From patchwork Mon Apr 6 13:21:27 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 85325 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id F11BDE9D830 for ; Mon, 6 Apr 2026 13:21:46 +0000 (UTC) Received: from mail-pj1-f50.google.com (mail-pj1-f50.google.com [209.85.216.50]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.54737.1775481704448655003 for ; Mon, 06 Apr 2026 06:21:44 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=CoiykY6U; spf=pass (domain: mvista.com, ip: 209.85.216.50, mailfrom: vanusuri@mvista.com) Received: by mail-pj1-f50.google.com with SMTP id 98e67ed59e1d1-35c206f0481so3780771a91.0 for ; Mon, 06 Apr 2026 06:21:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1775481703; x=1776086503; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=bnkNKIoHGVvqy4PbXX78NKdkhVtU7F3WIy47iJXNI9I=; b=CoiykY6UKrkR/kY0iFDvHgC+VDu/Rxfxyhfqz8i/mj6PUleJZ0NIPEOs9oX2T6wFBY xbo1cIaTgJxFf+Uw1CetLOOlWL5kbiyb8Nck9UC1gY/EM/X2Q0qnJkl8yV0sx4evqx4Q UPW0AMcTCLS1wnrUmHhyrR4kMcSDEYHUlEjjw= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1775481703; x=1776086503; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=bnkNKIoHGVvqy4PbXX78NKdkhVtU7F3WIy47iJXNI9I=; b=RjrX1cwltsJKPZXLhnanMF5Ps7sx1/oBIV2ojvgadA997tdti0d97iOtM/lwl5XcKx h1/5JWRdJCHgQ+hTKylw44q8BmdylCsC3w8OE07jubQndk9fSTh615CSNy0e/nbBzNyf tJpp0iLwKeZyQqd+0DKDm3ZI/29O2BrC6Wmr0BHNCaqz4lhJ0RG1TPX8IyIHMmwuIopw vkMWjJuTzF834xDtmGYOVgKL51lxyUeLKbnj5IyyqwUes5J24S1ryJUQujk1fBnmhR49 3sJMZfB//2rOMCmJaAqy+wrkItuskfOR4v08n9GVg9PuL6PdC7cYkEO6cpJwdXeeYkgS 1pSQ== X-Gm-Message-State: AOJu0YxUUlHVgwwqYlbtpkAd4XwNnYHIs/bnE7IfA/kdKCcO1Nm/K3Bh PQGyCM1MLDYYG5av/smlYVyEykU809EcQhgPoL3sCXLRgcv6gLEofj3QzmnHMhAgk92ei/BF/2W 7yShJQ4o= X-Gm-Gg: AeBDieu8P+vgAg/O0Nk0LLyG9zmJe8Hry1VMejLdNA1/Tx8jR5yntdPkTBsSNa2UiU+ lU7Eoe3ea2cm+nnuApvPEnLKT3XGH0Q5P4o/019Onub1lwrXhNVqR4oD8qjq2oa8tWT+kgGQ/ep BVP9XkcLB0dEMnCUm7gLMu1DxiqP037J7Vx4RiOzyFvHkTCIubMOQq1UwHftQ00bPsCBRMVrf5a svEuc6zfwa1yy9/HphXDl3DVIx13zlVaWhOxk/PygMSo1ivXYBwMpeFdG1gGTmGKaNnC3dCjkyb quWtxLBgPT/aFfCDKWuKhIWnVd+rTXV5Gqx9BajAfRrrKcDSAoNXlcpT7Ww6IdydTqln3kRyUFi AoIkvnMUitA3lrfzU3MDdsRuitEgZLo2w5dRrihPsFnOOabIghZaG7mmD/EaCIvQK4ymDmSxcGs YKGFA01aly89F6ZP/2dTDPhn1KaOXQQrP+NCF/poE= X-Received: by 2002:a17:90b:2885:b0:35d:974d:8f7 with SMTP id 98e67ed59e1d1-35de679c8ecmr11213151a91.1.1775481703313; Mon, 06 Apr 2026 06:21:43 -0700 (PDT) Received: from MVIN00352.mvista.com ([2401:4900:1f28:2171:fb10:85f3:b262:eebf]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-35dd35f50e9sm13848829a91.6.2026.04.06.06.21.40 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 06 Apr 2026 06:21:42 -0700 (PDT) From: Vijay Anusuri To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][scarthgap][patch 1/3] curl: patch CVE-2026-1965 Date: Mon, 6 Apr 2026 18:51:27 +0530 Message-ID: <20260406132129.440817-1-vanusuri@mvista.com> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 06 Apr 2026 13:21:46 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/234679 pick patches from ubuntu per [1] [1] http://archive.ubuntu.com/ubuntu/pool/main/c/curl/curl_8.5.0-2ubuntu10.8.debian.tar.xz [2] https://ubuntu.com/security/CVE-2026-1965 [3] https://curl.se/docs/CVE-2026-1965.html Signed-off-by: Vijay Anusuri --- .../curl/curl/CVE-2026-1965-1.patch | 102 ++++++++++++++++++ .../curl/curl/CVE-2026-1965-2.patch | 34 ++++++ meta/recipes-support/curl/curl_8.7.1.bb | 2 + 3 files changed, 138 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2026-1965-1.