From patchwork Sat Jan 10 17:36:24 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 78435 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 88466D277FE for ; Sat, 10 Jan 2026 17:37:25 +0000 (UTC) Received: from mta-65-226.siemens.flowmailer.net (mta-65-226.siemens.flowmailer.net [185.136.65.226]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.12769.1768066643432464529 for ; Sat, 10 Jan 2026 09:37:23 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=H4LqmE1J; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.226, mailfrom: fm-256628-20260110173721e11f7efce700020709-sjh72g@rts-flowmailer.siemens.com) Received: by mta-65-226.siemens.flowmailer.net with ESMTPSA id 20260110173721e11f7efce700020709 for ; Sat, 10 Jan 2026 18:37:21 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc; bh=jkZLlvf2BXove4wT3aSJz18WNqn45hu/HTrjWI0B/V8=; b=H4LqmE1J4+JYjq+Hv7d8HteX0AQQ1t9qhoxQ8YDGvyE4YGtNi925TWQFl3iE3MkKb0AZTO rpRVye4zPhj2VfFKn3phqh9PVT0FengrPgfxFmdPpL82NG/tEt2JzKT9/ETLNOd8n7N2gtLG nJSEqfGoctuSTcKid/bNVaNccab74ZCtOIF5WhOKvxC709n3YCr8NBvGao48sE9uqK98olIU v6/yn0Ezdm7zUrD0UtB1rWlxs+i9qXBwTSjVZLwmJ/na9oyoLAEZWLgNw3BrgYPTKiPLG00D ujvhg48YTbyGI7iYOCFxYuCX3YcKIXbkgeuNWuiM2FlkuebkDX/bY5Gg==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][scarthgap][PATCH 1/4] curl: patch CVE-2025-14017 Date: Sat, 10 Jan 2026 18:36:24 +0100 Message-Id: <20260110173627.1643290-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 10 Jan 2026 17:37:25 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/229158 From: Peter Marko Pick patch per [1]. [1] https://curl.se/docs/CVE-2025-14017.html Signed-off-by: Peter Marko --- .../curl/curl/CVE-2025-14017.patch | 115 ++++++++++++++++++ meta/recipes-support/curl/curl_8.7.1.bb | 1 + 2 files changed, 116 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2025-14017.patch diff --git a/meta/recipes-support/curl/curl/CVE-2025-14017.patch b/meta/recipes-support/curl/curl/CVE-2025-14017.patch new file mode 100644 index 00000000000..887ff2f97c5 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2025-14017.patch @@ -0,0 +1,115 @@ +From 39d1976b7f709a516e3243338ebc0443bdd8d56d Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 4 Dec 2025 00:14:20 +0100 +Subject: [PATCH] ldap: call ldap_init() before setting the options + +Closes #19830 + +CVE: CVE-2025-14017 +Upstream-Status: Backport [https://github.com/curl/curl/commit/39d1976b7f709a516e3243338ebc0443bdd8d56d] +Signed-off-by: Peter Marko +--- + lib/ldap.c | 49 +++++++++++++++++++------------------------------ + 1 file changed, 19 insertions(+), 30 deletions(-) + +diff --git a/lib/ldap.c b/lib/ldap.c +index 63b2cbc414..0911a9239a 100644 +--- a/lib/ldap.c ++++ b/lib/ldap.c +@@ -362,16 +362,29 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done) + passwd = conn->passwd; + } + ++#ifdef USE_WIN32_LDAP ++ if(ldap_ssl) ++ server = ldap_sslinit(host, conn->primary.remote_port, 1); ++ else ++#else ++ server = ldap_init(host, conn->primary.remote_port); ++#endif ++ if(!server) { ++ failf(data, "LDAP: cannot setup connect to %s:%u", ++ conn->host.dispname, conn->primary.remote_port); ++ result = CURLE_COULDNT_CONNECT; ++ goto quit; ++ } ++ + #ifdef LDAP_OPT_NETWORK_TIMEOUT +- ldap_set_option(NULL, LDAP_OPT_NETWORK_TIMEOUT, &ldap_timeout); ++ ldap_set_option(server, LDAP_OPT_NETWORK_TIMEOUT, &ldap_timeout); + #endif +- ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto); ++ ldap_set_option(server, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto); + + if(ldap_ssl) { + #ifdef HAVE_LDAP_SSL + #ifdef USE_WIN32_LDAP + /* Win32 LDAP SDK doesn't support insecure mode without CA! */ +- server = ldap_sslinit(host, conn->primary.remote_port, 1); + ldap_set_option(server, LDAP_OPT_SSL, LDAP_OPT_ON); + #else + int ldap_option; +@@ -439,7 +452,7 