[scarthgap,02/11] curl: fix CVE-2025-9086

Message ID	b0cc7001a628deaa96d1aebb5ded52797898a0be.1758807463.git.steve@sakoman.com
State	RFC
Delegated to:	Steve Sakoman
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.216.50, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 02/11] curl: fix CVE-2025-9086 Date: Thu, 25 Sep 2025 06:40:46 -0700 Message-ID: <b0cc7001a628deaa96d1aebb5ded52797898a0be.1758807463.git.steve@sakoman.com> In-Reply-To: <cover.1758807463.git.steve@sakoman.com> References: <cover.1758807463.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[scarthgap,01/11] libxslt: apply patch for CVE-2025-7424 \| expand [scarthgap,01/11] libxslt: apply patch for CVE-2025-7424 [scarthgap,02/11] curl: fix CVE-2025-9086 [scarthgap,03/11] llvm: update from 18.1.6 to 18.1.8 [scarthgap,04/11] llvm: fix build with gcc-15 [scarthgap,05/11] sanity.conf: Update minimum bitbake version to 2.8.1 [scarthgap,06/11] lib/oe/utils: use multiprocessing from bb [scarthgap,07/11] systemd: backport fix for handle USE_NLS from master [scarthgap,08/11] shared-mime-info: Handle USE_NLS [scarthgap,09/11] p11-kit: backport fix for handle USE_NLS from master [scarthgap,10/11] examples: genl: fix wrong attribute size [scarthgap,11/11] util-linux: use ${B} instead of ${WORKDIR}/build, to fix building under devtool

Message ID

b0cc7001a628deaa96d1aebb5ded52797898a0be.1758807463.git.steve@sakoman.com

State

RFC

Delegated to:

Steve Sakoman

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 02/11] curl: fix CVE-2025-9086
Date: Thu, 25 Sep 2025 06:40:46 -0700
Message-ID: 
 <b0cc7001a628deaa96d1aebb5ded52797898a0be.1758807463.git.steve@sakoman.com>
In-Reply-To: <cover.1758807463.git.steve@sakoman.com>
References: <cover.1758807463.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[scarthgap,01/11] libxslt: apply patch for CVE-2025-7424 | expand

Commit Message

Steve Sakoman Sept. 25, 2025, 1:40 p.m. UTC

From: Yogita Urade <yogita.urade@windriver.com>

1, A cookie is set using the secure keyword for https://target
2, curl is redirected to or otherwise made to speak with http://target
(same hostname, but using clear text HTTP) using the same cookie set
3, The same cookie name is set - but with just a slash as path (path="/").
Since this site is not secure, the cookie should just be ignored.
4, A bug in the path comparison logic makes curl read outside a heap buffer boundary

The bug either causes a crash or it potentially makes the comparison come to
the wrong conclusion and lets the clear-text site override the contents of
the secure cookie, contrary to expectations and depending on the memory contents
immediately following the single-byte allocation that holds the path.

The presumed and correct behavior would be to plainly ignore the second set of
the cookie since it was already set as secure on a secure host so overriding
it on an insecure host should not be okay.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-9086

Upstream patch:
https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb6

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../curl/curl/CVE-2025-9086.patch             | 55 +++++++++++++++++++
 meta/recipes-support/curl/curl_8.7.1.bb       |  1 +
 2 files changed, 56 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2025-9086.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2025-9086.patch b/meta/recipes-support/curl/curl/CVE-2025-9086.patch
new file mode 100644
index 0000000000..c77d8fe33d
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2025-9086.patch
@@ -0,0 +1,55 @@ 
+From c6ae07c6a541e0e96d0040afb62b45dd37711300 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 11 Aug 2025 20:23:05 +0200
+Subject: [PATCH] cookie: don't treat the leading slash as trailing
+
+If there is only a leading slash in the path, keep that. Also add an
+assert to make sure the path is never blank.
+
+Reported-by: Google Big Sleep
+Closes #18266
+
+CVE: CVE-2025-9086
+Upstream-Status: Backport [https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb6]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ lib/cookie.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index c1ed291..67494d2 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -316,7 +316,7 @@ static char *sanitize_cookie_path(const char *cookie_path)
+   }
+
+   /* convert /hoge/ to /hoge */
+-  if(len && new_path[len - 1] == '/') {
++  if(len > 1 && new_path[len - 1] == '/') {
+     new_path[len - 1] = 0x0;
+   }
+
+@@ -1074,7 +1074,7 @@ Curl_cookie_add(struct Curl_easy *data,
+          clist->spath && co->spath && /* both have paths */
+          clist->secure && !co->secure && !secure) {
+         size_t cllen;
+-        const char *sep;
++        const char *sep = NULL;
+
+         /*
+          * A non-secure cookie may not overlay an existing secure cookie.
+@@ -1083,8 +1083,9 @@ Curl_cookie_add(struct Curl_easy *data,
+          * "/loginhelper" is ok.
+          */
+
+-        sep = strchr(clist->spath + 1, '/');
+-
++        DEBUGASSERT(clist->spath[0]);
++        if(clist->spath[0])
++          sep = strchr(clist->spath + 1, '/');
+         if(sep)
+           cllen = sep - clist->spath;
+         else
+--
+2.40.0
diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb
index 6845a43cd2..6ed3d6e84d 100644
--- a/meta/recipes-support/curl/curl_8.7.1.bb
+++ b/meta/recipes-support/curl/curl_8.7.1.bb
@@ -24,6 +24,7 @@  SRC_URI = " \
     file://CVE-2024-11053-0002.patch \
     file://CVE-2024-11053-0003.patch \
     file://CVE-2025-0167.patch \
+    file://CVE-2025-9086.patch \
 "
 
 SRC_URI:append:class-nativesdk = " \

[scarthgap,02/11] curl: fix CVE-2025-9086

Commit Message

Patch