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2026-1965-2.patch diff --git a/meta/recipes-support/curl/curl/CVE-2026-1965-1.patch b/meta/recipes-support/curl/curl/CVE-2026-1965-1.patch new file mode 100644 index 0000000000..acc8bfe044 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2026-1965-1.patch @@ -0,0 +1,102 @@ +From 34fa034d9a390c4bd65e2d05262755ec8646ac12 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 5 Feb 2026 08:34:21 +0100 +Subject: [PATCH] url: fix reuse of connections using HTTP Negotiate + +Assume Negotiate means connection-based + +Reported-by: Zhicheng Chen +Closes #20534 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/34fa034d9a390c4bd6] +Backported by Ubuntu team http://archive.ubuntu.com/ubuntu/pool/main/c/curl/curl_8.5.0-2ubuntu10.8.debian.tar.xz + +CVE: CVE-2026-1965 +Signed-off-by: Vijay Anusuri +--- + lib/url.c | 62 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 62 insertions(+) + +diff --git a/lib/url.c b/lib/url.c +index 1439c9e..792c422 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -936,6 +936,18 @@ ConnectionExists(struct Curl_easy *data, + #else + bool wantProxyNTLMhttp = FALSE; + #endif ++#endif ++ ++#if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO) ++ bool wantNegohttp = ++ (data->state.authhost.want & CURLAUTH_NEGOTIATE) && ++ (needle->handler->protocol & PROTO_FAMILY_HTTP); ++#ifndef CURL_DISABLE_PROXY ++ bool wantProxyNegohttp = ++ needle->bits.proxy_user_passwd && ++ (data->state.authproxy.want & CURLAUTH_NEGOTIATE) && ++ (needle->handler->protocol & PROTO_FAMILY_HTTP); ++#endif + #endif + /* plain HTTP with upgrade */ + bool h2upgrade = (data->state.httpwant == CURL_HTTP_VERSION_2_0) && +@@ -1274,6 +1286,56 @@ ConnectionExists(struct Curl_easy *data, + } + #endif + ++#ifdef USE_SPNEGO ++ /* If we are looking for an HTTP+Negotiate connection, check if this is ++ already authenticating with the right credentials. If not, keep looking ++ so that we can reuse Negotiate connections if possible. */ ++ if(wantNegohttp) { ++ if(Curl_timestrcmp(needle->user, check->user) || ++ Curl_timestrcmp(needle->passwd, check->passwd)) ++ continue; ++ } ++ else if(check->http_negotiate_state != GSS_AUTHNONE) { ++ /* Connection is using Negotiate auth but we do not want Negotiate */ ++ continue; ++ } ++ ++#ifndef CURL_DISABLE_PROXY ++ /* Same for Proxy Negotiate authentication */ ++ if(wantProxyNegohttp) { ++ /* Both check->http_proxy.user and check->http_proxy.passwd can be ++ * NULL */ ++ if(!check->http_proxy.user || !check->http_proxy.passwd) ++ continue; ++ ++ if(Curl_timestrcmp(needle->http_proxy.user, ++ check->http_proxy.user) || ++ Curl_timestrcmp(needle->http_proxy.passwd, ++ check->http_proxy.passwd)) ++ continue; ++ } ++ else if(check->proxy_negotiate_state != GSS_AUTHNONE) { ++ /* Proxy connection is using Negotiate auth but we do not want Negotiate */ ++ continue; ++ } ++#endif ++ if(wantNTLMhttp || wantProxyNTLMhttp) { ++ /* Credentials are already checked, we may use this connection. We MUST ++ * use a connection where it has already been fully negotiated. If it has ++ * not, we keep on looking for a better one. */ ++ chosen = check; ++ if((wantNegohttp && ++ (check->http_negotiate_state != GSS_AUTHNONE)) || ++ (wantProxyNegohttp && ++ (check->proxy_negotiate_state != GSS_AUTHNONE))) { ++ /* We must use this connection, no other */ ++ *force_reuse = TRUE; ++ break; ++ } ++ continue; /* get another */ ++ } ++#endif ++ + if(CONN_INUSE(check)) { + DEBUGASSERT(canmultiplex); + DEBUGASSERT(check->bits.multiplex); +-- +2.43.0 + diff --git a/meta/recipes-support/curl/curl/CVE-2026-1965-2.patch b/meta/recipes-support/curl/curl/CVE-2026-1965-2.patch new file mode 100644 index 0000000000..07dbf4e973 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2026-1965-2.patch @@ -0,0 +1,34 @@ +From f1a39f221d57354990e3eeeddc3404aede2aff70 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sat, 21 Feb 2026 18:11:41 +0100 +Subject: [PATCH] url: fix copy and paste url_match_auth_nego mistake + +Follow-up to 34fa034 +Reported-by: dahmono on github +Closes #20662 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/f1a39f221d57354990] +Backported by Ubuntu team http://archive.ubuntu.com/ubuntu/pool/main/c/curl/curl_8.5.0-2ubuntu10.8.debian.tar.xz + +CVE: CVE-2026-1965 +Signed-off-by: Vijay Anusuri +--- + lib/url.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/url.c b/lib/url.c +index 792c422..22ed0be 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1319,7 +1319,7 @@ ConnectionExists(struct Curl_easy *data, + continue; + } + #endif +- if(wantNTLMhttp || wantProxyNTLMhttp) { ++ if(wantNegohttp || wantProxyNegohttp) { + /* Credentials are already checked, we may use this connection. We MUST + * use a connection where it has already been fully negotiated. If it has + * not, we keep on looking for a better one. */ +-- +2.43.0 + diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb index 9e37684b2c..0b4c93ec66 100644 --- a/meta/recipes-support/curl/curl_8.7.1.bb +++ b/meta/recipes-support/curl/curl_8.7.1.bb @@ -32,6 +32,8 @@ SRC_URI = " \ file://CVE-2025-14819.patch \ file://CVE-2025-15079.patch \ file://CVE-2025-15224.patch \ + file://CVE-2026-1965-1.patch \ + file://CVE-2026-1965-2.patch \ " SRC_URI:append:class-nativesdk = " \ From patchwork Mon Apr 6 13:21:28 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 85327 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D2930E9D836 for ; Mon, 6 Apr 2026 13:21:56 +0000 (UTC) Received: from mail-pj1-f46.google.com (mail-pj1-f46.google.com [209.85.216.46]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.54806.1775481709240622005 for ; Mon, 06 Apr 2026 06:21:49 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=M2SRWOxY; spf=pass (domain: mvista.com, ip: 209.85.216.46, mailfrom: vanusuri@mvista.com) Received: by mail-pj1-f46.google.com with SMTP id 98e67ed59e1d1-35d8e548a05so4374355a91.1 for ; Mon, 06 Apr 2026 06:21:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1775481708; x=1776086508; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=eWYeXKuo0OXGZQsyf7T/AYaJVTmxSmI33mySe0ynpc4=; b=M2SRWOxYIM31NkXzjmnkvnJaw3hf0jNjGb0nnuqN8tjjH89kIJ7gd8hBrEd7WmhpLQ dIddKCdCrz5A86LFyKKAdBYmrxAzxt2U5WvDj0HuM1zhsFISW+tdQvSjofTzdGLfcpQ4 KMm3eMmixG+bmfc9aRQCgkg7I5grYrV85GP2Y= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1775481708; x=1776086508; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=eWYeXKuo0OXGZQsyf7T/AYaJVTmxSmI33mySe0ynpc4=; b=o13Hy8s7kbcIrSerU92i0dM8Ikh3qIadcCUFrqMGXRtqR9xVKY9lZ/uHkVJr2AnQaz V6JWUDVQSN+SF/2f6eu4xdTatjKToii8xJsZ/SzzKJt+Oli0XktfzE4TIXexg8myxTfp VJUncDav6t56wgfHOZNynrpyE+E0fAm+iC0u1TrhjLeqBaBlyFQRIWf2Ao8sa2qLTgNf 8BqI9UStXltBE7L9c5rwTWE0j/f9fNxTGoSfBExgoLRO7ayvCFOJ2B3Xmpsj0vPw9xEu 1LytyRXfFGNw5ZuXdxxc8rpEIvym/G2UdWEMAk/V2xQAk28QRM8//dE2vzmFbG/qZ4zH JWWQ== X-Gm-Message-State: AOJu0YwfGNLUJL5OUx+RnOUNwfV+liQa0S/zyEQoYBrMxgkQWAOwK+ra f1kKgOmm3c623W5Qaubgb5aTyqY+tAnjKacZoP0V7G3JkAjyTH4yjZaqPjsNww3OnfAyJ1O64vi hSPplcwc= X-Gm-Gg: AeBDieuu6fMKy+INpIqakhK+r1Me7wpJZE2B2lOEvTW6zu7eb7sFe8qS8lFvCc/+SnX Tr77kXmTJy+G63ptexAFIZTAZX4WxwT06yLR/WkphE+7SwesKlOJpzERBBB5mZY4N92qNNxsUHH SZqmNf4NpBSZc3f5Qw052EoGFk36yOSP6H25JZ9eZdEmmyTZQHc/1w//6QaLor1Y9CLTibFsOaK 6u/Yf3nf7Sxjh33lUXbfNlA3uUUIgXNbnmGjrM98uWknf+GOLHDIApFtrsStj6pcIh+8yI+X+7n X1HLP9uXqkapYrXebjZ+rHuWadP0QR4aniO+2GMxSqMhzd0IL3AAoQ3watFllGvJ9QUqikfit2Q cFteXX5zrfLPA41Vhy2hcsyauj4AwWSHfM1+hhNe5m/TKZWBfoF05B2z7xkcyo7M+EqusiE0CO8 tvPlOY8kyHpOmdZQLJxivIjpZo0ZCuj5E1/QFBbs8= X-Received: by 2002:a17:90b:38ce:b0:35d:a557:e44 with SMTP id 98e67ed59e1d1-35de678fc34mr11742564a91.6.1775481708065; Mon, 06 Apr 2026 06:21:48 -0700 (PDT) Received: from MVIN00352.mvista.com ([2401:4900:1f28:2171:fb10:85f3:b262:eebf]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-35dd35f50e9sm13848829a91.6.2026.04.06.06.21.45 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 06 Apr 2026 06:21:47 -0700 (PDT) From: Vijay Anusuri To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][scarthgap][patch 2/3] curl: patch CVE-2026-3783 Date: Mon, 6 Apr 2026 18:51:28 +0530 Message-ID: <20260406132129.440817-2-vanusuri@mvista.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260406132129.440817-1-vanusuri@mvista.com> References: <20260406132129.440817-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 06 Apr 2026 13:21:56 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/234680 pick patches from ubuntu per [1] [1] http://archive.ubuntu.com/ubuntu/pool/main/c/curl/curl_8.5.0-2ubuntu10.8.debian.tar.xz [2] https://ubuntu.com/security/CVE-2026-3783 [3] https://curl.se/docs/CVE-2026-3783.html Signed-off-by: Vijay Anusuri --- .../curl/curl/CVE-2026-3783.patch | 153 ++++++++++++++++++ meta/recipes-support/curl/curl_8.7.1.bb | 1 + 2 files changed, 154 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2026-3783.patch diff --git a/meta/recipes-support/curl/curl/CVE-2026-3783.patch b/meta/recipes-support/curl/curl/CVE-2026-3783.patch new file mode 100644 index 0000000000..609b519ddb --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2026-3783.patch @@ -0,0 +1,153 @@ +From e3d7401a32a46516c9e5ee877e613e62ed35bddc Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 6 Mar 2026 23:13:07 +0100 +Subject: [PATCH] http: only send bearer if auth is allowed + +Verify with test 2006 + +Closes #20843 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/e3d7401a32a46516c9e5ee877] +Backported by Ubuntu team http://archive.ubuntu.com/ubuntu/pool/main/c/curl/curl_8.5.0-2ubuntu10.8.debian.tar.xz + +CVE: CVE-2026-3783 +Signed-off-by: Vijay Anusuri +--- + lib/http.c | 1 + + tests/data/Makefile.inc | 2 +- + tests/data/test2006 | 98 +++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 100 insertions(+), 1 deletion(-) + create mode 100644 tests/data/test2006 + +diff --git a/lib/http.c b/lib/http.c +index a764d3c..b80bebf 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -673,6 +673,7 @@ output_auth_headers(struct Curl_easy *data, + if(authstatus->picked == CURLAUTH_BEARER) { + /* Bearer */ + if((!proxy && data->set.str[STRING_BEARER] && ++ Curl_auth_allowed_to_host(data) && + !Curl_checkheaders(data, STRCONST("Authorization")))) { + auth = "Bearer"; + result = http_output_bearer(data); +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 4c2cd52..9fb9274 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -230,7 +230,7 @@ test1941 test1942 test1943 test1944 test1945 test1946 test1947 test1948 \ + test1955 test1956 test1957 test1958 test1959 test1960 test1964 \ + test1970 test1971 test1972 test1973 test1974 test1975 \ + \ +-test2000 test2001 test2002 test2003 test2004 test2005 \ ++test2000 test2001 test2002 test2003 test2004 test2005 test2006 \ + \ + test2023 \ + test2024 test2025 test2026 test2027 test2028 test2029 test2030 test2031 \ +diff --git a/tests/data/test2006 b/tests/data/test2006 +new file mode 100644 +index 0000000..4b8b269 +--- /dev/null ++++ b/tests/data/test2006 +@@ -0,0 +1,98 @@ ++ ++ ++ ++ ++netrc ++HTTP ++ ++ ++# Server-side ++ ++ ++HTTP/1.1 301 Follow this you fool ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 6 ++Connection: close ++Location: http://b.com/%TESTNUMBER0002 ++ ++-foo- ++ ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 7 ++Connection: close ++ ++target ++ ++ ++ ++HTTP/1.1 301 Follow this you fool ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 6 ++Connection: close ++Location: http://b.com/%TESTNUMBER0002 ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 7 ++Connection: close ++ ++target ++ ++ ++ ++# Client-side ++ ++ ++http ++ ++ ++proxy ++ ++ ++.netrc default with redirect plus oauth2-bearer ++ ++ ++--netrc --netrc-file %LOGDIR/netrc%TESTNUMBER --oauth2-bearer SECRET_TOKEN -L -x http://%HOSTIP:%HTTPPORT/ http://a.com/ ++ ++ ++default login testuser password testpass ++ ++ ++ ++ ++ ++GET http://a.com/ HTTP/1.1 ++Host: a.com ++Authorization: Bearer SECRET_TOKEN ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++GET http://b.com/%TESTNUMBER0002 HTTP/1.1 ++Host: b.com ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++ ++ ++ +-- +2.43.0 + diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb index 0b4c93ec66..ff4524e1bd 100644 --- a/meta/recipes-support/curl/curl_8.7.1.bb +++ b/meta/recipes-support/curl/curl_8.7.1.bb @@ -34,6 +34,7 @@ SRC_URI = " \ file://CVE-2025-15224.patch \ file://CVE-2026-1965-1.patch \ file://CVE-2026-1965-2.patch \ + file://CVE-2026-3783.patch \ " SRC_URI:append:class-nativesdk = " \ From patchwork Mon Apr 6 13:21:29 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 