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done) + goto quit; + } + infof(data, "LDAP local: using PEM CA cert: %s", ldap_ca); +- rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, ldap_ca); ++ rc = ldap_set_option(server, LDAP_OPT_X_TLS_CACERTFILE, ldap_ca); + if(rc != LDAP_SUCCESS) { + failf(data, "LDAP local: ERROR setting PEM CA cert: %s", + ldap_err2string(rc)); +@@ -451,20 +464,13 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done) + else + ldap_option = LDAP_OPT_X_TLS_NEVER; + +- rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_option); ++ rc = ldap_set_option(server, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_option); + if(rc != LDAP_SUCCESS) { + failf(data, "LDAP local: ERROR setting cert verify mode: %s", + ldap_err2string(rc)); + result = CURLE_SSL_CERTPROBLEM; + goto quit; + } +- server = ldap_init(host, conn->primary.remote_port); +- if(!server) { +- failf(data, "LDAP local: Cannot connect to %s:%u", +- conn->host.dispname, conn->primary.remote_port); +- result = CURLE_COULDNT_CONNECT; +- goto quit; +- } + ldap_option = LDAP_OPT_X_TLS_HARD; + rc = ldap_set_option(server, LDAP_OPT_X_TLS, &ldap_option); + if(rc != LDAP_SUCCESS) { +@@ -473,15 +479,6 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done) + result = CURLE_SSL_CERTPROBLEM; + goto quit; + } +-/* +- rc = ldap_start_tls_s(server, NULL, NULL); +- if(rc != LDAP_SUCCESS) { +- failf(data, "LDAP local: ERROR starting SSL/TLS mode: %s", +- ldap_err2string(rc)); +- result = CURLE_SSL_CERTPROBLEM; +- goto quit; +- } +-*/ + #else + /* we should probably never come up to here since configure + should check in first place if we can support LDAP SSL/TLS */ +@@ -498,15 +495,7 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done) + result = CURLE_NOT_BUILT_IN; + goto quit; + } +- else { +- server = ldap_init(host, conn->primary.remote_port); +- if(!server) { +- failf(data, "LDAP local: Cannot connect to %s:%u", +- conn->host.dispname, conn->primary.remote_port); +- result = CURLE_COULDNT_CONNECT; +- goto quit; +- } +- } ++ + #ifdef USE_WIN32_LDAP + ldap_set_option(server, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto); + rc = ldap_win_bind(data, server, user, passwd); diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb index 0af6a413997..aa978f0346c 100644 --- a/meta/recipes-support/curl/curl_8.7.1.bb +++ b/meta/recipes-support/curl/curl_8.7.1.bb @@ -25,6 +25,7 @@ SRC_URI = " \ file://CVE-2024-11053-0003.patch \ file://CVE-2025-0167.patch \ file://CVE-2025-9086.patch \ + file://CVE-2025-14017.patch \ " SRC_URI:append:class-nativesdk = " \ From patchwork Sat Jan 10 17:36:25 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 78437 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8AF05D1A63D for ; Sat, 10 Jan 2026 17:37:35 +0000 (UTC) Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net [185.136.64.228]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.12836.1768066647192394225 for ; Sat, 10 Jan 2026 09:37:27 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=FBCeK7Cm; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228, mailfrom: fm-256628-202601101737257afd64e84300020717-9hbwjy@rts-flowmailer.siemens.com) Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 202601101737257afd64e84300020717 for ; Sat, 10 Jan 2026 18:37:25 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=ZpJkyZXMq4oyyUlBtnk0zEeGXXh3ZyRK736rdSlqhL4=; b=FBCeK7CmaP8LrYiV+SdZmKSpNhrUG2kChzmnjLTq1GCcuIO+XNn/roSZjZC296Q2YPoYVy fajSV9BKPjciBecS4OBAp5qKc8SDCBEDdQA+CBeydc7tMTmZC5qw/VktHwS8Dl/qJOWm900+ Lo3tNgtCulIU1a3hI4Ia8LoImO3JSBxu5YZwtpnAmHchfPPgSGJf4wbEnzwoDL7KAbunZzZD /R6KMvThQig7xMQ2qx1nvQpFrt58R9qHeIFewkm8uyuLTnbczPx0UnSLCrIYHqQuLyCFpnFi Uybqyt0WCXNClL++TGDCE0GN0fNrtt4YmwohsEeiicnNdUFTtAtiQK/Q==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][scarthgap][PATCH 2/4] curl: patch CVE-2025-14819 Date: Sat, 10 Jan 2026 18:36:25 +0100 Message-Id: <20260110173627.1643290-2-peter.marko@siemens.com> In-Reply-To: <20260110173627.1643290-1-peter.marko@siemens.com> References: <20260110173627.1643290-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 10 Jan 2026 17:37:35 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/229159 From: Peter Marko Pick patch per [1]. Additionally pick commit with definition of CURL_UNCONST to make the cherry-pick possible without build errors. It will be probably needed also by further CVE patches. [1] https://curl.se/docs/CVE-2025-14819.html Signed-off-by: Peter Marko --- ...st-qual-fix-or-silence-compiler-warn.patch | 85 +++++++++++++++++++ .../curl/curl/CVE-2025-14819.patch | 73 ++++++++++++++++ meta/recipes-support/curl/curl_8.7.1.bb | 2 + 3 files changed, 160 insertions(+) create mode 100644 meta/recipes-support/curl/curl/0001-build-enable-Wcast-qual-fix-or-silence-compiler-warn.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2025-14819.patch diff --git a/meta/recipes-support/curl/curl/0001-build-enable-Wcast-qual-fix-or-silence-compiler-warn.patch b/meta/recipes-support/curl/curl/0001-build-enable-Wcast-qual-fix-or-silence-compiler-warn.patch new file mode 100644 index 00000000000..f652456990e --- /dev/null +++ b/meta/recipes-support/curl/curl/0001-build-enable-Wcast-qual-fix-or-silence-compiler-warn.patch @@ -0,0 +1,85 @@ +From 9989d5392e9e61c81fdd3e464511ddd8d73c2f87 Mon Sep 17 00:00:00 2001 +From: Viktor Szakats +Date: Fri, 31 Jan 2025 23:20:46 +0100 +Subject: [PATCH] build: enable `-Wcast-qual`, fix or silence compiler warnings + +The issues found fell into these categories, with the applied fixes: + +- const was accidentally stripped. + Adjust code to not cast or cast with const. + +- const/volatile missing from arguments, local variables. + Constify arguments or variables, adjust/delete casts. Small code + changes in a few places. + +- const must be stripped because an API dependency requires it. + Strip `const` with `CURL_UNCONST()` macro to silence the warning out + of our control. These happen at API boundaries. Sometimes they depend + on dependency version, which this patch handles as necessary. Also + enable const support for the zlib API, using `ZLIB_CONST`. Supported + by zlib 1.2.5.2 and newer. + +- const must be stripped because a curl API requires it. + Strip `const` with `CURL_UNCONST()` macro to silence the warning out + of our immediate control. For example we promise to send a non-const + argument to a callback, though the data is const internally. + +- other cases where we may avoid const stripping by code changes. + Also silenced with `CURL_UNCONST()`. + +- there are 3 places where `CURL_UNCONST()` is cast again to const. + To silence this type of warning: + ``` + lib/vquic/curl_osslq.c:1015:29: error: to be safe all intermediate + pointers in cast from 'unsigned char **' to 'const unsigned char **' + must be 'const' qualified [-Werror=cast-qual] + lib/cf-socket.c:734:32: error: to be safe all intermediate pointers in + cast from 'char **' to 'const char **' must be 'const' qualified + [-Werror=cast-qual] + ``` + There may be a better solution, but I couldn't find it. + +These cases are handled in separate subcommits, but without further +markup. + +If you see a `-Wcast-qual` warning in curl, we appreciate your report +about it. + +Closes #16142 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/9989d5392e9e61c81fdd3e464511ddd8d73c2f87] + +Picked only header file definition, not complete code refactoring. +CURL_UNCONST will be probably needed also by further CVE patches due to this rework. + +Also later modified by removing VS2008 code per 2e1a045d8985e5daa4d9a4f908ed870a16d8e41e. + +Signed-off-by: Peter