[kirkstone,17/26] curl: patch CVE-2025-15224

Message ID	ef970b6e7ca48412731295ff2929ba66655e8f17.1768914702.git.yoann.congal@smile.fr
State	New
Headers	show Return-Path: <yoann.congal@smile.fr> ip: 209.85.128.47, mailfrom: yoann.congal@smile.fr) From: Yoann Congal <yoann.congal@smile.fr> To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 17/26] curl: patch CVE-2025-15224 Date: Tue, 20 Jan 2026 14:37:39 +0100 Message-ID: <ef970b6e7ca48412731295ff2929ba66655e8f17.1768914702.git.yoann.congal@smile.fr> In-Reply-To: <cover.1768914702.git.yoann.congal@smile.fr> References: <cover.1768914702.git.yoann.congal@smile.fr> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[kirkstone,01/26] util-linux: patch CVE-2025-14104 \| expand [kirkstone,01/26] util-linux: patch CVE-2025-14104 [kirkstone,02/26] glib-2.0: patch CVE-2025-13601 [kirkstone,03/26] glib-2.0: patch CVE-2025-14087 [kirkstone,04/26] glib-2.0: patch CVE-2025-14512 [kirkstone,05/26] qemu: ignore CVE-2025-54566 and CVE-2025-54567 [kirkstone,06/26] cups: patch CVE-2025-58436 [kirkstone,07/26] cups: patch CVE-2025-61915 [kirkstone,08/26] cups: allow unknown directives in conf files [kirkstone,09/26] dropbear: patch CVE-2019-6111 [kirkstone,10/26] python3-urllib3: patch CVE-2025-66418 [kirkstone,11/26] libpcap: patch CVE-2025-11961 [kirkstone,12/26] libpcap: patch CVE-2025-11964 [kirkstone,13/26] python3: fix CVE-2025-13836 [kirkstone,14/26] libarchive: fix CVE-2025-60753 regression [kirkstone,15/26] curl: patch CVE-2025-14017 [kirkstone,16/26] curl: patch CVE-2025-15079 [kirkstone,17/26] curl: patch CVE-2025-15224 [kirkstone,18/26] gnupg: patch CVE-2025-68973 [kirkstone,19/26] binutils: Fix CVE-2025-1181 [kirkstone,20/26] pseudo: Upgrade to version 1.9.1 [kirkstone,21/26] pseudo: 1.9.0 -> 1.9.2 [kirkstone,22/26] pseudo: Update to pull in memleak fix [kirkstone,23/26] pseudo: Add hard sstate dependencies for pseudo-native [kirkstone,24/26] pseudo: Update to pull in openat2 and efault return code changes [kirkstone,25/26] pseudo: Update to pull in 'makewrappers: Fix EFAULT implementation' [kirkstone,26/26] oeqa: Use 2.14 release of cpio instead of 2.13

Message ID

ef970b6e7ca48412731295ff2929ba66655e8f17.1768914702.git.yoann.congal@smile.fr

State

New

Headers

From: Yoann Congal <yoann.congal@smile.fr>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 17/26] curl: patch CVE-2025-15224
Date: Tue, 20 Jan 2026 14:37:39 +0100
Message-ID: 
 <ef970b6e7ca48412731295ff2929ba66655e8f17.1768914702.git.yoann.congal@smile.fr>
In-Reply-To: <cover.1768914702.git.yoann.congal@smile.fr>
References: <cover.1768914702.git.yoann.congal@smile.fr>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[kirkstone,01/26] util-linux: patch CVE-2025-14104 | expand

Commit Message

Yoann Congal Jan. 20, 2026, 1:37 p.m. UTC

From: Peter Marko <peter.marko@siemens.com>

Pick patch per [1].

[1] https://curl.se/docs/CVE-2025-15224.html

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../curl/curl/CVE-2025-15224.patch            | 31 +++++++++++++++++++
 meta/recipes-support/curl/curl_7.82.0.bb      |  1 +
 2 files changed, 32 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2025-15224.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2025-15224.patch b/meta/recipes-support/curl/curl/CVE-2025-15224.patch
new file mode 100644
index 0000000000..36f5f1b93a
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2025-15224.patch
@@ -0,0 +1,31 @@ 
+From 16d5f2a5660c61cc27bd5f1c7f512391d1c927aa Mon Sep 17 00:00:00 2001
+From: Harry Sintonen <sintonen@iki.fi>
+Date: Mon, 29 Dec 2025 16:56:39 +0100
+Subject: [PATCH] libssh: require private key or user-agent for public key auth
+
+Closes #20110
+
+CVE: CVE-2025-15224
+Upstream-Status: Backport [https://github.com/curl/curl/commit/16d5f2a5660c61cc27bd5f1c7f512391d1c927aa]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ lib/vssh/libssh.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c
+index 5d5125b526..bde6355f73 100644
+--- a/lib/vssh/libssh.c
++++ b/lib/vssh/libssh.c
+@@ -741,7 +741,11 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
+         }
+ 
+         sshc->auth_methods = ssh_userauth_list(sshc->ssh_session, NULL);
+-        if(sshc->auth_methods & SSH_AUTH_METHOD_PUBLICKEY) {
++  /* For public key auth we need either the private key or
++     CURLSSH_AUTH_AGENT. */
++  if((sshc->auth_methods & SSH_AUTH_METHOD_PUBLICKEY) &&
++    (data->set.str[STRING_SSH_PRIVATE_KEY] ||
++     (data->set.ssh_auth_types & CURLSSH_AUTH_AGENT))) {
+           state(data, SSH_AUTH_PKEY_INIT);
+           infof(data, "Authentication using SSH public key file");
+         }
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index 9c1a90e191..72bd1a2088 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -69,6 +69,7 @@  SRC_URI = "https://curl.se/download/${BP}.tar.xz \
            file://CVE-2025-9086.patch \
            file://CVE-2025-14017.patch \
            file://CVE-2025-15079.patch \
+           file://CVE-2025-15224.patch \
            "
 SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"

[kirkstone,17/26] curl: patch CVE-2025-15224

Commit Message

Patch