[scarthgap,7/7] curl: fix CVE-2026-7168

Message ID	20260629104801.972184-7-adongare@cisco.com
State	Awaiting Upstream
Delegated to:	Yoann Congal
Headers	show Return-Path: <adongare@cisco.com> ip: 173.37.86.72, mailfrom: adongare@cisco.com) IronPort-Data: A9a23:syyuIqyTdssCWkzbkqZ6t+dmxyrEfRIJ4+MujC+fZmUNrF6WrkUCy jMWC2uOPP2NMDT2cogkb4znoU4F7ZXdmNRnHQc/+1hgHilAwSbn6Xt1DatR0we6dJCroJdPt p1GAjX4BJlqCCea/VH1buSJQUBUjcmgXqD7BPPPJhd/TAplTDZJoR94kobVuKYw6TSCK13L4 4+aT/H3Ygf/hWYqaDJMscpvlTs21BjMkGJA1rABTagjUG/2zxE9EJ8ZLKetGHr0KqE8NvK6X evK0Iai9Wrf+Ro3Yvv9+losWhRXKlJ6FVHmZkt+A8BOsDAbzsAB+vpT2M4nVKtio27hc+adZ zl6ncfYpQ8BZsUgkQmGOvVSO3kW0aZuoNcrLZUj2CCe5xWuTpfi/xlhJHsdF6o08PZRO2cUx eA2ECghVlO5mtvjldpXSsE07igiBNPgMIVavjRryivUSK52B5vCWK7No9Rf2V/chOgXQq2YP JVfM2cyKk2cPnWjOX9PYH46tO6kgX/weidVgFmUvqEwpWPUyWSd1ZCwaIOLJoPXH5w9ckCw+ UXNpnTbKB4hc5+98Wu7/E2sq9LGpHauMG4VPPjinhJwu3WU3mEVBRgcWFe3rPX8gUmkVvpbK lcI4WwptaU0+UmhQ9XxUhH+p2SL1iPwQPJKGOE8rQXIwa3O7kPBVi4PTyVKb5ots8peqSEW6 2JlVujBXVRH2IB5g1rHnltIhVte4RQoEFI= IronPort-HdrOrdr: A9a23:IZsahaOJTZHmOMBcThmjsMiBIKoaSvp037Dk7S9MoHtuA6ulfq +V/cjzuSWYtN9VYgBDpTniAtjlfZq/z/5ICOAqVN/INjUO+lHYSb2KhrGN/9SPIUHDH8dmpM FdmtBFeb7NJGk/q9rm6w+lFNtl6tyG/Ke0wdr69R5WPHhXg2UK1XYDNu5deXcGPDV7OQ== From: "Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)" <adongare@cisco.com> To: openembedded-core@lists.openembedded.org Cc: xe-linux-external@cisco.com, Anil Dongare <adongare@cisco.com> Subject: [OE-core] [scarthgap] [PATCH 7/7] curl: fix CVE-2026-7168 Date: Mon, 29 Jun 2026 03:47:57 -0700 Message-ID: <20260629104801.972184-7-adongare@cisco.com> In-Reply-To: <20260629104801.972184-1-adongare@cisco.com> References: <20260629104801.972184-1-adongare@cisco.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[scarthgap,1/7] curl: ignore CVE-2026-4873 \| expand [scarthgap,1/7] curl: ignore CVE-2026-4873 [scarthgap,2/7] curl: fix CVE-2026-5545 [scarthgap,3/7] curl: ignore CVE-2026-5773 [scarthgap,4/7] curl: fix CVE-2026-6253 [scarthgap,5/7] curl: fix CVE-2026-6276 [scarthgap,6/7] curl: fix CVE-2026-6429 [scarthgap,7/7] curl: fix CVE-2026-7168

diff --git a/meta/recipes-support/curl/curl/CVE-2026-7168.patch b/meta/recipes-support/curl/curl/CVE-2026-7168.patch new file mode 100644 index 0000000000..b3fd04a5c8 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2026-7168.patch @@ -0,0 +1,389 @@ +From 955e8ba9821afde4a7ac22caef794dfffe5b4b5f Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Fri, 5 Jun 2026 01:22:37 -0700 +Subject: [PATCH] setopt: clear proxy auth properties when switching + +Verify with test 1588 + +Closes #21453 + +CVE: CVE-2026-7168 +Upstream-Status: Backport [https://github.com/curl/curl/commit/c1cfdf59acbaf9504c4578d4cf56cdd7c8594507] + +Backport Changes: +- curl-8.7.1 does not expose Curl_auth_digest_cleanup() to setopt.c in the + same way as the newer upstream tree. This backport therefore adds the + vauth/vauth.h include and the CURL_DISABLE_DIGEST_AUTH fallback macro in + lib/vauth/vauth.h before reusing the upstream setproxy() cleanup logic. +- curl-8.7.1 uses tests/data/Makefile.inc and tests/libtest/Makefile.inc + instead of the upstream Automake lists. + +(cherry picked from commit c1cfdf59acbaf9504c4578d4cf56cdd7c8594507) +Signed-off-by: Anil Dongare <adongare@cisco.com> +--- + lib/setopt.c | 17 ++++- + lib/vauth/vauth.h | 2 + + tests/data/Makefile.inc | 1 + + tests/data/test1588 | 105 ++++++++++++++++++++++++++ + tests/libtest/Makefile.inc | 5 +- + tests/libtest/lib1588.c | 147 +++++++++++++++++++++++++++++++++++++ + 6 files changed, 274 insertions(+), 3 deletions(-) + create mode 100644 tests/data/test1588 + create mode 100644 tests/libtest/lib1588.c + +diff --git a/lib/setopt.c b/lib/setopt.c +index 8a5a5d7..3de3047 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -51,6 +51,7 @@ + #include "altsvc.h" + #include "hsts.h" + #include "tftp.h" ++#include "vauth/vauth.h" + #include "strdup.h" + /* The last 3 #include files should be in this order */ + #include "curl_printf.h" +@@ -76,6 +77,19 @@ CURLcode Curl_setstropt(char **charp, const char *s) + return CURLE_OK; + } + ++#ifndef CURL_DISABLE_PROXY ++static CURLcode setproxy(struct Curl_easy *data, const char *proxy) ++{ ++ if((data->set.str[STRING_PROXY] && proxy) && ++ !strcmp(data->set.str[STRING_PROXY], proxy)) ++ return CURLE_OK; ++ ++ Curl_auth_digest_cleanup(&data->state.proxydigest); ++ memset(&data->state.authproxy, 0, sizeof(data->state.authproxy)); ++ return Curl_setstropt(&data->set.str[STRING_PROXY], proxy); ++} ++#endif ++ + CURLcode Curl_setblobopt(struct curl_blob **blobp, + const struct curl_blob *blob) + { +@@ -1139,8 +1153,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + * Setting it to NULL, means no proxy but allows the environment variables + * to decide for us (if CURLOPT_SOCKS_PROXY setting it to NULL). + */ +- result = Curl_setstropt(&data->set.str[STRING_PROXY], +- va_arg(param, char *)); ++ result = setproxy(data, va_arg(param, char *)); + break; + + case CURLOPT_PRE_PROXY: +diff --git a/lib/vauth/vauth.h b/lib/vauth/vauth.h +index 9da0540..bf5c7a3 100644 +--- a/lib/vauth/vauth.h ++++ b/lib/vauth/vauth.h +@@ -119,6 +119,8 @@ CURLcode Curl_auth_create_digest_http_message(struct Curl_easy *data, + + /* This is used to clean up the digest specific data */ + void Curl_auth_digest_cleanup(struct digestdata *digest); ++#else ++#define Curl_auth_digest_cleanup(x) + #endif /* !CURL_DISABLE_DIGEST_AUTH */ + + #ifdef USE_GSASL +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 136b961..aff6a01 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -200,6 +200,7 @@ test1540 test1541 test1542 test1543 test1544 test1545 \ + test1550 test1551 test1552 test1553 test1554 test1555 test1556 test1557 \ + test1558 test1559 test1560 test1561 test1562 test1563 test1564 test1565 \ + test1566 test1567 test1568 test1569 test1570 \ ++test1588 \ + \ + test1590 test1591 test1592 test1593 test1594 test1595 test1596 test1597 \ + test1598 \ +diff --git a/tests/data/test1588 b/tests/data/test1588 +new file mode 100644 +index 0000000..0199fa8 +--- /dev/null ++++ b/tests/data/test1588 +@@ -0,0 +1,105 @@ ++<?xml version="1.0" encoding="US-ASCII"?> ++<testcase> ++<info> ++<keywords> ++HTTP ++HTTP GET ++HTTP proxy ++HTTP proxy Digest auth ++multi ++</keywords> ++</info> ++ ++# Server-side ++<reply> ++ ++# this is returned first since we get no proxy-auth ++<data crlf="headers"> ++HTTP/1.1 407 Authorization Required to proxy me my dear ++Proxy-Authenticate: Digest realm="weirdorealm", nonce="12345" ++Content-Length: 33 ++ ++And you should ignore this data. ++</data> ++ ++# then this is returned when we get proxy-auth ++<data1000 crlf="headers"> ++HTTP/1.1 200 OK ++Content-Length: 21 ++Server: no ++ ++Nice proxy auth sir! ++</data1000> ++ ++<datacheck crlf="headers"> ++HTTP/1.1 407 Authorization Required to proxy me my dear ++Proxy-Authenticate: Digest