Marko +--- + lib/curl_setup_once.h | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/lib/curl_setup_once.h b/lib/curl_setup_once.h +index bf0ee663d3..df5b44c478 100644 +--- a/lib/curl_setup_once.h ++++ b/lib/curl_setup_once.h +@@ -69,10 +69,18 @@ + #include + #endif + +-#ifdef USE_WOLFSSL ++#if defined(HAVE_STDINT_H) || defined(USE_WOLFSSL) + #include + #endif + ++/* Macro to strip 'const' without triggering a compiler warning. ++ Use* it for APIs that do not or cannot support the const qualifier. */ ++#ifdef HAVE_STDINT_H ++# define CURL_UNCONST(p) ((void *)(uintptr_t)(const void *)(p)) ++#else ++# define CURL_UNCONST(p) ((void *)(p)) /* Fall back to simple cast */ ++#endif ++ + #ifdef USE_SCHANNEL + /* Must set this before is included directly or indirectly by + another Windows header. */ diff --git a/meta/recipes-support/curl/curl/CVE-2025-14819.patch b/meta/recipes-support/curl/curl/CVE-2025-14819.patch new file mode 100644 index 00000000000..7bed47e7b4d --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2025-14819.patch @@ -0,0 +1,73 @@ +From cd046f6c93b39d673a58c18648d8906e954c4f5d Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 17 Dec 2025 10:54:16 +0100 +Subject: [PATCH] openssl: toggling CURLSSLOPT_NO_PARTIALCHAIN makes a + different CA cache + +Reported-by: Stanislav Fort + +Closes #20009 + +CVE: CVE-2025-14819 +Upstream-Status: Backport [https://github.com/curl/curl/commit/cd046f6c93b39d673a58c18648d8906e954c4f5d] +Signed-off-by: Peter Marko +--- + lib/vtls/openssl.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index a7f169d641..7563d9a090 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -317,6 +317,7 @@ struct multi_ssl_backend_data { + char *CAfile; /* CAfile path used to generate X509 store */ + X509_STORE *store; /* cached X509 store or NULL if none */ + struct curltime time; /* when the cached store was created */ ++ BIT(no_partialchain); /* keep partial chain state */ + }; + #endif /* HAVE_SSL_X509_STORE_SHARE */ + +@@ -3378,12 +3379,16 @@ static bool cached_x509_store_expired(const struct Curl_easy *data, + + static bool cached_x509_store_different( + struct Curl_cfilter *cf, ++ const struct Curl_easy *data, + const struct multi_ssl_backend_data *mb) + { + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); ++ struct ssl_config_data *ssl_config = ++ Curl_ssl_cf_get_config(cf, CURL_UNCONST(data)); ++ if(mb->no_partialchain != ssl_config->no_partialchain) ++ return TRUE; + if(!mb->CAfile || !conn_config->CAfile) + return mb->CAfile != conn_config->CAfile; +- + return strcmp(mb->CAfile, conn_config->CAfile); + } + +@@ -3398,7 +3403,7 @@ static X509_STORE *get_cached_x509_store(struct Curl_cfilter *cf, + multi->ssl_backend_data && + multi->ssl_backend_data->store && + !cached_x509_store_expired(data, multi->ssl_backend_data) && +- !cached_x509_store_different(cf, multi->ssl_backend_data)) { ++ !cached_x509_store_different(cf, data, multi->ssl_backend_data)) { + store = multi->ssl_backend_data->store; + } + +@@ -3427,6 +3432,8 @@ static void set_cached_x509_store(struct Curl_cfilter *cf, + + if(X509_STORE_up_ref(store)) { + char *CAfile = NULL; ++ struct ssl_config_data *ssl_config = ++ Curl_ssl_cf_get_config(cf, CURL_UNCONST(data)); + + if(conn_config->CAfile) { + CAfile = strdup(conn_config->CAfile); +@@ -3444,6 +3451,7 @@ static void set_cached_x509_store(struct Curl_cfilter *cf, + mbackend->time = Curl_now(); + mbackend->store = store; + mbackend->CAfile = CAfile; ++ mbackend->no_partialchain = ssl_config->no_partialchain; + } + } + diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb index aa978f0346c..3134846e57c 100644 --- a/meta/recipes-support/curl/curl_8.7.1.bb +++ b/meta/recipes-support/curl/curl_8.7.1.bb @@ -26,6 +26,8 @@ SRC_URI = " \ file://CVE-2025-0167.patch \ file://CVE-2025-9086.patch \ file://CVE-2025-14017.patch \ + file://0001-build-enable-Wcast-qual-fix-or-silence-compiler-warn.patch \ + file://CVE-2025-14819.patch \ " SRC_URI:append:class-nativesdk = " \ From patchwork Sat Jan 10 17:36:26 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 78438 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8FCAFD277F1 for ; Sat, 10 Jan 2026 17:37:35 +0000 (UTC) Received: from mta-64-226.siemens.flowmailer.net (mta-64-226.siemens.flowmailer.net [185.136.64.226]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.12774.1768066650610851911 for ; Sat, 10 Jan 2026 09:37:30 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=TubP/0nw; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.226, mailfrom: fm-256628-20260110173729f65ba0fa5e0002075f-kvrsaw@rts-flowmailer.siemens.com) Received: by mta-64-226.siemens.flowmailer.net with ESMTPSA id 20260110173729f65ba0fa5e0002075f for ; Sat, 10 Jan 2026 18:37:29 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=iksBmNjvpYgemXH9P96sUmOAYw/1qzVUKtwtXRRAD1Q=; b=TubP/0nweZ+s/d0j3Zilj4aZE4kFBi5exnd62GqY+oqlgKwKQ0SyyGYhJbvPIRRnStLILR h6ziZwEjt2+YO5qiqMkdOCSmOSOD+lrsfipLWKENNKZwQMdSxV7YOTDApQFx01Xh/Y8T2dYl tUs4gJeNUwUQE89U4Mi/qxVtVYreYwwgY1f79CJ/e0KpxVY6bOquLgOfKsgR535Ovjw2K8l/ KJosNekNNAEy8JOyL+j05F0Am4u+yaEy4eaY180vkotejm8OCdRfzx82G/ZdpS+VSd2E0fj5 Wrzaxlh9/3bonh46ETNebTiMw5/g7QfIxNneClQ8lh+12A5RsN2YEXug==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][scarthgap][PATCH 3/4] curl: patch CVE-2025-15079 Date: Sat, 10 Jan 2026 18:36:26 +0100 Message-Id: <20260110173627.1643290-3-peter.marko@siemens.com> In-Reply-To: <20260110173627.1643290-1-peter.marko@siemens.com> References: <20260110173627.1643290-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 10 Jan 2026 17:37:35 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/229160 From: Peter Marko Pick patch per [1]. [1] https://curl.se/docs/CVE-2025-15079.html Signed-off-by: Peter Marko --- .../curl/curl/CVE-2025-15079.patch | 32 +++++++++++++++++++ meta/recipes-support/curl/curl_8.7.1.bb | 1 + 2 files changed, 33 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2025-15079.patch diff --git a/meta/recipes-support/curl/curl/CVE-2025-15079.patch b/meta/recipes-support/curl/curl/CVE-2025-15079.patch new file mode 100644 index 00000000000..47fa518309f --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2025-15079.patch @@ -0,0 +1,32 @@ +From adca486c125d9a6d9565b9607a19dce803a8b479 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 24 Dec 2025 17:47:03 +0100 +Subject: [PATCH] libssh: set both knownhosts options to the same file + +Reported-by: Harry Sintonen + +Closes #20092 + +CVE: CVE-2025-15079 +Upstream-Status: Backport [https://github.com/curl/curl/commit/adca486c125d9a6d9565b9607a19dce803a8b479] +Signed-off-by: Peter Marko +--- + lib/vssh/libssh.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c +index 7d5905c83d..98c109ab59 100644 +--- a/lib/vssh/libssh.c ++++ b/lib/vssh/libssh.c +@@ -2224,6 +2224,11 @@ static CURLcode myssh_connect(struct Curl_easy *data, bool *done) + infof(data, "Known hosts: %s", data->set.str[STRING_SSH_KNOWNHOSTS]); + rc = ssh_options_set(ssh->ssh_session, SSH_OPTIONS_KNOWNHOSTS, + data->set.str[STRING_SSH_KNOWNHOSTS]); ++ if(rc == SSH_OK) ++ /* libssh has two separate options for this. Set both to the same file ++ to avoid surprises */ ++ rc = ssh_options_set(ssh->ssh_session, SSH_OPTIONS_GLOBAL_KNOWNHOSTS, ++ data->set.str[STRING_SSH_KNOWNHOSTS]); + if(rc != SSH_OK) { + failf(data, "Could not set known hosts file path"); + return CURLE_FAILED_INIT; diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb index 3134846e57c..85b91ef9582 100644 --- a/meta/recipes-support/curl/curl_8.7.1.bb +++ b/meta/recipes-support/curl/curl_8.7.1.bb @@ -28,6 +28,7 @@ SRC_URI = " \ file://CVE-2025-14017.patch \ file://0001-build-enable-Wcast-qual-fix-or-silence-compiler-warn.patch \ file://CVE-2025-14819.patch \ + file://CVE-2025-15079.patch \ " SRC_URI:append:class-nativesdk = " \ From patchwork Sat Jan 10 17:36:27 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 78436 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 833E3D277FE for ; Sat, 10 Jan 2026 17:37:35 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.12839.1768066654477478283 for ; Sat, 10 Jan 2026 09:37:34 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=XCXKlmz2; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-256628-2026011017373252942fa44900020719-irj9cr@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 2026011017373252942fa44900020719 for ; Sat, 10 Jan 2026 18:37:32 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=H21TxdATjQdHcj9uA6sHKD+zgpwFg0QaWBWfJGhQtr0=; b=XCXKlmz2eTJl/ivp71VwCBFescWgS182M4Bk+sRR+CjiqTo6GQ15RrVwUf1f+MQx523Pxm N55fDvZh0PwjFFKw3kBmdKxBl611j37Zbnoi1d91UeYH06TJMxgBRdmI5OEMQ3lToq7CrGhf IdaA7ies9NOTzc0HR49y/s8QUspxblCm0eBIX9FTk3C7Mb6ihIgvFDFLPxIADN2gfHPsONxi bTr3PdFi6TB16Ji9EcHIe0VRM7gjsqGSZQHsSsB+aQUkhLzM84KJYSdV26eRDli7E2RotyvH U+iVdXwHLZes8jqVz6rzYKFC1Q0gDYMh4xbQHqU2jM5un7SqT/w7c4dw==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][scarthgap][PATCH 4/4] curl: patch CVE-2025-15224 Date: Sat, 10 Jan 2026 18:36:27 +0100 Message-Id: <20260110173627.1643290-4-peter.marko@siemens.com> In-Reply-To: <20260110173627.1643290-1-peter.marko@siemens.com> References: <20260110173627.1643290-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 10 Jan 2026 17:37:35 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/229161 From: Peter Marko Pick patch per [1]. [1] https://curl.se/docs/CVE-2025-15224.html Signed-off-by: Peter Marko --- .../curl/curl/CVE-2025-15224.patch | 31 +++++++++++++++++++ meta/recipes-support/curl/curl_8.7.1.bb | 1 + 2 files changed, 32 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2025-15224.patch diff --git a/meta/recipes-support/curl/curl/CVE-2025-15224.patch b/meta/recipes-support/curl/curl/CVE-2025-15224.patch new file mode 100644 index 00000000000..dc07f921006 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2025-15224.patch @@ -0,0 +1,31 @@ +From 16d5f2a5660c61cc27bd5f1c7f512391d1c927aa Mon Sep 17 00:00:00 2001 +From: Harry Sintonen +Date: Mon, 29 Dec 2025 16:56:39 +0100 +Subject: [PATCH] libssh: require private key or user-agent for public key auth + +Closes #20110 + +CVE: CVE-2025-15224 +Upstream-Status: Backport [https://github.com/curl/curl/commit/16d5f2a5660c61cc27bd5f1c7f512391d1c927aa] +Signed-off-by: Peter Marko +--- + lib/vssh/libssh.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c +index 5d5125b526..bde6355f73 100644 +--- a/lib/vssh/libssh.c ++++ b/lib/vssh/libssh.c +@@ -751,7 +751,11 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block) + "keyboard-interactive, " : "", + sshc->auth_methods & SSH_AUTH_METHOD_PASSWORD ? + "password": ""); +- if(sshc->auth_methods & SSH_AUTH_METHOD_PUBLICKEY) { ++ /* For public key auth we need either the private key or ++ CURLSSH_AUTH_AGENT. */ ++ if((sshc->auth_methods & SSH_AUTH_METHOD_PUBLICKEY) && ++ (data->set.str[STRING_SSH_PRIVATE_KEY] || ++ (data->set.ssh_auth_types & CURLSSH_AUTH_AGENT))) { + state(data, SSH_AUTH_PKEY_INIT); + infof(data, "Authentication using SSH public key file"); + } diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb index 85b91ef9582..ecda13a04e1 100644 --- a/meta/recipes-support/curl/curl_8.7.1.bb +++ b/meta/recipes-support/curl/curl_8.7.1.bb @@ -29,6 +29,7 @@ SRC_URI = " \ file://0001-build-enable-Wcast-qual-fix-or-silence-compiler-warn.patch \ file://CVE-2025-14819.patch \ file://CVE-2025-15079.patch \ + file://CVE-2025-15224.patch \ " SRC_URI:append:class-nativesdk = " \