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 82 insertions(+), 5 deletions(-)
+
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -935,6 +935,18 @@ ConnectionExists(struct Curl_easy *data,
+   bool wantProxyNTLMhttp = FALSE;
+ #endif
+ #endif
++
++#if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO)
++  bool wantNegohttp =
++    (data->state.authhost.want & CURLAUTH_NEGOTIATE) &&
++    (needle->handler->protocol & PROTO_FAMILY_HTTP);
++#ifndef CURL_DISABLE_PROXY
++  bool wantProxyNegohttp =
++    needle->bits.proxy_user_passwd &&
++    (data->state.authproxy.want & CURLAUTH_NEGOTIATE) &&
++    (needle->handler->protocol & PROTO_FAMILY_HTTP);
++#endif
++#endif
+   /* plain HTTP with upgrade */
+   bool h2upgrade = (data->state.httpwant == CURL_HTTP_VERSION_2_0) &&
+     (needle->handler->protocol & CURLPROTO_HTTP);
+@@ -1272,6 +1284,56 @@ ConnectionExists(struct Curl_easy *data,
+     }
+ #endif
+
++#ifdef USE_SPNEGO
++  /* If we are looking for an HTTP+Negotiate connection, check if this is
++     already authenticating with the right credentials. If not, keep looking
++     so that we can reuse Negotiate connections if possible. */
++  if(wantNegohttp) {
++    if(Curl_timestrcmp(needle->user, check->user) ||
++       Curl_timestrcmp(needle->passwd, check->passwd))
++      continue;
++  }
++  else if(check->http_negotiate_state != GSS_AUTHNONE) {
++    /* Connection is using Negotiate auth but we do not want Negotiate */
++    continue;
++  }
++
++#ifndef CURL_DISABLE_PROXY
++  /* Same for Proxy Negotiate authentication */
++  if(wantProxyNegohttp) {
++    /* Both check->http_proxy.user and check->http_proxy.passwd can be
++     * NULL */
++    if(!check->http_proxy.user || !check->http_proxy.passwd)
++      continue;
++
++    if(Curl_timestrcmp(needle->http_proxy.user,
++                       check->http_proxy.user) ||
++       Curl_timestrcmp(needle->http_proxy.passwd,
++                       check->http_proxy.passwd))
++      continue;
++  }
++  else if(check->proxy_negotiate_state != GSS_AUTHNONE) {
++    /* Proxy connection is using Negotiate auth but we do not want Negotiate */
++    continue;
++  }
++#endif
++  if(wantNTLMhttp || wantProxyNTLMhttp) {
++    /* Credentials are already checked, we may use this connection. We MUST
++     * use a connection where it has already been fully negotiated. If it has
++     * not, we keep on looking for a better one. */
++    chosen = check;
++    if((wantNegohttp &&
++        (check->http_negotiate_state != GSS_AUTHNONE)) ||
++       (wantProxyNegohttp &&
++        (check->proxy_negotiate_state != GSS_AUTHNONE))) {
++      /* We must use this connection, no other */
++      *force_reuse = TRUE;
++      break;
++    }
++    continue; /* get another */
++  }
++#endif
++
+     if(CONN_INUSE(check)) {
+       DEBUGASSERT(canmultiplex);
+       DEBUGASSERT(check->bits.multiplex);
diff --git a/meta/recipes-support/curl/curl/CVE-2026-1965_p2.patch b/meta/recipes-support/curl/curl/CVE-2026-1965_p2.patch
new file mode 100644
index 0000000000..1fdb658f23
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2026-1965_p2.patch
@@ -0,0 +1,30 @@ 
+Backport of:
+
+From f1a39f221d57354990e3eeeddc3404aede2aff70 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 21 Feb 2026 18:11:41 +0100
+Subject: [PATCH] url: fix copy and paste url_match_auth_nego mistake
+
+Follow-up to 34fa034
+Reported-by: dahmono on github
+Closes #20662
+
+CVE: CVE-2026-1965
+Upstream-Status: Backport [https://github.com/curl/curl/commit/f1a39f221d57354990e3eeeddc3404aede2aff70]
+
+Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
+---
+ lib/url.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1317,7 +1317,7 @@ ConnectionExists(struct Curl_easy *data,
+     continue;
+   }
+ #endif
+-  if(wantNTLMhttp || wantProxyNTLMhttp) {
++  if(wantNegohttp || wantProxyNegohttp) {
+     /* Credentials are already checked, we may use this connection. We MUST
+      * use a connection where it has already been fully negotiated. If it has
+      * not, we keep on looking for a better one. */
diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb
index 9e37684b2c..e2f6f8472f 100644
--- a/meta/recipes-support/curl/curl_8.7.1.bb
+++ b/meta/recipes-support/curl/curl_8.7.1.bb
@@ -32,6 +32,8 @@  SRC_URI = " \
     file://CVE-2025-14819.patch \
     file://CVE-2025-15079.patch \
     file://CVE-2025-15224.patch \
+    file://CVE-2026-1965_p1.patch \
+    file://CVE-2026-1965_p2.patch \
 "
 
 SRC_URI:append:class-nativesdk = " \