realm="weirdorealm", nonce="12345" ++Content-Length: 33 ++ ++HTTP/1.1 200 OK ++Content-Length: 21 ++Server: no ++ ++Nice proxy auth sir! ++HTTP/1.1 407 Authorization Required to proxy me my dear ++Proxy-Authenticate: Digest realm="weirdorealm", nonce="12345" ++Content-Length: 33 ++ ++HTTP/1.1 200 OK ++Content-Length: 21 ++Server: no ++ ++Nice proxy auth sir! ++</datacheck> ++</reply> ++ ++# Client-side ++<client> ++<server> ++http ++</server> ++<tool> ++lib%TESTNUMBER ++</tool> ++<features> ++!SSPI ++crypto ++proxy ++digest ++</features> ++<name> ++HTTP proxy auth Digest, then change proxy and do it again ++</name> ++<command> ++http://test.remote.example.com/path/%TESTNUMBER %HOSTIP %HTTPPORT silly:person custom.set.host.name ++</command> ++</client> ++ ++# Verify data after the test has been "shot" ++<verify> ++<protocol crlf="headers"> ++GET http://test.remote.example.com/path/1588 HTTP/1.1 ++Host: test.remote.example.com ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++GET http://test.remote.example.com/path/1588 HTTP/1.1 ++Host: test.remote.example.com ++Proxy-Authorization: Digest username="silly", realm="weirdorealm", nonce="12345", uri="/path/1588", response="d0b2f000c7e3fca24452b5810713404a" ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++GET http://test.remote.example.com/path/1588 HTTP/1.1 ++Host: test.remote.example.com ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++GET http://test.remote.example.com/path/1588 HTTP/1.1 ++Host: test.remote.example.com ++Proxy-Authorization: Digest username="silly", realm="weirdorealm", nonce="12345", uri="/path/1588", response="d0b2f000c7e3fca24452b5810713404a" ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++</protocol> ++</verify> ++</testcase> +diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc +index 0f140eb..21f3c44 100644 +--- a/tests/libtest/Makefile.inc ++++ b/tests/libtest/Makefile.inc +@@ -62,7 +62,7 @@ noinst_PROGRAMS = chkhostname libauthretry libntlmconnect libprereq \ + lib1540 lib1541 lib1542 lib1543 lib1545 \ + lib1550 lib1551 lib1552 lib1553 lib1554 lib1555 lib1556 lib1557 \ + lib1558 lib1559 lib1560 lib1564 lib1565 lib1567 lib1568 lib1569 \ +- lib1591 lib1592 lib1593 lib1594 lib1596 lib1597 lib1598 \ ++ lib1588 lib1591 lib1592 lib1593 lib1594 lib1596 lib1597 lib1598 \ + \ + lib1662 \ + \ +@@ -690,6 +690,9 @@ lib2504_LDADD = $(TESTUTIL_LIBS) + lib2506_SOURCES = lib2506.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) + lib2506_LDADD = $(TESTUTIL_LIBS) + ++lib1588_SOURCES = lib1588.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) ++lib1588_LDADD = $(TESTUTIL_LIBS) ++ + lib3010_SOURCES = lib3010.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) + lib3010_LDADD = $(TESTUTIL_LIBS) + +diff --git a/tests/libtest/lib1588.c b/tests/libtest/lib1588.c +new file mode 100644 +index 0000000..46d6a83 +--- /dev/null ++++ b/tests/libtest/lib1588.c +@@ -0,0 +1,147 @@ ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ \| | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * \___|\___/|_| \_\_____| ++ * ++ * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al. ++ * ++ * This software is licensed as described in the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at https://curl.