85326 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D38D0E9D834 for ; Mon, 6 Apr 2026 13:21:56 +0000 (UTC) Received: from mail-pj1-f50.google.com (mail-pj1-f50.google.com [209.85.216.50]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.54744.1775481713534951941 for ; Mon, 06 Apr 2026 06:21:53 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=aG5xcN71; spf=pass (domain: mvista.com, ip: 209.85.216.50, mailfrom: vanusuri@mvista.com) Received: by mail-pj1-f50.google.com with SMTP id 98e67ed59e1d1-35da9c0c007so3679525a91.2 for ; Mon, 06 Apr 2026 06:21:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1775481712; x=1776086512; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=iCFamo/p8PyQyN/CjAf01Vmi2/FNRteDRGnF88EQD0M=; b=aG5xcN71X4xvIWk921/o4hXqnbyc4jGdngFxuQMo40cFNgeqFrCRMgJZExbnRx6bnc uZnnoGmW3T/tjptrCWxV4elb20YrF32Y6j6U24RXym+qIMAJ73lWIjVyMOnbYucwPa1h /kwsT7O/xhqWmnUfhBOulLNjl+FEGwmpOim84= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1775481712; x=1776086512; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=iCFamo/p8PyQyN/CjAf01Vmi2/FNRteDRGnF88EQD0M=; b=jWPMLRTe/nvkSQeZi+HExcKt1rtR9QiHSiQUrCoVaZ2s1/sh4442rOcwrnVZZHCyw1 aNPXbbXYrit3dnx+VIAg4IEBucmV+FNupcEq2SI2qs0ibFiqUwNruQm9ya9I4Apo2fVq NrIqrgVLYKCB4NdsGx093TWXtBfKbgYC9BztR6FhFhsFaTPbDb/dTsRFENYPri/LDOLE zI6JnPcFmZDI9MgBVDhcEoGBsVlnjfoCWqrliL2A1spxTrfSKoM14CNYazuWph1HdD8S mGgMcnX5LZnbyImxj4KB7CT5z1Qkb4PrhBtgQd7kSNnvNJa1SsUjkF/8r2CNfN0wWTT9 LK3w== X-Gm-Message-State: AOJu0YyCzkRSnXK7QEzmA6y4Go1WVuADgNZdnFi2x+dHeZKI6QSOyz4g QGAwTiBFefAWd19BV/3lbR50aYGUwECGODTQY8eQmODxP2xEfKZRLJezGwSNf0alXwP77a23eD3 Ym8xrw9M= X-Gm-Gg: AeBDiet4snmtC7qJn0aXxjtUcz1LM1v/bjKSlmCP/IbgDFiAPnyty+2h3H9cQVcTGXF qXC0YRBW1Xa5p4Henr3A6jkr2EdX8hJ85N/5wmJOGIbGgLpt1jSxhpplb+61gkkjw7fl2EjiqNJ 2R7FhZgL8rd2yPjZICJJg4zGunmdx5ADiKeiOL/CpVm9qPkStqImrFgkXZldDsweOjiqAkZNUVq tF7A9d6TwrD6LzDZgCfcxs7K7qTQKoC+pQAhQzLQLGDdvPXeLB91TQGMEvNTd5cZH7xT1XfdAdm 8yCV+JeEacdzdwwl/uj+5cK5rv1Gt5Jh3ZkhKSBN5Pyc/mOSzRpMIkPjLkCqKTpPvdaAl2pQhXM Ua/Mo45el5FQtCicRVVqR33W0V5JlfljCc4hIVnWfpGBM05ftQQTLdL+BKDfiMmEuDGn5fjLriC g8DMkmWYtsEe7kyFGBE+CFIUqNEpxCzJG6OqHbGmIUdsZqMVk5FA== X-Received: by 2002:a17:90b:134f:b0:356:2c7b:c026 with SMTP id 98e67ed59e1d1-35de691a6bamr12572945a91.23.1775481712436; Mon, 06 Apr 2026 06:21:52 -0700 (PDT) Received: from MVIN00352.mvista.com ([2401:4900:1f28:2171:fb10:85f3:b262:eebf]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-35dd35f50e9sm13848829a91.6.2026.04.06.06.21.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 06 Apr 2026 06:21:51 -0700 (PDT) From: Vijay Anusuri To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][scarthgap][patch 3/3] curl: patch CVE-2026-3784 Date: Mon, 6 Apr 2026 18:51:29 +0530 Message-ID: <20260406132129.440817-3-vanusuri@mvista.