From patchwork Mon Jun 29 10:47:51 2026
X-Patchwork-Submitter: "Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)"
X-Patchwork-Id: 91246
X-Patchwork-Delegate: yoann.congal@smile.fr
From: "Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, Anil Dongare
Subject: [OE-core] [scarthgap] [PATCH 1/7] curl: ignore CVE-2026-4873
Date: Mon, 29 Jun 2026 03:47:51 -0700
Message-ID: <20260629104801.972184-1-adongare@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239746

From: Anil Dongare

- CVE-2026-4873 affects curl before 8.20.0 when a connection negotiated with clear-text IMAP, POP3, or SMTP can later be reused for a TLS-required transfer.
- In scarthgap, these protocols are optional PACKAGECONFIG entries and are not enabled by default in `curl_8.7.1.bb`.
- Record this CVE as configuration-not-applicable for the default recipe configuration instead of carrying the upstream fix unconditionally.

Reference:
- https://curl.se/docs/CVE-2026-4873.html
- https://nvd.nist.gov/vuln/detail/CVE-2026-4873

Signed-off-by: Anil Dongare --- meta/recipes-support/curl/curl_8.7.1.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb index 14d63d6373..ad7ceceb69 100644 --- a/meta/recipes-support/curl/curl_8.7.1.bb +++ b/meta/recipes-support/curl/curl_8.7.1.bb 
@@ -51,6 +51,7 @@ CVE_STATUS[CVE-2024-32928] = "ignored: CURLOPT_SSL_VERIFYPEER was disabled on go CVE_STATUS[CVE-2025-0725] = "not-applicable-config: gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, using zlib 1.2.0.3 or older" CVE_STATUS[CVE-2025-5025] = "${@bb.utils.contains('PACKAGECONFIG', 'openssl', 'not-applicable-config: applicable only with wolfssl','unpatched',d)}" CVE_STATUS[CVE-2025-10966] = "${@bb.utils.contains('PACKAGECONFIG', 'openssl', 'not-applicable-config: applicable only with wolfssl','unpatched',d)}" +CVE_STATUS[CVE-2026-4873] = "${@bb.utils.contains_any('PACKAGECONFIG', 'imap pop3 smtp', 'unpatched', 'not-applicable-config: clear-text imap/pop3/smtp support is not enabled in PACKAGECONFIG', d)}" inherit autotools pkgconfig binconfig multilib_header ptest

From patchwork Mon Jun 29 10:47:52 2026
X-Patchwork-Submitter: "Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)"
X-Patchwork-Id: 91250
X-Patchwork-Delegate: yoann.congal@smile.fr
From: "Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, Anil Dongare
Subject: [OE-core] [scarthgap] [PATCH 2/7] curl: fix CVE-2026-5545
Date: Mon, 29 Jun 2026 03:47:52 -0700
Message-ID: <20260629104801.972184-2-adongare@cisco.com>
In-Reply-To: <20260629104801.972184-1-adongare@cisco.com>
References: <20260629104801.972184-1-adongare@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239747

From: Anil Dongare

Backport the upstream fix [1] for the Negotiate-authenticated connection reuse issue described in [2] and tracked by [3].

[1] https://github.com/curl/curl/commit/33e43985b8f3b9e66691d06e70be0395849856cd
[2] https://curl.se/docs/CVE-2026-5545.html
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-5545

Signed-off-by: Anil Dongare --- .../curl/curl/CVE-2026-5545.patch | 44 +++++++++++++++++++ meta/recipes-support/curl/curl_8.7.1.bb | 1 + 2 files changed, 45 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2026-5545.patch diff --git a/meta/recipes-support/curl/curl/CVE-2026-5545.patch b/meta/recipes-support/curl/curl/CVE-2026-5545.patch new file mode 100644 index 0000000000..34400176f0 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2026-5545.patch 
@@ -0,0 +1,44 @@ +From b98d817a2c168834747ba4721b8d66cd1e683578 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Fri, 5 Jun 2026 01:17:44 -0700 +Subject: [PATCH] url: improve connection reuse on negotiate + +Check state of negotiate to allow proper connection reuse. + +Closes #21203 + +CVE: CVE-2026-5545 +Upstream-Status: Backport [https://github.com/curl/curl/commit/33e43985b8f3b9e66691d06e70be0395849856cd] + +Backport Changes: +- curl-8.7.1 still performs the NTLM/Negotiate reuse logic inline in + ConnectionExists(), so the upstream guard was adapted there. + +(cherry picked from commit 33e43985b8f3b9e66691d06e70be0395849856cd) +Signed-off-by: Anil Dongare +--- + lib/url.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/lib/url.c b/lib/url.c +index 759a994..34a3470 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1226,8 +1226,14 @@ ConnectionExists(struct Curl_easy *data, + Curl_timestrcmp(needle->passwd, check->passwd)) { + + /* we prefer a credential match, but this is at least a connection +- that can be reused and "upgraded" to NTLM */ ++ that can be reused and "upgraded" to NTLM if it does ++ not have any auth ongoing. */ ++#ifdef USE_SPNEGO ++ if((check->http_ntlm_state == NTLMSTATE_NONE) && ++ (check->http_negotiate_state == GSS_AUTHNONE)) ++#else + if(check->http_ntlm_state == NTLMSTATE_NONE) ++#endif + chosen = check; + continue; + } +-- +2.43.7 diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb index ad7ceceb69..5d0133f605 100644 --- a/meta/recipes-support/curl/curl_8.7.1.bb +++ b/meta/recipes-support/curl/curl_8.7.1.bb 
@@ -36,6 +36,7 @@ SRC_URI = " \ file://CVE-2026-1965-2.patch \ file://CVE-2026-3783.patch \ file://CVE-2026-3784.patch \ + file://CVE-2026-5545.patch \ " SRC_URI:append:class-nativesdk = " \ 

From patchwork Mon Jun 29 10:47:53 2026
X-Patchwork-Submitter: "Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)"
X-Patchwork-Id: 91249
X-Patchwork-Delegate: yoann.congal@smile.fr
From: "Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, Anil Dongare
Subject: [OE-core] [scarthgap] [PATCH 3/7] curl: ignore CVE-2026-5773
Date: Mon, 29 Jun 2026 03:47:53 -0700
Message-ID: <20260629104801.972184-3-adongare@cisco.com>
In-Reply-To: <20260629104801.972184-1-adongare@cisco.com>
References: <20260629104801.972184-1-adongare@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239748

From: Anil Dongare

- CVE-2026-5773 affects curl before 8.20.0 when an authenticated SMB connection can be reused for a different set of credentials.
- In scarthgap, SMB support is available only as optional `PACKAGECONFIG[smb]` and is not enabled by default for target, native, or nativesdk builds.
- I also did not find any scarthgap metadata in this tree that enables SMB, so record this CVE as configuration-not-applicable instead of carrying the SMB(S) reuse fix unconditionally.

Reference:
- https://curl.se/docs/CVE-2026-5773.html
- https://nvd.nist.gov/vuln/detail/CVE-2026-5773
- https://github.com/openembedded/openembedded-core/blob/scarthgap/meta/recipes-support/curl/curl_8.7.1.bb

Signed-off-by: Anil Dongare --- meta/recipes-support/curl/curl_8.7.1.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb index 5d0133f605..705b00351f 100644 --- a/meta/recipes-support/curl/curl_8.7.1.bb +++ b/meta/recipes-support/curl/curl_8.7.1.bb 
@@ -53,6 +53,7 @@ CVE_STATUS[CVE-2025-0725] = "not-applicable-config: gzip decompression of conten CVE_STATUS[CVE-2025-5025] = "${@bb.utils.contains('PACKAGECONFIG', 'openssl', 'not-applicable-config: applicable only with wolfssl','unpatched',d)}" CVE_STATUS[CVE-2025-10966] = "${@bb.utils.contains('PACKAGECONFIG', 'openssl', 'not-applicable-config: applicable only with wolfssl','unpatched',d)}" CVE_STATUS[CVE-2026-4873] = "${@bb.utils.contains_any('PACKAGECONFIG', 'imap pop3 smtp', 'unpatched', 'not-applicable-config: clear-text imap/pop3/smtp support is not enabled in PACKAGECONFIG', d)}" +CVE_STATUS[CVE-2026-5773] = "${@bb.utils.contains('PACKAGECONFIG', 'smb', 'unpatched', 'not-applicable-config: smb support is not enabled in PACKAGECONFIG', d)}" inherit autotools pkgconfig binconfig multilib_header ptest

From patchwork Mon Jun 29 10:47:54 2026
X-Patchwork-Submitter: "Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)"
X-Patchwork-Id: 91247
X-Patchwork-Delegate: yoann.congal@smile.fr
From: "Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, Anil Dongare
Subject: [OE-core] [scarthgap] [PATCH 4/7] curl: fix CVE-2026-6253
Date: Mon, 29 Jun 2026 03:47:54 -0700
Message-ID: <20260629104801.972184-4-adongare@cisco.com>
In-Reply-To: <20260629104801.972184-1-adongare@cisco.com>
References: <20260629104801.972184-1-adongare@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239752

From: Anil Dongare

Backport the upstream fix [1] for the proxy credential leak on redirect described in [2] and tracked by [3].

[1] https://github.com/curl/curl/commit/188c2f166a20fa97c2325b2da7d0e5cecc13725f
[2] https://curl.se/docs/CVE-2026-6253.html
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-6253

Signed-off-by: Anil Dongare --- .../curl/curl/CVE-2026-6253.patch | 391 ++++++++++++++++++ meta/recipes-support/curl/curl_8.7.1.bb | 1 + 2 files changed, 392 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2026-6253.patch diff --git a/meta/recipes-support/curl/curl/CVE-2026-6253.patch b/meta/recipes-support/curl/curl/CVE-2026-6253.patch new file mode 100644 index 0000000000..3ad6186fef --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2026-6253.patch 
@@ -0,0 +1,391 @@ +From c33bf4f354de43890aa6fd9dc52872a9f799068c Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 5 Jun 2026 01:18:43 -0700 +Subject: [PATCH] http: clear the proxy credentials as well on port or scheme + change + +Add tests 2009-2011 to verify switching between proxies with credentials +when the switch is driven by a redirect + +Reported-by: Dwij Mehta + +Closes #21304 + +CVE: CVE-2026-6253 +Upstream-Status: Backport [https://github.com/curl/curl/commit/188c2f166a20fa97c2325b2da7d0e5cecc13725f] + +Backport Changes: +- curl-8.7.1 carries the redirect logic in lib/transfer.c via Curl_follow(), + so the credential reset changes were adapted there. +- The upstream Curl_reset_proxypwd() helper also includes a + CURL_DISABLE_PROXY fallback hunk; that hunk is not carried in this 8.7.1 + backport. +- curl-8.7.1 uses tests/data/Makefile.inc instead of the upstream + tests/data/Makefile.am list. + +(cherry picked from commit 188c2f166a20fa97c2325b2da7d0e5cecc13725f) +Signed-off-by: Anil Dongare +--- + lib/transfer.c | 56 ++++++++++++++++++++++++-------- + lib/transfer.h | 2 ++ + tests/data/Makefile.inc | 1 + + tests/data/test2009 | 70 ++++++++++++++++++++++++++++++++++++++++ + tests/data/test2010 | 71 +++++++++++++++++++++++++++++++++++++++++ + tests/data/test2011 | 70 ++++++++++++++++++++++++++++++++++++++++ + 6 files changed, 257 insertions(+), 13 deletions(-) + create mode 100644 tests/data/test2009 + create mode 100644 tests/data/test2010 + create mode 100644 tests/data/test2011 + +diff --git a/lib/transfer.c b/lib/transfer.c +index ccd042b..a734629 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -553,6 +553,35 @@ void Curl_init_CONNECT(struct Curl_easy *data) + data->state.upload = (data->state.httpreq == HTTPREQ_PUT); + } + ++/* ++ * Restore the user credentials to those set in options. 
++ */ ++CURLcode Curl_reset_userpwd(struct Curl_easy *data) ++{ ++ CURLcode result; ++ if(data->set.str[STRING_USERNAME] || data->set.str[STRING_PASSWORD]) ++ data->state.creds_from = CREDS_OPTION; ++ result = Curl_setstropt(&data->state.aptr.user, ++ data->set.str[STRING_USERNAME]); ++ if(!result) ++ result = Curl_setstropt(&data->state.aptr.passwd, ++ data->set.str[STRING_PASSWORD]); ++ return result; ++} ++ ++/* ++ * Restore the proxy credentials to those set in options. ++ */ ++CURLcode Curl_reset_proxypwd(struct Curl_easy *data) ++{ ++ CURLcode result = Curl_setstropt(&data->state.aptr.proxyuser, ++ data->set.str[STRING_PROXYUSERNAME]); ++ if(!result) ++ result = Curl_setstropt(&data->state.aptr.proxypasswd, ++ data->set.str[STRING_PROXYPASSWORD]); ++ return result; ++} ++ + /* + * Curl_pretransfer() is called immediately before a transfer starts, and only + * once for one transfer no matter if it has redirects or do multi-pass +@@ -700,21 +729,10 @@ CURLcode Curl_pretransfer(struct Curl_easy *data) + return CURLE_OUT_OF_MEMORY; + } + +- if(data->set.str[STRING_USERNAME] || +- data->set.str[STRING_PASSWORD]) +- data->state.creds_from = CREDS_OPTION; +- if(!result) +- result = Curl_setstropt(&data->state.aptr.user, +- data->set.str[STRING_USERNAME]); +- if(!result) +- result = Curl_setstropt(&data->state.aptr.passwd, +- data->set.str[STRING_PASSWORD]); + if(!result) +- result = Curl_setstropt(&data->state.aptr.proxyuser, +- data->set.str[STRING_PROXYUSERNAME]); ++ result = Curl_reset_userpwd(data); + if(!result) +- result = Curl_setstropt(&data->state.aptr.proxypasswd, +- data->set.str[STRING_PROXYPASSWORD]); ++ result = Curl_reset_proxypwd(data); + + data->req.headerbytecount = 0; + Curl_headers_cleanup(data); +@@ -759,6 +777,7 @@ CURLcode Curl_follow(struct Curl_easy *data, + bool disallowport = FALSE; + bool reachedmax = FALSE; + CURLUcode uc; ++ CURLcode result; + + DEBUGASSERT(type != FOLLOW_NONE); + +@@ -889,12 +908,23 @@ CURLcode Curl_follow(struct 
Curl_easy *data, + free(scheme); + } + if(clear) { ++ result = Curl_reset_userpwd(data); ++ if(result) { ++ free(newurl); ++ return result; ++ } + Curl_safefree(data->state.aptr.user); + Curl_safefree(data->state.aptr.passwd); + } + } + } + ++ result = Curl_reset_proxypwd(data); ++ if(result) { ++ free(newurl); ++ return result; ++ } ++ + if(type == FOLLOW_FAKE) { + /* we're only figuring out the new url if we would've followed locations + but now we're done so we can get out! */ +diff --git a/lib/transfer.h b/lib/transfer.h +index e65b2b1..f1a791f 100644 +--- a/lib/transfer.h ++++ b/lib/transfer.h +@@ -31,6 +31,8 @@ char *Curl_checkheaders(const struct Curl_easy *data, + + void Curl_init_CONNECT(struct Curl_easy *data); + ++CURLcode Curl_reset_userpwd(struct Curl_easy *data); ++CURLcode Curl_reset_proxypwd(struct Curl_easy *data); + CURLcode Curl_pretransfer(struct Curl_easy *data); + CURLcode Curl_posttransfer(struct Curl_easy *data); + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 9fb9274..aafd309 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -231,6 +231,7 @@ test1955 test1956 test1957 test1958 test1959 test1960 test1964 \ + test1970 test1971 test1972 test1973 test1974 test1975 \ + \ + test2000 test2001 test2002 test2003 test2004 test2005 test2006 \ ++test2009 test2010 test2011 \ + \ + test2023 \ + test2024 test2025 test2026 test2027 test2028 test2029 test2030 test2031 \ +diff --git a/tests/data/test2009 b/tests/data/test2009 +new file mode 100644 +index 0000000..d2fd79e +--- /dev/null ++++ b/tests/data/test2009 +@@ -0,0 +1,70 @@ ++ ++ ++ ++ ++HTTP ++HTTP proxy ++http_proxy ++ ++ ++# Server-side ++ ++ ++HTTP/1.1 407 Denied ++ ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 4 ++Content-Type: text/html ++Location: https://another.example/%TESTNUMBER0002 ++ ++boo ++ ++ ++ ++# Client-side ++ ++ ++proxy ++ ++ ++http ++https ++ ++ ++proxy credentials 
via env variables, redirect from http to https ++ ++ ++ ++http_proxy=http://user:secret@%HOSTIP:%HTTPPORT ++https_proxy=https://%HOSTIP:%HTTPSPORT/ ++ ++ ++http://somewhere.example/ --follow --proxy-insecure ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++ ++GET http://somewhere.example/ HTTP/1.1 ++Host: somewhere.example ++Proxy-Authorization: Basic %b64[user:secret]b64% ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++CONNECT another.example:443 HTTP/1.1 ++Host: another.example:443 ++User-Agent: curl/%VERSION ++Proxy-Connection: Keep-Alive ++ ++ ++ ++7 ++ ++ ++ +diff --git a/tests/data/test2010 b/tests/data/test2010 +new file mode 100644 +index 0000000..443ae9d +--- /dev/null ++++ b/tests/data/test2010 +@@ -0,0 +1,71 @@ ++ ++ ++ ++ ++HTTP ++HTTP proxy ++http_proxy ++ ++ ++# Server-side ++ ++ ++HTTP/1.1 407 Denied ++ ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 4 ++Content-Type: text/html ++Location: https://another.example/%TESTNUMBER0002 ++ ++boo ++ ++ ++ ++# Client-side ++ ++ ++proxy ++ ++ ++http ++https ++ ++ ++proxy credentials via options for two proxies, redirect from http to https ++ ++ ++ ++http_proxy=http://%HOSTIP:%HTTPPORT ++https_proxy=https://%HOSTIP:%HTTPSPORT/ ++ ++ ++--proxy-user batman:robin http://somewhere.example/ --follow --proxy-insecure ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++ ++GET http://somewhere.example/ HTTP/1.1 ++Host: somewhere.example ++Proxy-Authorization: Basic %b64[batman:robin]b64% ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++CONNECT another.example:443 HTTP/1.1 ++Host: another.example:443 ++Proxy-Authorization: Basic %b64[batman:robin]b64% ++User-Agent: curl/%VERSION ++Proxy-Connection: Keep-Alive ++ ++ ++ ++7 ++ ++ ++ +diff --git a/tests/data/test2011 b/tests/data/test2011 +new file mode 100644 +index 0000000..dd4e534 +--- /dev/null ++++ b/tests/data/test2011 +@@ 
-0,0 +1,70 @@ ++ ++ ++ ++ ++HTTP ++HTTP proxy ++http_proxy ++ ++ ++# Server-side ++ ++ ++HTTP/1.1 407 Denied ++ ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 4 ++Content-Type: text/html ++Location: https://another.example/%TESTNUMBER0002 ++ ++boo ++ ++ ++ ++# Client-side ++ ++ ++proxy ++ ++ ++http ++https ++ ++ ++proxy creds via env, cross-scheme redirect, --location-trusted ++ ++ ++ ++http_proxy=http://user:secret@%HOSTIP:%HTTPPORT ++https_proxy=https://%HOSTIP:%HTTPSPORT/ ++ ++ ++http://somewhere.example/ --location-trusted --proxy-insecure ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++ ++GET http://somewhere.example/ HTTP/1.1 ++Host: somewhere.example ++Proxy-Authorization: Basic %b64[user:secret]b64% ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++CONNECT another.example:443 HTTP/1.1 ++Host: another.example:443 ++User-Agent: curl/%VERSION ++Proxy-Connection: Keep-Alive ++ ++ ++ ++7 ++ ++ ++ +-- +2.43.7 diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb index 705b00351f..cead7fe6d4 100644 --- a/meta/recipes-support/curl/curl_8.7.1.bb +++ b/meta/recipes-support/curl/curl_8.7.1.bb 
@@ -37,6 +37,7 @@ SRC_URI = " \ file://CVE-2026-3783.patch \ file://CVE-2026-3784.patch \ file://CVE-2026-5545.patch \ + file://CVE-2026-6253.patch \ " SRC_URI:append:class-nativesdk = " \
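Review bot: In Curl_reset_userpwd() (lib/transfer.c, CVE-2026-6253.patch), data->state.creds_from is only written when an option username or password exists, so when neither is set both Curl_setstropt() calls receive a NULL source while creds_from keeps whatever it recorded for the previous credentials. If a NULL source clears the destination, as the "Restore the proxy credentials to those set in options" wording on the proxy twin suggests, the handle ends up with no user/passwd but a creds_from that still names their old origin. Reset creds_from in an else branch, or add a comment explaining why the stale value is safe. The assignment also happens before either copy has succeeded; moving it after the second Curl_setstropt() keeps the state consistent when the function returns an error.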
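Review bot: In the Curl_follow() hunk at @@ -889,12 +908,23 @@, the new Curl_reset_userpwd(data) call inside if(clear) is followed directly by the existing Curl_safefree(data->state.aptr.user) and Curl_safefree(data->state.aptr.passwd), so the strings it has just copied are freed two lines later and the only lasting effect is the creds_from update. The redirect can now also fail with an allocation error for copies that are never used. If the intent is only to re-mark the credential origin before clearing, say so in a comment; otherwise drop one of the two steps. It is also worth confirming that calling Curl_reset_proxypwd() ahead of the if(type == FOLLOW_FAKE) early exit is intended, since that rewrites proxy credential state even when no redirect is actually followed.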
From: "Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, Anil Dongare
Subject: [OE-core] [scarthgap] [PATCH 5/7] curl: fix CVE-2026-6276
Date: Mon, 29 Jun 2026 03:47:55 -0700
Message-ID: <20260629104801.972184-5-adongare@cisco.com>
In-Reply-To: <20260629104801.972184-1-adongare@cisco.com>
References: <20260629104801.972184-1-adongare@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239749

From: Anil Dongare

Backport the upstream fix [1] for the stale custom Host cookie leak described in [2] and tracked by [3].

[1] https://github.com/curl/curl/commit/3a19987a87f393d9394fe5acc7643f6c263c92db
[2] https://curl.se/docs/CVE-2026-6276.html
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-6276
Signed-off-by: Anil Dongare --- .../curl/curl/CVE-2026-6276.patch | 338 ++++++++++++++++++ meta/recipes-support/curl/curl_8.7.1.bb | 1 + 2 files changed, 339 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2026-6276.patch diff --git a/meta/recipes-support/curl/curl/CVE-2026-6276.patch b/meta/recipes-support/curl/curl/CVE-2026-6276.patch new file mode 100644 index 0000000000..fc4d704cd2 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2026-6276.patch 
@@ -0,0 +1,338 @@ +From 5b15ebefcadb79cfdfd9236a3915469dded3d789 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 5 Jun 2026 01:19:43 -0700 +Subject: [PATCH] urldata: move cookiehost to struct SingleRequest + +To make it scoped for the single request appropriately. + +Reported-by: Muhamad Arga Reksapati + +Verify with libtest 2504: a custom Host *disabled* on reused handle + +Closes #21312 + +CVE: CVE-2026-6276 +Upstream-Status: Backport [https://github.com/curl/curl/commit/3a19987a87f393d9394fe5acc7643f6c263c92db] + +Backport Changes: +- curl-8.7.1 still stores the custom Host cookie override in + data->state.aptr on this older tree. This backport moves that state into + struct SingleRequest in the 8.7.1 layout and wires the matching cleanup + through Curl_http_host(), Curl_req_hard_reset(), Curl_close(), and + lib/urldata.h. +- curl-8.7.1 uses tests/data/Makefile.inc and tests/libtest/Makefile.inc + instead of the upstream Automake lists touched by the original commit. + +(cherry picked from commit 3a19987a87f393d9394fe5acc7643f6c263c92db) +Signed-off-by: Anil Dongare +--- + lib/http.c | 15 +++--- + lib/request.c | 3 ++ + lib/request.h | 3 ++ + lib/url.c | 4 ++-- + lib/urldata.h | 1 - + tests/data/Makefile.inc | 2 +- + tests/data/test2504 | 52 +++++++++++++++++++++ + tests/libtest/Makefile.inc | 5 +- + tests/libtest/lib2504.c | 93 ++++++++++++++++++++++++++++++++++++++ + 9 files changed, 168 insertions(+), 10 deletions(-) + create mode 100644 tests/data/test2504 + create mode 100644 tests/libtest/lib2504.c + +diff --git a/lib/http.c b/lib/http.c +index 3ab6d21..d2de421 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -1748,6 +1748,9 @@ CURLcode Curl_http_host(struct Curl_easy *data, struct connectdata *conn) + data->state.first_remote_protocol = conn->handler->protocol; + } + Curl_safefree(aptr->host); ++#if !defined(CURL_DISABLE_COOKIES) ++ Curl_safefree(data->req.cookiehost); ++#endif + + ptr = Curl_checkheaders(data, STRCONST("Host")); + if(ptr && 
(!data->state.this_is_a_follow || +@@ -1782,8 +1785,8 @@ CURLcode Curl_http_host(struct Curl_easy *data, struct connectdata *conn) + if(colon) + *colon = 0; /* The host must not include an embedded port number */ + } +- Curl_safefree(aptr->cookiehost); +- aptr->cookiehost = cookiehost; ++ Curl_safefree(data->req.cookiehost); ++ data->req.cookiehost = cookiehost; + } + #endif + +@@ -2302,8 +2305,8 @@ CURLcode Curl_http_cookies(struct Curl_easy *data, + int count = 0; + + if(data->cookies && data->state.cookie_engine) { +- const char *host = data->state.aptr.cookiehost ? +- data->state.aptr.cookiehost : conn->host.name; ++ const char *host = data->req.cookiehost ? ++ data->req.cookiehost : conn->host.name; + const bool secure_context = + conn->handler->protocol&(CURLPROTO_HTTPS|CURLPROTO_WSS) || + strcasecompare("localhost", host) || +@@ -3121,8 +3124,8 @@ CURLcode Curl_http_header(struct Curl_easy *data, struct connectdata *conn, + if(v) { + /* If there is a custom-set Host: name, use it here, or else use + * real peer host name. */ +- const char *host = data->state.aptr.cookiehost? +- data->state.aptr.cookiehost:conn->host.name; ++ const char *host = data->req.cookiehost? ++ data->req.cookiehost:conn->host.name; + const bool secure_context = + conn->handler->protocol&(CURLPROTO_HTTPS|CURLPROTO_WSS) || + strcasecompare("localhost", host) || +diff --git a/lib/request.c b/lib/request.c +index b3b0582..9bede2e 100644 +--- a/lib/request.c ++++ b/lib/request.c +@@ -111,6 +111,9 @@ void Curl_req_hard_reset(struct SingleRequest *req, struct Curl_easy *data) + * free this safely without leaks. 
*/ + Curl_safefree(req->p.http); + Curl_safefree(req->newurl); ++#ifndef CURL_DISABLE_COOKIES ++ Curl_safefree(req->cookiehost); ++#endif + Curl_client_reset(data); + if(req->sendbuf_init) + Curl_bufq_reset(&req->sendbuf); +diff --git a/lib/request.h b/lib/request.h +index 488fbdd..17d50a3 100644 +--- a/lib/request.h ++++ b/lib/request.h +@@ -118,6 +118,9 @@ struct SingleRequest { + #ifndef CURL_DISABLE_DOH + struct dohdata *doh; /* DoH specific data for this request */ + #endif ++#ifndef CURL_DISABLE_COOKIES ++ char *cookiehost; ++#endif + #ifndef CURL_DISABLE_COOKIES + unsigned char setcookies; + #endif +diff --git a/lib/url.c b/lib/url.c +index 34a3470..d34b494 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -313,7 +313,9 @@ CURLcode Curl_close(struct Curl_easy **datap) + Curl_safefree(data->state.aptr.rangeline); + Curl_safefree(data->state.aptr.ref); + Curl_safefree(data->state.aptr.host); +- Curl_safefree(data->state.aptr.cookiehost); ++#ifndef CURL_DISABLE_COOKIES ++ Curl_safefree(data->req.cookiehost); ++#endif + Curl_safefree(data->state.aptr.rtsp_transport); + Curl_safefree(data->state.aptr.user); + Curl_safefree(data->state.aptr.passwd); +diff --git a/lib/urldata.h b/lib/urldata.h +index b68d023..4fc595a 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1339,7 +1339,6 @@ struct UrlState { + char *rangeline; + char *ref; + char *host; +- char *cookiehost; + char *rtsp_transport; + char *te; /* TE: request header */ + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index aafd309..9278dac 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -251,7 +251,7 @@ test2300 test2301 test2302 test2303 test2304 test2305 test2306 test2307 \ + \ + test2400 test2401 test2402 test2403 test2404 \ + \ +-test2500 test2501 test2502 test2503 \ ++test2500 test2501 test2502 test2503 test2504 \ + \ + test2600 test2601 test2602 test2603 \ + \ +diff --git a/tests/data/test2504 b/tests/data/test2504 +new file mode 100644 +index 0000000..8cec1c8 
+--- /dev/null ++++ b/tests/data/test2504 +@@ -0,0 +1,52 @@ ++ ++ ++ ++ ++HTTP ++cookies ++ ++ ++ ++# Server-side ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: server.example.com ++Content-Length: 47 ++Set-Cookie: sid=SECRET123; Path=/ ++ ++file contents should appear once for each file ++ ++ ++ ++# Client-side ++ ++ ++http ++ ++ ++lib%TESTNUMBER ++ ++ ++custom Host with cookie, handle reuse, no custom Host: ++ ++ ++http://%HOSTIP:%HTTPPORT ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++ ++GET / HTTP/1.1 ++Host: victim.internal ++Accept: */* ++ ++GET / HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Accept: */* ++ ++ ++ ++ +diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc +index 9f7cec6..4653d12 100644 +--- a/tests/libtest/Makefile.inc ++++ b/tests/libtest/Makefile.inc +@@ -75,7 +75,7 @@ noinst_PROGRAMS = chkhostname libauthretry libntlmconnect libprereq \ + lib1970 lib1971 lib1972 lib1973 lib1974 lib1975 \ + lib2301 lib2302 lib2304 lib2305 lib2306 \ + lib2402 lib2404 \ +- lib2502 \ ++ lib2502 lib2504 \ + lib3010 lib3025 lib3026 lib3027 \ + lib3100 lib3101 lib3102 lib3103 + +@@ -684,6 +684,9 @@ lib2404_LDADD = $(TESTUTIL_LIBS) + lib2502_SOURCES = lib2502.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) + lib2502_LDADD = $(TESTUTIL_LIBS) + ++lib2504_SOURCES = lib2504.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) ++lib2504_LDADD = $(TESTUTIL_LIBS) ++ + lib3010_SOURCES = lib3010.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) + lib3010_LDADD = $(TESTUTIL_LIBS) + +diff --git a/tests/libtest/lib2504.c b/tests/libtest/lib2504.c +new file mode 100644 +index 0000000..72b965d +--- /dev/null ++++ b/tests/libtest/lib2504.c +@@ -0,0 +1,93 @@ ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ \| | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * \___|\___/|_| \_\_____| ++ * ++ * Copyright (C) Linus Nielsen Feltzing ++ * ++ * This software is licensed as described in 
the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at https://curl.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. ++ * ++ * SPDX-License-Identifier: curl ++ * ++ ***************************************************************************/ ++#include "first.h" ++ ++#include "testtrace.h" ++ ++static size_t sink2504(char *ptr, size_t size, size_t nmemb, void *ud) ++{ ++ (void)ptr; ++ (void)ud; ++ return size * nmemb; ++} ++ ++static void dump_cookies2504(CURL *h, const char *tag) ++{ ++ struct curl_slist *cookies = NULL; ++ struct curl_slist *nc; ++ CURLcode rc = curl_easy_getinfo(h, CURLINFO_COOKIELIST, &cookies); ++ ++ curl_mprintf("== %s ==\n", tag); ++ if(rc) { ++ curl_mprintf("getinfo error: %d\n", (int)rc); ++ return; ++ } ++ for(nc = cookies; nc; nc = nc->next) ++ puts(nc->data); ++ curl_slist_free_all(cookies); ++} ++ ++static CURLcode test_lib2504(const char *URL) ++{ ++ CURL *curl; ++ CURLcode result = CURLE_OUT_OF_MEMORY; ++ struct curl_slist *hdrs = NULL; ++ ++ if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) { ++ curl_mfprintf(stderr, "curl_global_init() failed\n"); ++ return TEST_ERR_MAJOR_BAD; ++ } ++ ++ curl = curl_easy_init(); ++ if(!curl) { ++ curl_mfprintf(stderr, "curl_easy_init() failed\n"); ++ curl_global_cleanup(); ++ return TEST_ERR_MAJOR_BAD; ++ } ++ ++ hdrs = curl_slist_append(hdrs, "Host: victim.internal"); ++ if(hdrs) { ++ test_setopt(curl, CURLOPT_WRITEFUNCTION, sink2504); ++ test_setopt(curl, CURLOPT_COOKIEFILE, ""); ++ test_setopt(curl, CURLOPT_HTTPHEADER, hdrs); ++ test_setopt(curl, CURLOPT_URL, URL); ++ ++ result = curl_easy_perform(curl); ++ 
curl_mprintf("req1=%d\n", (int)result); ++ dump_cookies2504(curl, "after request 1"); ++ ++ test_setopt(curl, CURLOPT_HTTPHEADER, NULL); ++ test_setopt(curl, CURLOPT_URL, URL); ++ ++ result = curl_easy_perform(curl); ++ curl_mprintf("req2=%d\n", (int)result); ++ dump_cookies2504(curl, "after request 2"); ++ } ++test_cleanup: ++ curl_slist_free_all(hdrs); ++ curl_easy_cleanup(curl); ++ curl_global_cleanup(); ++ ++ return result; ++} +-- +2.43.7 diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb index cead7fe6d4..dc8060e480 100644 --- a/meta/recipes-support/curl/curl_8.7.1.bb +++ b/meta/recipes-support/curl/curl_8.7.1.bb 
@@ -38,6 +38,7 @@ SRC_URI = " \ file://CVE-2026-3784.patch \ file://CVE-2026-5545.patch \ file://CVE-2026-6253.patch \ + file://CVE-2026-6276.patch \ " SRC_URI:append:class-nativesdk = " \
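Review bot: In the lib/request.h hunk of CVE-2026-6276.patch, the new cookiehost member gets its own #ifndef CURL_DISABLE_COOKIES block directly above the existing identical guard around setcookies, and it carries no comment, unlike the neighbouring doh member. Fold it into the existing guard and document what it holds and when it is freed, for example that it is the custom Host: name used for cookie matching and is valid for this request only. The lib/http.c hunk at @@ -1748,6 +1748,9 @@ spells the same guard as #if !defined(CURL_DISABLE_COOKIES) while the request.c, request.h and url.c hunks use #ifndef; pick one form.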
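Review bot: In tests/libtest/lib2504.c, test_lib2504() assigns result from the first curl_easy_perform() and then overwrites it with the second, so a failure of request 1 is only printed as req1=... and the function can still return success. The test is about what the second request sends after the first one stored a cookie under the custom Host, so a failed first request makes the second one meaningless. Jump to test_cleanup when the first perform fails, or keep the two codes separate and return the first non-zero one.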
From: "Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, Anil Dongare
Subject: [OE-core] [scarthgap] [PATCH 6/7] curl: fix CVE-2026-6429
Date: Mon, 29 Jun 2026 03:47:56 -0700
Message-ID: <20260629104801.972184-6-adongare@cisco.com>
In-Reply-To: <20260629104801.972184-1-adongare@cisco.com>
References: <20260629104801.972184-1-adongare@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239750

From: Anil Dongare

Backport the upstream fix [1] for the netrc credential leak on redirect described in [2] and tracked by [3].

[1] https://github.com/curl/curl/commit/b4024bf808bd558026fdc6096e8457f199ace306
[2] https://curl.se/docs/CVE-2026-6429.html
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-6429

Signed-off-by: Anil Dongare --- .../curl/curl/CVE-2026-6429.patch | 346 ++++++++++++++++++ meta/recipes-support/curl/curl_8.7.1.bb | 1 + 2 files changed, 347 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2026-6429.patch diff --git a/meta/recipes-support/curl/curl/CVE-2026-6429.patch b/meta/recipes-support/curl/curl/CVE-2026-6429.patch new file mode 100644 index 0000000000..0953345d92 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2026-6429.patch
@@ -0,0 +1,346 @@ +From 929cc46864c5f047727a898f361d9bac86e73471 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 5 Jun 2026 01:20:50 -0700 +Subject: [PATCH] http: clear credentials better on redirect + +Verify with test 2506: netrc with redirect using proxy + +Updated test 998 which was wrong. + +Reported-by: Muhamad Arga Reksapati + +Closes #21345 + +CVE: CVE-2026-6429 +Upstream-Status: Backport [https://github.com/curl/curl/commit/b4024bf808bd558026fdc6096e8457f199ace306] + +Backport Changes: +- curl-8.7.1 carries redirect handling in lib/transfer.c via Curl_follow(), + so the same-origin credential clearing logic was adapted there. +- curl-8.7.1 uses tests/data/Makefile.inc and tests/libtest/Makefile.inc + instead of the upstream Automake lists. +- test998 is not updated in this backport because the older 8.7.1 test data + does not carry the upstream drift that motivated that hunk. + +(cherry picked from commit b4024bf808bd558026fdc6096e8457f199ace306) +Signed-off-by: Anil Dongare +--- + lib/transfer.c | 103 +++++++++++++++++++++---------------- + tests/data/Makefile.inc | 2 +- + tests/data/test2506 | 64 +++++++++++++++++++++++ + tests/libtest/Makefile.inc | 5 +- + tests/libtest/lib2506.c | 71 +++++++++++++++++++++++++ + 5 files changed, 198 insertions(+), 47 deletions(-) + create mode 100644 tests/data/test2506 + create mode 100644 tests/libtest/lib2506.c + +diff --git a/lib/transfer.c b/lib/transfer.c +index a734629..0f5bd8c 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -865,49 +865,62 @@ CURLcode Curl_follow(struct Curl_easy *data, + if(uc) + return Curl_uc_to_curlcode(uc); + +- /* Clear auth if this redirects to a different port number or protocol, +- unless permitted */ +- if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) { +- char *portnum; +- int port; +- bool clear = FALSE; +- +- if(data->set.use_port && data->state.allow_port) +- /* a custom port is used */ +- port = (int)data->set.use_port; +- else { +- uc = 
curl_url_get(data->state.uh, CURLUPART_PORT, &portnum, +- CURLU_DEFAULT_PORT); +- if(uc) { +- free(newurl); +- return Curl_uc_to_curlcode(uc); +- } +- port = atoi(portnum); +- free(portnum); +- } +- if(port != data->info.conn_remote_port) { +- infof(data, "Clear auth, redirects to port from %u to %u", +- data->info.conn_remote_port, port); +- clear = TRUE; ++ if(type != FOLLOW_FAKE) { ++ bool same_origin; ++ CURLU *u; ++ char *oldscheme = NULL; ++ char *oldhost = NULL; ++ char *oldport = NULL; ++ char *newscheme = NULL; ++ char *newhost = NULL; ++ char *newport = NULL; ++ ++ u = curl_url(); ++ if(!u) { ++ free(newurl); ++ return CURLE_OUT_OF_MEMORY; + } +- else { +- char *scheme; +- const struct Curl_handler *p; +- uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0); +- if(uc) { +- free(newurl); +- return Curl_uc_to_curlcode(uc); +- } + +- p = Curl_get_scheme_handler(scheme); +- if(p && (p->protocol != data->info.conn_protocol)) { +- infof(data, "Clear auth, redirects scheme from %s to %s", +- data->info.conn_scheme, scheme); +- clear = TRUE; +- } +- free(scheme); ++ uc = curl_url_set(u, CURLUPART_URL, data->state.url, 0); ++ if(!uc) ++ uc = curl_url_get(u, CURLUPART_SCHEME, &oldscheme, 0); ++ if(!uc) ++ uc = curl_url_get(u, CURLUPART_HOST, &oldhost, 0); ++ if(!uc) ++ uc = curl_url_get(u, CURLUPART_PORT, &oldport, CURLU_DEFAULT_PORT); ++ if(!uc) ++ uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &newscheme, 0); ++ if(!uc) ++ uc = curl_url_get(data->state.uh, CURLUPART_HOST, &newhost, 0); ++ if(!uc) ++ uc = curl_url_get(data->state.uh, CURLUPART_PORT, &newport, ++ CURLU_DEFAULT_PORT); ++ if(uc) { ++ curl_url_cleanup(u); ++ free(oldscheme); ++ free(oldhost); ++ free(oldport); ++ free(newscheme); ++ free(newhost); ++ free(newport); ++ free(newurl); ++ return Curl_uc_to_curlcode(uc); + } +- if(clear) { ++ ++ same_origin = strcasecompare(oldscheme, newscheme) && ++ strcasecompare(oldhost, newhost) && ++ !strcmp(oldport, newport); ++ ++ 
curl_url_cleanup(u); ++ free(oldscheme); ++ free(oldhost); ++ free(oldport); ++ free(newscheme); ++ free(newhost); ++ free(newport); ++ ++ if((!same_origin && !data->set.allow_auth_to_other_hosts) || ++ !data->set.str[STRING_USERNAME]) { + result = Curl_reset_userpwd(data); + if(result) { + free(newurl); +@@ -917,12 +930,12 @@ CURLcode Curl_follow(struct Curl_easy *data, + Curl_safefree(data->state.aptr.passwd); + } + } +- } + +- result = Curl_reset_proxypwd(data); +- if(result) { +- free(newurl); +- return result; ++ result = Curl_reset_proxypwd(data); ++ if(result) { ++ free(newurl); ++ return result; ++ } + } + + if(type == FOLLOW_FAKE) { +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 9278dac..136b961 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -251,7 +251,7 @@ test2300 test2301 test2302 test2303 test2304 test2305 test2306 test2307 \ + \ + test2400 test2401 test2402 test2403 test2404 \ + \ +-test2500 test2501 test2502 test2503 test2504 \ ++test2500 test2501 test2502 test2503 test2504 test2506 \ + \ + test2600 test2601 test2602 test2603 \ + \ +diff --git a/tests/data/test2506 b/tests/data/test2506 +new file mode 100644 +index 0000000..9c65002 +--- /dev/null ++++ b/tests/data/test2506 +@@ -0,0 +1,64 @@ ++ ++ ++ ++ ++HTTP ++cookies ++ ++ ++ ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Content-Length: 3 ++Location: http://numbertwo.example/%TESTNUMBER0002 ++ ++ok ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Content-Length: 4 ++ ++yes ++ ++ ++ ++ ++ ++http ++ ++ ++proxy ++ ++ ++lib%TESTNUMBER ++ ++ ++netrc with redirect using proxy ++ ++ ++machine site.example login batman password robin ++ ++ ++http://%HOSTIP:%HTTPPORT http://site.example/ %LOGDIR/netrc2506 ++ ++ ++ ++ ++ ++GET http://site.example/ HTTP/1.1 ++Host: site.example ++Authorization: Basic %b64[batman:robin]b64% ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++GET http://numbertwo.example/25060002 HTTP/1.1 
++Host: numbertwo.example ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++ ++ ++ +diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc +index 4653d12..0f140eb 100644 +--- a/tests/libtest/Makefile.inc ++++ b/tests/libtest/Makefile.inc +@@ -75,7 +75,7 @@ noinst_PROGRAMS = chkhostname libauthretry libntlmconnect libprereq \ + lib1970 lib1971 lib1972 lib1973 lib1974 lib1975 \ + lib2301 lib2302 lib2304 lib2305 lib2306 \ + lib2402 lib2404 \ +- lib2502 lib2504 \ ++ lib2502 lib2504 lib2506 \ + lib3010 lib3025 lib3026 lib3027 \ + lib3100 lib3101 lib3102 lib3103 + +@@ -687,6 +687,9 @@ lib2502_LDADD = $(TESTUTIL_LIBS) + lib2504_SOURCES = lib2504.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) + lib2504_LDADD = $(TESTUTIL_LIBS) + ++lib2506_SOURCES = lib2506.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) ++lib2506_LDADD = $(TESTUTIL_LIBS) ++ + lib3010_SOURCES = lib3010.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) + lib3010_LDADD = $(TESTUTIL_LIBS) + +diff --git a/tests/libtest/lib2506.c b/tests/libtest/lib2506.c +new file mode 100644 +index 0000000..8b3b342 +--- /dev/null ++++ b/tests/libtest/lib2506.c +@@ -0,0 +1,71 @@ ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ \| | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * \___|\___/|_| \_\_____| ++ * ++ * Copyright (C) Linus Nielsen Feltzing ++ * ++ * This software is licensed as described in the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at https://curl.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. 
++ * ++ * SPDX-License-Identifier: curl ++ * ++ ***************************************************************************/ ++#include "first.h" ++ ++#include "testtrace.h" ++ ++static size_t sink2506(char *ptr, size_t size, size_t nmemb, void *ud) ++{ ++ (void)ptr; ++ (void)ud; ++ return size * nmemb; ++} ++ ++static CURLcode test_lib2506(const char *URL) ++{ ++ CURL *curl; ++ CURLcode result = CURLE_OUT_OF_MEMORY; ++ ++ if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) { ++ curl_mfprintf(stderr, "curl_global_init() failed\n"); ++ return TEST_ERR_MAJOR_BAD; ++ } ++ ++ curl = curl_easy_init(); ++ if(!curl) { ++ curl_mfprintf(stderr, "curl_easy_init() failed\n"); ++ curl_global_cleanup(); ++ return TEST_ERR_MAJOR_BAD; ++ } ++ ++ test_setopt(curl, CURLOPT_WRITEFUNCTION, sink2506); ++ test_setopt(curl, CURLOPT_PROXY, URL); ++ test_setopt(curl, CURLOPT_URL, libtest_arg2); ++ test_setopt(curl, CURLOPT_NETRC, CURL_NETRC_OPTIONAL); ++ test_setopt(curl, CURLOPT_NETRC_FILE, libtest_arg3); ++ test_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L); ++ test_setopt(curl, CURLOPT_VERBOSE, 1L); ++ ++ /* CURLOPT_UNRESTRICTED_AUTH should not make a difference because the ++ credentials come from netrc */ ++ test_setopt(curl, CURLOPT_UNRESTRICTED_AUTH, 1L); ++ ++ result = curl_easy_perform(curl); ++ ++test_cleanup: ++ curl_easy_cleanup(curl); ++ curl_global_cleanup(); ++ ++ return result; ++} +-- +2.43.7 diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb index dc8060e480..c338a532f9 100644 --- a/meta/recipes-support/curl/curl_8.7.1.bb +++ b/meta/recipes-support/curl/curl_8.7.1.bb 
@@ -39,6 +39,7 @@ SRC_URI = " \ file://CVE-2026-5545.patch \ file://CVE-2026-6253.patch \ file://CVE-2026-6276.patch \ + file://CVE-2026-6429.patch \ " SRC_URI:append:class-nativesdk = " \ From patchwork Mon Jun 29 10:47:57 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 91248 X-Patchwork-Delegate: yoann.congal@smile.fr Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D389EC43602 for ; Mon, 29 Jun 2026 10:48:22 +0000 (UTC) Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.34945.1782730092615112411 for ; Mon, 29 Jun 2026 03:48:13 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=ASt7JIeF; spf=pass (domain: cisco.com, ip: 173.37.86.72, mailfrom: adongare@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=13154; q=dns/txt; s=iport01; t=1782730092; x=1783939692; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=7zQom62drWAWsHbbsI93zUUjCi3iNWfmeFNy0Zq9qhY=; b=ASt7JIeFePv2TvQ58XWJvo/T+o7cLgypgM3VUWKIIATr3+wYZNFLa+HC XE0lfqBgoCRDSA3YAEIamN3NxgbcjscUjnb+/XTT9ggV8ncTjLsAExVSC mivx8+medLVnTzfUgx9e7lI0y8vz/fDkwx/V3+EhyOvPvuj17Mug444KW pIcnUEu94Gb2Fli9Ql8jJWVlncVkdJxxe0rh1WxvH0RGLm4I/11wfW0G9 J3iza8yfu4RHprpsYsKmA+Z+kPgKm0LSahtKwxgX74xJ/7CHR71WMpNYM t0qxVyXpPfzj/CVvJxAP0AP/6cqPO5l4XfSGxh0oyhGKqPEyh7LBdzS1I w==; X-CSE-ConnectionGUID: RCBODbxNRn2XtFPpDP+RuQ== X-CSE-MsgGUID: 7Oc1xJBgS/+JP9VfWhEUaQ== X-IPAS-Result: 
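Review bot: In the Curl_follow() hunk of CVE-2026-6429.patch, the call to Curl_reset_proxypwd() now sits one brace level deeper than before (the closing `}` that used to precede it is removed and a new one is added after its error check), so it no longer runs on paths that do not enter that block. Together with the new `|| !data->set.str[STRING_USERNAME]` arm on the condition above it, the cases in which user and proxy credentials are reset on a redirect are not obvious from the code. Please add a comment that states the intended cases (cross-origin without allow_auth_to_other_hosts, and no username set through the options, as with netrc) and confirm the nesting matches the upstream commit after the rebase onto 8.7.1.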
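Review bot: In tests/data/test2506 the keyword lines at the top read `HTTP` and `cookies`, but the test name is "netrc with redirect using proxy" and none of the expected requests involve cookies. Keywords are used to select tests, so ones that name netrc and proxy would describe this case better; if the list is inherited unchanged from upstream, say so in the backport notes.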
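Review bot: In tests/libtest/lib2506.c the entry point is `static CURLcode test_lib2506(const char *URL)` and the file includes "first.h" and "testtrace.h", while the tests/libtest/Makefile.inc hunk builds lib2506 as its own program from `lib2506.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)`. A static function cannot be called from another object file, so unless the 8.7.1 harness pulls the test source into the same translation unit this does not produce a working test. Please confirm the test builds and runs on 8.7.1, or adapt the entry point and includes to that tree's convention. Nothing from testtrace.h is used in the visible code, so that include can be dropped.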
X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.24,231,1774310400"; d="scan'208";a="501647521" Received: from rcdn-l-core-08.cisco.com ([173.37.255.145]) by rcdn-iport-1.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 29 Jun 2026 10:48:12 +0000 Received: from sjc-ads-3691.cisco.com (sjc-ads-3691.cisco.com [171.68.250.138]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-08.cisco.com (Postfix) with ESMTPS id 0E0AF1800058B; Mon, 29 Jun 2026 10:48:12 +0000 (GMT) Received: by sjc-ads-3691.cisco.com (Postfix, from
userid 1870532) id 5B185CC124B; Mon, 29 Jun 2026 03:48:11 -0700 (PDT) From: "Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Cc: xe-linux-external@cisco.com, Anil Dongare Subject: [OE-core] [scarthgap] [PATCH 7/7] curl: fix CVE-2026-7168 Date: Mon, 29 Jun 2026 03:47:57 -0700 Message-ID: <20260629104801.972184-7-adongare@cisco.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: <20260629104801.972184-1-adongare@cisco.com> References: <20260629104801.972184-1-adongare@cisco.com> MIME-Version: 1.0 X-Auto-Response-Suppress: DR, OOF, AutoReply X-Outbound-Client-TLS: VERIFIED;sjc-ads-3691.cisco.com [171.68.250.138];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 171.68.250.138, sjc-ads-3691.cisco.com X-Outbound-Node: rcdn-l-core-08.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 29 Jun 2026 10:48:22 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239751 From: Anil Dongare Backport the upstream fix [1] for proxy Digest state reuse across proxy switches described in [2] and tracked by [3]. [1] https://github.com/curl/curl/commit/c1cfdf59acbaf9504c4578d4cf56cdd7c8594507 [2] https://curl.se/docs/CVE-2026-7168.html [3] https://nvd.nist.gov/vuln/detail/CVE-2026-7168 Signed-off-by: Anil Dongare --- .../curl/curl/CVE-2026-7168.patch | 389 ++++++++++++++++++ meta/recipes-support/curl/curl_8.7.1.bb | 1 + 2 files changed, 390 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2026-7168.patch diff --git a/meta/recipes-support/curl/curl/CVE-2026-7168.patch b/meta/recipes-support/curl/curl/CVE-2026-7168.patch new file mode 100644 index 0000000000..b3fd04a5c8 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2026-7168.patch 
@@ -0,0 +1,389 @@ +From 955e8ba9821afde4a7ac22caef794dfffe5b4b5f Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 5 Jun 2026 01:22:37 -0700 +Subject: [PATCH] setopt: clear proxy auth properties when switching + +Verify with test 1588 + +Closes #21453 + +CVE: CVE-2026-7168 +Upstream-Status: Backport [https://github.com/curl/curl/commit/c1cfdf59acbaf9504c4578d4cf56cdd7c8594507] + +Backport Changes: +- curl-8.7.1 does not expose Curl_auth_digest_cleanup() to setopt.c in the + same way as the newer upstream tree. This backport therefore adds the + vauth/vauth.h include and the CURL_DISABLE_DIGEST_AUTH fallback macro in + lib/vauth/vauth.h before reusing the upstream setproxy() cleanup logic. +- curl-8.7.1 uses tests/data/Makefile.inc and tests/libtest/Makefile.inc + instead of the upstream Automake lists. + +(cherry picked from commit c1cfdf59acbaf9504c4578d4cf56cdd7c8594507) +Signed-off-by: Anil Dongare +--- + lib/setopt.c | 17 ++++- + lib/vauth/vauth.h | 2 + + tests/data/Makefile.inc | 1 + + tests/data/test1588 | 105 ++++++++++++++++++++++++++ + tests/libtest/Makefile.inc | 5 +- + tests/libtest/lib1588.c | 147 +++++++++++++++++++++++++++++++++++++ + 6 files changed, 274 insertions(+), 3 deletions(-) + create mode 100644 tests/data/test1588 + create mode 100644 tests/libtest/lib1588.c + +diff --git a/lib/setopt.c b/lib/setopt.c +index 8a5a5d7..3de3047 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -51,6 +51,7 @@ + #include "altsvc.h" + #include "hsts.h" + #include "tftp.h" ++#include "vauth/vauth.h" + #include "strdup.h" + /* The last 3 #include files should be in this order */ + #include "curl_printf.h" +@@ -76,6 +77,19 @@ CURLcode Curl_setstropt(char **charp, const char *s) + return CURLE_OK; + } + ++#ifndef CURL_DISABLE_PROXY ++static CURLcode setproxy(struct Curl_easy *data, const char *proxy) ++{ ++ if((data->set.str[STRING_PROXY] && proxy) && ++ !strcmp(data->set.str[STRING_PROXY], proxy)) ++ return CURLE_OK; ++ ++ 
Curl_auth_digest_cleanup(&data->state.proxydigest); ++ memset(&data->state.authproxy, 0, sizeof(data->state.authproxy)); ++ return Curl_setstropt(&data->set.str[STRING_PROXY], proxy); ++} ++#endif ++ + CURLcode Curl_setblobopt(struct curl_blob **blobp, + const struct curl_blob *blob) + { +@@ -1139,8 +1153,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + * Setting it to NULL, means no proxy but allows the environment variables + * to decide for us (if CURLOPT_SOCKS_PROXY setting it to NULL). + */ +- result = Curl_setstropt(&data->set.str[STRING_PROXY], +- va_arg(param, char *)); ++ result = setproxy(data, va_arg(param, char *)); + break; + + case CURLOPT_PRE_PROXY: +diff --git a/lib/vauth/vauth.h b/lib/vauth/vauth.h +index 9da0540..bf5c7a3 100644 +--- a/lib/vauth/vauth.h ++++ b/lib/vauth/vauth.h +@@ -119,6 +119,8 @@ CURLcode Curl_auth_create_digest_http_message(struct Curl_easy *data, + + /* This is used to clean up the digest specific data */ + void Curl_auth_digest_cleanup(struct digestdata *digest); ++#else ++#define Curl_auth_digest_cleanup(x) + #endif /* !CURL_DISABLE_DIGEST_AUTH */ + + #ifdef USE_GSASL +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 136b961..aff6a01 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -200,6 +200,7 @@ test1540 test1541 test1542 test1543 test1544 test1545 \ + test1550 test1551 test1552 test1553 test1554 test1555 test1556 test1557 \ + test1558 test1559 test1560 test1561 test1562 test1563 test1564 test1565 \ + test1566 test1567 test1568 test1569 test1570 \ ++test1588 \ + \ + test1590 test1591 test1592 test1593 test1594 test1595 test1596 test1597 \ + test1598 \ +diff --git a/tests/data/test1588 b/tests/data/test1588 +new file mode 100644 +index 0000000..0199fa8 +--- /dev/null ++++ b/tests/data/test1588 +@@ -0,0 +1,105 @@ ++ ++ ++ ++ ++HTTP ++HTTP GET ++HTTP proxy ++HTTP proxy Digest auth ++multi ++ ++ ++ ++# Server-side ++ ++ ++# this is returned 
first since we get no proxy-auth ++ ++HTTP/1.1 407 Authorization Required to proxy me my dear ++Proxy-Authenticate: Digest realm="weirdorealm", nonce="12345" ++Content-Length: 33 ++ ++And you should ignore this data. ++ ++ ++# then this is returned when we get proxy-auth ++ ++HTTP/1.1 200 OK ++Content-Length: 21 ++Server: no ++ ++Nice proxy auth sir! ++ ++ ++ ++HTTP/1.1 407 Authorization Required to proxy me my dear ++Proxy-Authenticate: Digest realm="weirdorealm", nonce="12345" ++Content-Length: 33 ++ ++HTTP/1.1 200 OK ++Content-Length: 21 ++Server: no ++ ++Nice proxy auth sir! ++HTTP/1.1 407 Authorization Required to proxy me my dear ++Proxy-Authenticate: Digest realm="weirdorealm", nonce="12345" ++Content-Length: 33 ++ ++HTTP/1.1 200 OK ++Content-Length: 21 ++Server: no ++ ++Nice proxy auth sir! ++ ++ ++ ++# Client-side ++ ++ ++http ++ ++ ++lib%TESTNUMBER ++ ++ ++!SSPI ++crypto ++proxy ++digest ++ ++ ++HTTP proxy auth Digest, then change proxy and do it again ++ ++ ++http://test.remote.example.com/path/%TESTNUMBER %HOSTIP %HTTPPORT silly:person custom.set.host.name ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++ ++GET http://test.remote.example.com/path/1588 HTTP/1.1 ++Host: test.remote.example.com ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++GET http://test.remote.example.com/path/1588 HTTP/1.1 ++Host: test.remote.example.com ++Proxy-Authorization: Digest username="silly", realm="weirdorealm", nonce="12345", uri="/path/1588", response="d0b2f000c7e3fca24452b5810713404a" ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++GET http://test.remote.example.com/path/1588 HTTP/1.1 ++Host: test.remote.example.com ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++GET http://test.remote.example.com/path/1588 HTTP/1.1 ++Host: test.remote.example.com ++Proxy-Authorization: Digest username="silly", realm="weirdorealm", nonce="12345", uri="/path/1588", response="d0b2f000c7e3fca24452b5810713404a" ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++ ++ ++ +diff 
--git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc +index 0f140eb..21f3c44 100644 +--- a/tests/libtest/Makefile.inc ++++ b/tests/libtest/Makefile.inc +@@ -62,7 +62,7 @@ noinst_PROGRAMS = chkhostname libauthretry libntlmconnect libprereq \ + lib1540 lib1541 lib1542 lib1543 lib1545 \ + lib1550 lib1551 lib1552 lib1553 lib1554 lib1555 lib1556 lib1557 \ + lib1558 lib1559 lib1560 lib1564 lib1565 lib1567 lib1568 lib1569 \ +- lib1591 lib1592 lib1593 lib1594 lib1596 lib1597 lib1598 \ ++ lib1588 lib1591 lib1592 lib1593 lib1594 lib1596 lib1597 lib1598 \ + \ + lib1662 \ + \ +@@ -690,6 +690,9 @@ lib2504_LDADD = $(TESTUTIL_LIBS) + lib2506_SOURCES = lib2506.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) + lib2506_LDADD = $(TESTUTIL_LIBS) + ++lib1588_SOURCES = lib1588.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) ++lib1588_LDADD = $(TESTUTIL_LIBS) ++ + lib3010_SOURCES = lib3010.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) + lib3010_LDADD = $(TESTUTIL_LIBS) + +diff --git a/tests/libtest/lib1588.c b/tests/libtest/lib1588.c +new file mode 100644 +index 0000000..46d6a83 +--- /dev/null ++++ b/tests/libtest/lib1588.c +@@ -0,0 +1,147 @@ ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ \| | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * \___|\___/|_| \_\_____| ++ * ++ * Copyright (C) Daniel Stenberg, , et al. ++ * ++ * This software is licensed as described in the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at https://curl.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. 
++ * ++ * SPDX-License-Identifier: curl ++ * ++ ***************************************************************************/ ++/* ++ * argv1 = URL ++ * argv2 = proxy host ++ * argv3 = proxy port ++ * argv4 = proxyuser:password ++ */ ++ ++#include "first.h" ++ ++static CURLcode init1588(CURL *curl, const char *url, ++ const char *userpwd, const char *proxy) ++{ ++ CURLcode result = CURLE_OK; ++ ++ res_easy_setopt(curl, CURLOPT_URL, url); ++ if(result) ++ goto init_failed; ++ ++ res_easy_setopt(curl, CURLOPT_PROXY, proxy); ++ if(result) ++ goto init_failed; ++ ++ res_easy_setopt(curl, CURLOPT_PROXYUSERPWD, userpwd); ++ if(result) ++ goto init_failed; ++ ++ res_easy_setopt(curl, CURLOPT_PROXYAUTH, CURLAUTH_DIGEST); ++ if(result) ++ goto init_failed; ++ ++ res_easy_setopt(curl, CURLOPT_VERBOSE, 1L); ++ if(result) ++ goto init_failed; ++#if 0 ++ res_easy_setopt(curl, CURLOPT_HTTPPROXYTUNNEL, 1L); ++ if(result) ++ goto init_failed; ++#endif ++ ++ res_easy_setopt(curl, CURLOPT_HEADER, 1L); ++ if(result) ++ goto init_failed; ++ ++ return CURLE_OK; /* success */ ++ ++init_failed: ++ return result; /* failure */ ++} ++ ++static CURLcode run1588(CURL *curl, const char *url, const char *userpwd, ++ const char *proxy) ++{ ++ CURLcode result = CURLE_OK; ++ ++ result = init1588(curl, url, userpwd, proxy); ++ if(result) ++ return result; ++ ++ return curl_easy_perform(curl); ++} ++ ++static CURLcode test_lib1588(const char *URL) ++{ ++ CURLcode result = CURLE_OK; ++ CURL *curl = NULL; ++ const char *proxyuserpws = libtest_arg4; ++ struct curl_slist *host = NULL; ++ struct curl_slist *host2 = NULL; ++ char proxy1_resolve[128]; ++ char proxy2_resolve[128]; ++ char proxy1_connect[128]; ++ char proxy2_connect[128]; ++ ++ if(test_argc < 3) ++ return TEST_ERR_MAJOR_BAD; ++ ++ curl_msnprintf(proxy1_resolve, sizeof(proxy1_resolve), ++ "firstproxy:%s:%s", libtest_arg3, libtest_arg2); ++ curl_msnprintf(proxy2_resolve, sizeof(proxy2_resolve), ++ "secondproxy:%s:%s", libtest_arg3, 
libtest_arg2); ++ ++ /* we connect to the fake host name but the right port number */ ++ curl_msnprintf(proxy1_connect, sizeof(proxy1_connect), ++ "firstproxy:%s", libtest_arg3); ++ curl_msnprintf(proxy2_connect, sizeof(proxy2_connect), ++ "secondproxy:%s", libtest_arg3); ++ ++ res_global_init(CURL_GLOBAL_ALL); ++ if(result) ++ return result; ++ ++ curl = curl_easy_init(); ++ if(!curl) { ++ curl_mfprintf(stderr, "curl_easy_init() failed\n"); ++ curl_global_cleanup(); ++ return TEST_ERR_MAJOR_BAD; ++ } ++ ++ host = curl_slist_append(NULL, proxy1_resolve); ++ if(!host) ++ goto test_cleanup; ++ host2 = curl_slist_append(host, proxy2_resolve); ++ if(!host2) ++ goto test_cleanup; ++ host = host2; ++ ++ start_test_timing(); ++ ++ easy_setopt(curl, CURLOPT_RESOLVE, host); ++ ++ result = run1588(curl, URL, proxyuserpws, proxy1_connect); ++ if(result) ++ goto test_cleanup; ++ ++ curl_mfprintf(stderr, "lib1588: now we do the request again\n"); ++ ++ result = run1588(curl, URL, proxyuserpws, proxy2_connect); ++ ++test_cleanup: ++ curl_easy_cleanup(curl); ++ curl_global_cleanup(); ++ curl_slist_free_all(host); ++ return result; ++} +-- +2.43.7 diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb index c338a532f9..c2c2b6bfc6 100644 --- a/meta/recipes-support/curl/curl_8.7.1.bb +++ b/meta/recipes-support/curl/curl_8.7.1.bb @@ -40,6 +40,7 @@ SRC_URI = " \ file://CVE-2026-6253.patch \ file://CVE-2026-6276.patch \ file://CVE-2026-6429.patch \ + file://CVE-2026-7168.patch \ " SRC_URI:append:class-nativesdk = " \
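Review bot: In the lib/setopt.c hunk, setproxy() is defined only under `#ifndef CURL_DISABLE_PROXY`, but the call site `result = setproxy(data, va_arg(param, char *));` in the CURLOPT_PROXY case shows no guard in the visible context. Please confirm that case is compiled out together with the helper, otherwise a proxy-disabled build will not compile. A short comment above the memset() of data->state.authproxy saying that it drops the auth negotiation state tied to the previous proxy would help, as would a note that the exact strcmp() treats any textual change of the proxy string as a new proxy and clears the state, which is the safe direction.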
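Review bot: In the lib/vauth/vauth.h hunk, the fallback `#define Curl_auth_digest_cleanup(x)` expands to nothing, so the call in setproxy() becomes a bare `;` and its argument is never evaluated when CURL_DISABLE_DIGEST_AUTH is defined. That compiles, but an empty statement can trip strict warning settings; `do {} while(0)` as the expansion is the more robust form. Since the commit message describes this macro and the new include as specific to the backport, please build once with Digest disabled to show the two work together.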
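Review bot: In tests/libtest/lib1588.c the guard `if(test_argc < 3)` does not cover everything the function reads: the header comment documents argv1 to argv4, and `proxyuserpws` is taken from libtest_arg4. Raise the guard to match the documented arguments, and either document or drop the fifth value, `custom.set.host.name`, that the test1588 command line passes and this file never uses. On the two curl_slist_append() failure paths `result` is still CURLE_OK at `goto test_cleanup`, so an allocation failure is reported as success; set an error code before the jump. The entry point is also `static` and depends on "first.h" while Makefile.inc builds lib1588 as a separate program, so please confirm the test builds and runs in the 8.7.1 harness.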