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. ++ * ++ * SPDX-License-Identifier: curl ++ * ++ ***************************************************************************/ ++/* ++ * argv1 = URL ++ * argv2 = proxy host ++ * argv3 = proxy port ++ * argv4 = proxyuser:password ++ */ ++ ++#include "first.h" ++ ++static CURLcode init1588(CURL *curl, const char *url, ++ const char *userpwd, const char *proxy) ++{ ++ CURLcode result = CURLE_OK; ++ ++ res_easy_setopt(curl, CURLOPT_URL, url); ++ if(result) ++ goto init_failed; ++ ++ res_easy_setopt(curl, CURLOPT_PROXY, proxy); ++ if(result) ++ goto init_failed; ++ ++ res_easy_setopt(curl, CURLOPT_PROXYUSERPWD, userpwd); ++ if(result) ++ goto init_failed; ++ ++ res_easy_setopt(curl, CURLOPT_PROXYAUTH, CURLAUTH_DIGEST); ++ if(result) ++ goto init_failed; ++ ++ res_easy_setopt(curl, CURLOPT_VERBOSE, 1L); ++ if(result) ++ goto init_failed; ++#if 0 ++ res_easy_setopt(curl, CURLOPT_HTTPPROXYTUNNEL, 1L); ++ if(result) ++ goto init_failed; ++#endif ++ ++ res_easy_setopt(curl, CURLOPT_HEADER, 1L); ++ if(result) ++ goto init_failed; ++ ++ return CURLE_OK; /* success */ ++ ++init_failed: ++ return result; /* failure */ ++} ++ ++static CURLcode run1588(CURL *curl, const char *url, const char *userpwd, ++ const char *proxy) ++{ ++ CURLcode result = CURLE_OK; ++ ++ result = init1588(curl, url, userpwd, proxy); ++ if(result) ++ return result; ++ ++ return curl_easy_perform(curl); ++} ++ ++static CURLcode test_lib1588(const char *URL) ++{ ++ CURLcode result = CURLE_OK; ++ CURL *curl = NULL; ++ const char *proxyuserpws = libtest_arg4; ++ struct curl_slist *host = NULL; ++ struct curl_slist *host2 = NULL; ++ char proxy1_resolve[128]; ++ char proxy2_resolve[128]; ++ char proxy1_connect[128]; ++ char proxy2_connect[128]; ++ ++ if(test_argc < 3) ++ return TEST_ERR_MAJOR_BAD; ++ ++ curl_msnprintf(proxy1_resolve, sizeof(proxy1_resolve), ++ "firstproxy:%s:%s", libtest_arg3, libtest_arg2); ++ curl_msnprintf(proxy2_resolve, sizeof(proxy2_resolve), ++ "secondproxy:%s:%s", libtest_arg3, libtest_arg2); ++ ++ /* we connect to the fake host name but the right port number */ ++ curl_msnprintf(proxy1_connect, sizeof(proxy1_connect), ++ "firstproxy:%s", libtest_arg3); ++ curl_msnprintf(proxy2_connect, sizeof(proxy2_connect), ++ "secondproxy:%s", libtest_arg3); ++ ++ res_global_init(CURL_GLOBAL_ALL); ++ if(result) ++ return result; ++ ++ curl = curl_easy_init(); ++ if(!curl) { ++ curl_mfprintf(stderr, "curl_easy_init() failed\n"); ++ curl_global_cleanup(); ++ return TEST_ERR_MAJOR_BAD; ++ } ++ ++ host = curl_slist_append(NULL, proxy1_resolve); ++ if(!host) ++ goto test_cleanup; ++ host2 = curl_slist_append(host, proxy2_resolve); ++ if(!host2) ++ goto test_cleanup; ++ host = host2; ++ ++ start_test_timing(); ++ ++ easy_setopt(curl, CURLOPT_RESOLVE, host); ++ ++ result = run1588(curl, URL, proxyuserpws, proxy1_connect); ++ if(result) ++ goto test_cleanup; ++ ++ curl_mfprintf(stderr, "lib1588: now we do the request again\n"); ++ ++ result = run1588(curl, URL, proxyuserpws, proxy2_connect); ++ ++test_cleanup: ++ curl_easy_cleanup(curl); ++ curl_global_cleanup(); ++ curl_slist_free_all(host); ++ return result; ++} +-- +2.43.7 diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb index c338a532f9..c2c2b6bfc6 100644 --- a/meta/recipes-support/curl/curl_8.7.1.bb +++ b/meta/recipes-support/curl/curl_8.7.1.bb @@ -40,6 +40,7 @@ SRC_URI = " \ file://CVE-2026-6253.patch \ file://CVE-2026-6276.patch \ file://CVE-2026-6429.patch \ + file://CVE-2026-7168.patch \ " SRC_URI:append:class-nativesdk = " \

[scarthgap,7/7] curl: fix CVE-2026-7168

Commit Message

Patch