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260406132129.440817-1-vanusuri@mvista.com> References: <20260406132129.440817-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 06 Apr 2026 13:21:56 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/234681 pick patch from ubuntu per [1] [1] http://archive.ubuntu.com/ubuntu/pool/main/c/curl/curl_8.5.0-2ubuntu10.8.debian.tar.xz [2] https://ubuntu.com/security/CVE-2026-3784 [3] https://curl.se/docs/CVE-2026-3784.html Signed-off-by: Vijay Anusuri --- .../curl/curl/CVE-2026-3784.patch | 77 +++++++++++++++++++ meta/recipes-support/curl/curl_8.7.1.bb | 1 + 2 files changed, 78 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2026-3784.patch diff --git a/meta/recipes-support/curl/curl/CVE-2026-3784.patch b/meta/recipes-support/curl/curl/CVE-2026-3784.patch new file mode 100644 index 0000000000..c3bdb67247 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2026-3784.patch @@ -0,0 +1,77 @@ +From 5f13a7645e565c5c1a06f3ef86e97afb856fb364 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Fri, 6 Mar 2026 14:54:09 +0100 +Subject: [PATCH] proxy-auth: additional tests + +Also eliminate the special handling for socks proxy match. + +Closes #20837 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/5f13a7645e565c5c1a06f3] +Backported by Ubuntu team http://archive.ubuntu.com/ubuntu/pool/main/c/curl/curl_8.5.0-2ubuntu10.8.debian.tar.xz + +CVE: CVE-2026-3784 +Signed-off-by: Vijay Anusuri +--- + lib/url.c | 35 ++++++++--------------------------- + 1 file changed, 8 insertions(+), 27 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index 22ed0be..76360c8 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -703,34 +703,15 @@ proxy_info_matches(const struct proxy_info *data, + { + if((data->proxytype == needle->proxytype) && + (data->port == needle->port) && +- strcasecompare(data->host.name, needle->host.name)) +- return TRUE; ++ curl_strequal(data->host.name, needle->host.name)) { + ++ if(Curl_timestrcmp(data->user, needle->user) || ++ Curl_timestrcmp(data->passwd, needle->passwd)) ++ return FALSE; ++ return TRUE; ++ } + return FALSE; + } +- +-static bool +-socks_proxy_info_matches(const struct proxy_info *data, +- const struct proxy_info *needle) +-{ +- if(!proxy_info_matches(data, needle)) +- return FALSE; +- +- /* the user information is case-sensitive +- or at least it is not defined as case-insensitive +- see https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.1 */ +- +- /* curl_strequal does a case insensitive comparison, +- so do not use it here! */ +- if(Curl_timestrcmp(data->user, needle->user) || +- Curl_timestrcmp(data->passwd, needle->passwd)) +- return FALSE; +- return TRUE; +-} +-#else +-/* disabled, won't get called */ +-#define proxy_info_matches(x,y) FALSE +-#define socks_proxy_info_matches(x,y) FALSE + #endif + + /* A connection has to have been idle for a shorter time than 'maxage_conn' +@@ -1085,8 +1066,8 @@ ConnectionExists(struct Curl_easy *data, + continue; + + if(needle->bits.socksproxy && +- !socks_proxy_info_matches(&needle->socks_proxy, +- &check->socks_proxy)) ++ !proxy_info_matches(&needle->socks_proxy, ++ &check->socks_proxy)) + continue; + + if(needle->bits.httpproxy) { +-- +2.43.0 + diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb index ff4524e1bd..14d63d6373 100644 --- a/meta/recipes-support/curl/curl_8.7.1.bb +++ b/meta/recipes-support/curl/curl_8.7.1.bb @@ -35,6 +35,7 @@ SRC_URI = " \ file://CVE-2026-1965-1.patch \ file://CVE-2026-1965-2.patch \ file://CVE-2026-3783.patch \ + file://CVE-2026-3784.patch \ " SRC_URI:append:class-nativesdk = " \