From patchwork Mon Jun 29 13:14:45 2026
X-Patchwork-Submitter: "Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)"
X-Patchwork-Id: 91277
From: "Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, Anil Dongare
Subject: [OE-core] [wrynose] [PATCH 1/6] curl: ignore CVE-2026-4873
Date: Mon, 29 Jun 2026 06:14:45 -0700
Message-ID: <20260629131453.1077612-1-adongare@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239777

From: Anil Dongare

- CVE-2026-4873 affects curl before 8.20.0 when a connection negotiated with clear-text IMAP, POP3, or SMTP can later be reused for a TLS-required transfer.
- In wrynose, these protocols are optional PACKAGECONFIG entries and are not enabled by default in curl_8.19.0.bb, so record this CVE as configuration-not-applicable for the default recipe configuration.

Reference:
- https://curl.se/docs/CVE-2026-4873.html
- https://nvd.nist.gov/vuln/detail/CVE-2026-4873

Signed-off-by: Anil Dongare --- meta/recipes-support/curl/curl_8.19.0.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-support/curl/curl_8.19.0.bb b/meta/recipes-support/curl/curl_8.19.0.bb index d58b774011..41e6888977 100644 --- a/meta/recipes-support/curl/curl_8.19.0.bb +++ b/meta/recipes-support/curl/curl_8.19.0.bb 
@@ -27,6 +27,7 @@ SRC_URI[sha256sum] = "4eb41489790d19e190d7ac7e18e82857cdd68af8f4e66b292ced562d33 # Curl has used many names over the years... CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl" CVE_STATUS[CVE-2024-32928] = "ignored: CURLOPT_SSL_VERIFYPEER was disabled on google cloud services causing a potential man in the middle attack" +CVE_STATUS[CVE-2026-4873] = "${@bb.utils.contains_any('PACKAGECONFIG', 'imap pop3 smtp', 'unpatched', 'not-applicable-config: clear-text imap/pop3/smtp support is not enabled in PACKAGECONFIG', d)}" inherit autotools pkgconfig binconfig multilib_header ptest
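
Review bot: the new CVE_STATUS[CVE-2026-4873] line yields not-applicable-config only when none of imap, pop3 or smtp is in PACKAGECONFIG; with any of them enabled it evaluates to 'unpatched', which does not match the "ignore" in the subject. Please reword the subject to say the CVE is marked not applicable for the default configuration, and state in the commit message whether a backport of the upstream fix is planned for builds that enable these protocols, since this change leaves them reported as unpatched.
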
From patchwork Mon Jun 29 13:14:46 2026
X-Patchwork-Submitter: "Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)"
X-Patchwork-Id: 91276
From: "Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, Anil Dongare
Subject: [OE-core] [wrynose] [PATCH 2/6] curl: fix CVE-2026-5545
Date: Mon, 29 Jun 2026 06:14:46 -0700
Message-ID: <20260629131453.1077612-2-adongare@cisco.com>
In-Reply-To: <20260629131453.1077612-1-adongare@cisco.com>
References: <20260629131453.1077612-1-adongare@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239778

From: Anil Dongare

Backport the upstream fix [1] for the Negotiate-authenticated connection reuse issue described in [2] and tracked by [3].

[1] https://github.com/curl/curl/commit/33e43985b8f3b9e66691d06e70be0395849856cd
[2] https://curl.se/docs/CVE-2026-5545.html
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-5545

Signed-off-by: Anil Dongare --- .../curl/curl/CVE-2026-5545.patch | 46 +++++++++++++++++++ meta/recipes-support/curl/curl_8.19.0.bb | 1 + 2 files changed, 47 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2026-5545.patch diff --git a/meta/recipes-support/curl/curl/CVE-2026-5545.patch b/meta/recipes-support/curl/curl/CVE-2026-5545.patch new file mode 100644 index 0000000000..86a63c6738 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2026-5545.patch 
@@ -0,0 +1,46 @@ +From 33e43985b8f3b9e66691d06e70be0395849856cd Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Thu, 2 Apr 2026 11:33:39 +0200 +Subject: [PATCH] url: improve connection reuse on negotiate + +Check state of negotiate to allow proper connection reuse. + +Closes #21203 + +CVE: CVE-2026-5545 +Upstream-Status: Backport [https://github.com/curl/curl/commit/33e43985b8f3b9e66691d06e70be0395849856cd] + +(cherry picked from commit 33e43985b8f3b9e66691d06e70be0395849856cd) +Signed-off-by: Anil Dongare +--- + lib/url.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index b9e308a..7c24f1a 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1110,11 +1110,17 @@ static bool url_match_auth_ntlm(struct connectdata *conn, + if(m->want_ntlm_http) { + if(Curl_timestrcmp(m->needle->user, conn->user) || + Curl_timestrcmp(m->needle->passwd, conn->passwd)) { +- + /* we prefer a credential match, but this is at least a connection +- that can be reused and "upgraded" to NTLM */ +- if(conn->http_ntlm_state == NTLMSTATE_NONE) ++ that can be reused and "upgraded" to NTLM if it does ++ not have any auth ongoing. */ ++#ifdef USE_SPNEGO ++ if((conn->http_ntlm_state == NTLMSTATE_NONE) ++ && (conn->http_negotiate_state == GSS_AUTHNONE)) { ++#else ++ if(conn->http_ntlm_state == NTLMSTATE_NONE) { ++#endif + m->found = conn; ++ } + return FALSE; + } + } +-- +2.43.7 + diff --git a/meta/recipes-support/curl/curl_8.19.0.bb b/meta/recipes-support/curl/curl_8.19.0.bb index 41e6888977..2b1bc40e37 100644 --- a/meta/recipes-support/curl/curl_8.19.0.bb +++ b/meta/recipes-support/curl/curl_8.19.0.bb 
@@ -15,6 +15,7 @@ SRC_URI = " \ file://disable-tests \ file://no-test-timeout.patch \ file://CVE-2026-6276.patch \ + file://CVE-2026-5545.patch \ file://mbedtls.patch \ "
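
Review bot: in the lib/url.c hunk of CVE-2026-5545.patch, the added `conn->http_negotiate_state == GSS_AUTHNONE` test sits under `#ifdef USE_SPNEGO`, and the `#else` branch keeps the previous NTLM-only condition, so the backport changes behaviour only in builds where SPNEGO is compiled in. The commit message should say whether the default wrynose curl configuration defines USE_SPNEGO, in the same way patches 1/6 and 3/6 reason about PACKAGECONFIG, and how the backport was tested, given that the embedded patch touches only lib/url.c and adds no test case.
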
From patchwork Mon Jun 29 13:14:47 2026
X-Patchwork-Submitter: "Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)"
X-Patchwork-Id: 91278
From: "Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, Anil Dongare
Subject: [OE-core] [wrynose] [PATCH 3/6] curl: ignore CVE-2026-5773
Date: Mon, 29 Jun 2026 06:14:47 -0700
Message-ID: <20260629131453.1077612-3-adongare@cisco.com>
In-Reply-To: <20260629131453.1077612-1-adongare@cisco.com>
References: <20260629131453.1077612-1-adongare@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239776

From: Anil Dongare

- CVE-2026-5773 affects curl before 8.20.0 when an authenticated SMB connection can be reused for a different set of credentials.
- In wrynose, SMB support is available only through PACKAGECONFIG[smb] and is not enabled by default, so record this CVE as configuration-not-applicable for the default recipe configuration.

Reference:
- https://curl.se/docs/CVE-2026-5773.html
- https://nvd.nist.gov/vuln/detail/CVE-2026-5773
- https://github.com/openembedded/openembedded-core/blob/wrynose/meta/recipes-support/curl/curl_8.19.0.bb

Signed-off-by: Anil Dongare --- meta/recipes-support/curl/curl_8.19.0.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-support/curl/curl_8.19.0.bb b/meta/recipes-support/curl/curl_8.19.0.bb index 2b1bc40e37..5580791ec8 100644 --- a/meta/recipes-support/curl/curl_8.19.0.bb +++ b/meta/recipes-support/curl/curl_8.19.0.bb 
@@ -29,6 +29,7 @@ SRC_URI[sha256sum] = "4eb41489790d19e190d7ac7e18e82857cdd68af8f4e66b292ced562d33 CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl" CVE_STATUS[CVE-2024-32928] = "ignored: CURLOPT_SSL_VERIFYPEER was disabled on google cloud services causing a potential man in the middle attack" CVE_STATUS[CVE-2026-4873] = "${@bb.utils.contains_any('PACKAGECONFIG', 'imap pop3 smtp', 'unpatched', 'not-applicable-config: clear-text imap/pop3/smtp support is not enabled in PACKAGECONFIG', d)}" +CVE_STATUS[CVE-2026-5773] = "${@bb.utils.contains('PACKAGECONFIG', 'smb', 'unpatched', 'not-applicable-config: smb support is not enabled in PACKAGECONFIG', d)}" inherit autotools pkgconfig binconfig multilib_header ptest
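
Review bot: the 'unpatched' branch of the new CVE_STATUS[CVE-2026-5773] line carries no reason text, while its not-applicable-config branch and the neighbouring CVE-2024-32928 entry both explain themselves. Consider giving that branch a short reason as well (for example that smb is enabled and no fix has been backported), so that a CVE report from a build with smb in PACKAGECONFIG says why the entry is open. The same applies to the CVE-2026-4873 line shown as context just above it.
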
From patchwork Mon Jun 29 13:14:48 2026
X-Patchwork-Submitter: "Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)"
X-Patchwork-Id: 91274
From: "Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, Anil Dongare
Subject: [OE-core] [wrynose] [PATCH 4/6] curl: fix CVE-2026-6253
Date: Mon, 29 Jun 2026 06:14:48 -0700
Message-ID: <20260629131453.1077612-4-adongare@cisco.com>
In-Reply-To: <20260629131453.1077612-1-adongare@cisco.com>
References: <20260629131453.1077612-1-adongare@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239779

From: Anil Dongare

Backport the upstream fix [1] for the proxy credential leak on redirect described in [2] and tracked by [3].

[1] https://github.com/curl/curl/commit/188c2f166a20fa97c2325b2da7d0e5cecc13725f
[2] https://curl.se/docs/CVE-2026-6253.html
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-6253

Signed-off-by: Anil Dongare --- .../curl/curl/CVE-2026-6253.patch | 392 ++++++++++++++++++ meta/recipes-support/curl/curl_8.19.0.bb | 1 + 2 files changed, 393 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2026-6253.patch diff --git a/meta/recipes-support/curl/curl/CVE-2026-6253.patch b/meta/recipes-support/curl/curl/CVE-2026-6253.patch new file mode 100644 index 0000000000..3923ba9372 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2026-6253.patch 
@@ -0,0 +1,392 @@ +From 188c2f166a20fa97c2325b2da7d0e5cecc13725f Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 13 Apr 2026 17:17:23 +0200 +Subject: [PATCH] http: clear the proxy credentials as well on port or scheme + change + +Add tests 2009-2011 to verify switching between proxies with credentials +when the switch is driven by a redirect + +Reported-by: Dwij Mehta + +Closes #21304 + +CVE: CVE-2026-6253 +Upstream-Status: Backport [https://github.com/curl/curl/commit/188c2f166a20fa97c2325b2da7d0e5cecc13725f] + +Backport Changes: +- Adapted the redirect credential reset hunk to curl 8.19.0 Curl_http_follow() after the existing wrynose CVE-2026-6276 backport. +- Adapted tests/data/Makefile.am placement for the wrynose test list. + +(cherry picked from commit 188c2f166a20fa97c2325b2da7d0e5cecc13725f) +Signed-off-by: Anil Dongare +--- + lib/http.c | 12 +++++++ + lib/transfer.c | 51 +++++++++++++++++++++--------- + lib/transfer.h | 2 ++ + tests/data/Makefile.am | 1 + + tests/data/test2009 | 70 +++++++++++++++++++++++++++++++++++++++++ + tests/data/test2010 | 71 ++++++++++++++++++++++++++++++++++++++++++ + tests/data/test2011 | 70 +++++++++++++++++++++++++++++++++++++++++ + 7 files changed, 262 insertions(+), 15 deletions(-) + create mode 100644 tests/data/test2009 + create mode 100644 tests/data/test2010 + create mode 100644 tests/data/test2011 + +diff --git a/lib/http.c b/lib/http.c +index 7ebbdfa..b960d79 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -1252,12 +1252,24 @@ CURLcode Curl_http_follow(struct Curl_easy *data, const char *newurl, + curlx_free(scheme); + } + if(clear) { ++ CURLcode result = Curl_reset_userpwd(data); ++ if(result) { ++ curlx_free(follow_url); ++ return result; ++ } + Curl_safefree(data->state.aptr.user); + Curl_safefree(data->state.aptr.passwd); + } + } + } + DEBUGASSERT(follow_url); ++ { ++ CURLcode result = Curl_reset_proxypwd(data); ++ if(result) { ++ curlx_free(follow_url); ++ return result; ++ } ++ } + + if(type == 
FOLLOW_FAKE) { + /* we are only figuring out the new URL if we would have followed locations +diff --git a/lib/transfer.c b/lib/transfer.c +index 6dd2f52..af5bee2 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -439,6 +439,40 @@ void Curl_init_CONNECT(struct Curl_easy *data) + data->state.upload = (data->state.httpreq == HTTPREQ_PUT); + } + ++/* ++ * Restore the user credentials to those set in options. ++ */ ++CURLcode Curl_reset_userpwd(struct Curl_easy *data) ++{ ++ CURLcode result; ++ if(data->set.str[STRING_USERNAME] || data->set.str[STRING_PASSWORD]) ++ data->state.creds_from = CREDS_OPTION; ++ result = Curl_setstropt(&data->state.aptr.user, ++ data->set.str[STRING_USERNAME]); ++ if(!result) ++ result = Curl_setstropt(&data->state.aptr.passwd, ++ data->set.str[STRING_PASSWORD]); ++ return result; ++} ++ ++/* ++ * Restore the proxy credentials to those set in options. ++ */ ++CURLcode Curl_reset_proxypwd(struct Curl_easy *data) ++{ ++#ifndef CURL_DISABLE_PROXY ++ CURLcode result = Curl_setstropt(&data->state.aptr.proxyuser, ++ data->set.str[STRING_PROXYUSERNAME]); ++ if(!result) ++ result = Curl_setstropt(&data->state.aptr.proxypasswd, ++ data->set.str[STRING_PROXYPASSWORD]); ++ return result; ++#else ++ (void)data; ++ return CURLE_OK; ++#endif ++} ++ + /* + * Curl_pretransfer() is called immediately before a transfer starts, and only + * once for one transfer no matter if it has redirects or do multi-pass +@@ -584,23 +618,10 @@ CURLcode Curl_pretransfer(struct Curl_easy *data) + return CURLE_OUT_OF_MEMORY; + } + +- if(data->set.str[STRING_USERNAME] || +- data->set.str[STRING_PASSWORD]) +- data->state.creds_from = CREDS_OPTION; + if(!result) +- result = Curl_setstropt(&data->state.aptr.user, +- data->set.str[STRING_USERNAME]); ++ result = Curl_reset_userpwd(data); + if(!result) +- result = Curl_setstropt(&data->state.aptr.passwd, +- data->set.str[STRING_PASSWORD]); +-#ifndef CURL_DISABLE_PROXY +- if(!result) +- result = 
Curl_setstropt(&data->state.aptr.proxyuser, +- data->set.str[STRING_PROXYUSERNAME]); +- if(!result) +- result = Curl_setstropt(&data->state.aptr.proxypasswd, +- data->set.str[STRING_PROXYPASSWORD]); +-#endif ++ result = Curl_reset_proxypwd(data); + + data->req.headerbytecount = 0; + Curl_headers_cleanup(data); +diff --git a/lib/transfer.h b/lib/transfer.h +index 05a5f89..131e31a 100644 +--- a/lib/transfer.h ++++ b/lib/transfer.h +@@ -31,6 +31,8 @@ char *Curl_checkheaders(const struct Curl_easy *data, + + void Curl_init_CONNECT(struct Curl_easy *data); + ++CURLcode Curl_reset_userpwd(struct Curl_easy *data); ++CURLcode Curl_reset_proxypwd(struct Curl_easy *data); + CURLcode Curl_pretransfer(struct Curl_easy *data); + + CURLcode Curl_sendrecv(struct Curl_easy *data); +diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am +index da0f8f5..00a5221 100644 +--- a/tests/data/Makefile.am ++++ b/tests/data/Makefile.am +@@ -244,6 +244,7 @@ test1970 test1971 test1972 test1973 test1974 test1975 test1976 test1977 \ + test1978 test1979 test1980 test1981 \ + \ + test2000 test2001 test2002 test2003 test2004 test2005 test2006 \ ++test2009 test2010 test2011 \ + \ + test2023 \ + test2024 test2025 test2026 test2027 test2028 test2029 test2030 test2031 \ +diff --git a/tests/data/test2009 b/tests/data/test2009 +new file mode 100644 +index 0000000..d2fd79e +--- /dev/null ++++ b/tests/data/test2009 +@@ -0,0 +1,70 @@ ++ ++ ++ ++ ++HTTP ++HTTP proxy ++http_proxy ++ ++ ++# Server-side ++ ++ ++HTTP/1.1 407 Denied ++ ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 4 ++Content-Type: text/html ++Location: https://another.example/%TESTNUMBER0002 ++ ++boo ++ ++ ++ ++# Client-side ++ ++ ++proxy ++ ++ ++http ++https ++ ++ ++proxy credentials via env variables, redirect from http to https ++ ++ ++ ++http_proxy=http://user:secret@%HOSTIP:%HTTPPORT ++https_proxy=https://%HOSTIP:%HTTPSPORT/ ++ ++ ++http://somewhere.example/ --follow 
--proxy-insecure ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++ ++GET http://somewhere.example/ HTTP/1.1 ++Host: somewhere.example ++Proxy-Authorization: Basic %b64[user:secret]b64% ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++CONNECT another.example:443 HTTP/1.1 ++Host: another.example:443 ++User-Agent: curl/%VERSION ++Proxy-Connection: Keep-Alive ++ ++ ++ ++7 ++ ++ ++ +diff --git a/tests/data/test2010 b/tests/data/test2010 +new file mode 100644 +index 0000000..443ae9d +--- /dev/null ++++ b/tests/data/test2010 +@@ -0,0 +1,71 @@ ++ ++ ++ ++ ++HTTP ++HTTP proxy ++http_proxy ++ ++ ++# Server-side ++ ++ ++HTTP/1.1 407 Denied ++ ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 4 ++Content-Type: text/html ++Location: https://another.example/%TESTNUMBER0002 ++ ++boo ++ ++ ++ ++# Client-side ++ ++ ++proxy ++ ++ ++http ++https ++ ++ ++proxy credentials via options for two proxies, redirect from http to https ++ ++ ++ ++http_proxy=http://%HOSTIP:%HTTPPORT ++https_proxy=https://%HOSTIP:%HTTPSPORT/ ++ ++ ++--proxy-user batman:robin http://somewhere.example/ --follow --proxy-insecure ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++ ++GET http://somewhere.example/ HTTP/1.1 ++Host: somewhere.example ++Proxy-Authorization: Basic %b64[batman:robin]b64% ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++CONNECT another.example:443 HTTP/1.1 ++Host: another.example:443 ++Proxy-Authorization: Basic %b64[batman:robin]b64% ++User-Agent: curl/%VERSION ++Proxy-Connection: Keep-Alive ++ ++ ++ ++7 ++ ++ ++ +diff --git a/tests/data/test2011 b/tests/data/test2011 +new file mode 100644 +index 0000000..dd4e534 +--- /dev/null ++++ b/tests/data/test2011 +@@ -0,0 +1,70 @@ ++ ++ ++ ++ ++HTTP ++HTTP proxy ++http_proxy ++ ++ ++# Server-side ++ ++ ++HTTP/1.1 407 Denied ++ ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: 
test-server/fake ++Content-Length: 4 ++Content-Type: text/html ++Location: https://another.example/%TESTNUMBER0002 ++ ++boo ++ ++ ++ ++# Client-side ++ ++ ++proxy ++ ++ ++http ++https ++ ++ ++proxy creds via env, cross-scheme redirect, --location-trusted ++ ++ ++ ++http_proxy=http://user:secret@%HOSTIP:%HTTPPORT ++https_proxy=https://%HOSTIP:%HTTPSPORT/ ++ ++ ++http://somewhere.example/ --location-trusted --proxy-insecure ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++ ++GET http://somewhere.example/ HTTP/1.1 ++Host: somewhere.example ++Proxy-Authorization: Basic %b64[user:secret]b64% ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++CONNECT another.example:443 HTTP/1.1 ++Host: another.example:443 ++User-Agent: curl/%VERSION ++Proxy-Connection: Keep-Alive ++ ++ ++ ++7 ++ ++ ++ +-- +2.43.7 + diff --git a/meta/recipes-support/curl/curl_8.19.0.bb b/meta/recipes-support/curl/curl_8.19.0.bb index 5580791ec8..09e93c8ce5 100644 --- a/meta/recipes-support/curl/curl_8.19.0.bb +++ b/meta/recipes-support/curl/curl_8.19.0.bb 
@@ -16,6 +16,7 @@ SRC_URI = " \ file://no-test-timeout.patch \ file://CVE-2026-6276.patch \ file://CVE-2026-5545.patch \ + file://CVE-2026-6253.patch \ file://mbedtls.patch \ "
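Review bot: In the lib/transfer.c hunk, Curl_reset_userpwd() sets `data->state.creds_from = CREDS_OPTION` only when STRING_USERNAME or STRING_PASSWORD is set and leaves `creds_from` untouched otherwise, even though it then overwrites `aptr.user` and `aptr.passwd` with the unset option values. That was harmless while the code lived only in Curl_pretransfer(), but the helper is now exported through lib/transfer.h and can be called later in a transfer, where `creds_from` may still describe credentials that were just dropped. Suggest resetting `creds_from` in the no-option branch, or stating in the function comment why the stale value is acceptable.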
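Review bot: tests/data/test2010 expects `Proxy-Authorization: Basic %b64[batman:robin]b64%` on the CONNECT to the second proxy, while test2009 and test2011 expect the env-supplied `user:secret` to be absent there, and nothing outside the test expectations explains the difference. The comment on Curl_reset_proxypwd() only says "Restore the proxy credentials to those set in options"; please spell out there, or in the commit message, that credentials given with `--proxy-user` are deliberately reapplied to whichever proxy the redirect selects and that credentials embedded in `http_proxy` are not, so a later backport does not read test2010 as a leak.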
From: "Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, Anil Dongare
Subject: [OE-core] [wrynose] [PATCH 5/6] curl: fix CVE-2026-6429
Date: Mon, 29 Jun 2026 06:14:49 -0700
Message-ID: <20260629131453.1077612-5-adongare@cisco.com>
In-Reply-To: <20260629131453.1077612-1-adongare@cisco.com>
References: <20260629131453.1077612-1-adongare@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239780

From: Anil Dongare

Backport the upstream fix [1] for the netrc credential leak on redirect described in [2] and tracked by [3].

[1] https://github.com/curl/curl/commit/b4024bf808bd558026fdc6096e8457f199ace306
[2] https://curl.se/docs/CVE-2026-6429.html
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-6429

Signed-off-by: Anil Dongare
---
 .../curl/curl/CVE-2026-6429.patch | 362 ++++++++++++++++++
 meta/recipes-support/curl/curl_8.19.0.bb | 1 +
 2 files changed, 363 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2026-6429.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2026-6429.patch b/meta/recipes-support/curl/curl/CVE-2026-6429.patch new file mode 100644 index 0000000000..f4398e00f6 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2026-6429.patch
@@ -0,0 +1,362 @@ +From b4024bf808bd558026fdc6096e8457f199ace306 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 16 Apr 2026 14:26:20 +0200 +Subject: [PATCH] http: clear credentials better on redirect + +Verify with test 2506: netrc with redirect using proxy + +Updated test 998 which was wrong. + +Reported-by: Muhamad Arga Reksapati + +Closes #21345 + +CVE: CVE-2026-6429 +Upstream-Status: Backport [https://github.com/curl/curl/commit/b4024bf808bd558026fdc6096e8457f199ace306] + +Backport Changes: +- curl 8.19.0 does not have Curl_url_same_origin(), so the same-origin comparison is kept inline in Curl_http_follow(). +- Adapted tests/data/Makefile.am and tests/libtest/Makefile.inc placement for the wrynose test lists. + +(cherry picked from commit b4024bf808bd558026fdc6096e8457f199ace306) +Signed-off-by: Anil Dongare +--- + lib/http.c | 121 +++++++++++++++++++------------------ + tests/data/Makefile.am | 2 +- + tests/data/test2506 | 64 ++++++++++++++++++++ + tests/data/test998 | 1 - + tests/libtest/Makefile.inc | 2 +- + tests/libtest/lib2506.c | 71 ++++++++++++++++++++++ + 6 files changed, 198 insertions(+), 63 deletions(-) + create mode 100644 tests/data/test2506 + create mode 100644 tests/libtest/lib2506.c + +diff --git a/lib/http.c b/lib/http.c +index b960d79..9ac96ad 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -1201,75 +1201,76 @@ CURLcode Curl_http_follow(struct Curl_easy *data, const char *newurl, + return CURLE_OUT_OF_MEMORY; + } + else { +- uc = curl_url_get(data->state.uh, CURLUPART_URL, &follow_url, 0); +- if(uc) +- return Curl_uc_to_curlcode(uc); +- +- /* Clear auth if this redirects to a different port number or protocol, +- unless permitted */ +- if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) { +- int port; +- bool clear = FALSE; ++ bool same_origin; ++ CURLcode result; ++ CURLU *u = curl_url(); ++ char *oldscheme = NULL; ++ char *oldhost = NULL; ++ char *oldport = NULL; ++ char *newscheme = NULL; ++ char *newhost = NULL; 
++ char *newport = NULL; ++ if(!u) ++ return CURLE_OUT_OF_MEMORY; + +- if(data->set.use_port && data->state.allow_port) +- /* a custom port is used */ +- port = (int)data->set.use_port; +- else { +- curl_off_t value; +- char *portnum; +- const char *p; +- uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum, +- CURLU_DEFAULT_PORT); +- if(uc) { +- curlx_free(follow_url); +- return Curl_uc_to_curlcode(uc); +- } +- p = portnum; +- curlx_str_number(&p, &value, 0xffff); +- port = (int)value; +- curlx_free(portnum); +- } +- if(port != data->info.conn_remote_port) { +- infof(data, "Clear auth, redirects to port from %u to %u", +- data->info.conn_remote_port, port); +- clear = TRUE; +- } +- else { +- char *scheme; +- const struct Curl_scheme *p; +- uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0); +- if(uc) { +- curlx_free(follow_url); +- return Curl_uc_to_curlcode(uc); +- } ++ uc = curl_url_set(u, CURLUPART_URL, Curl_bufref_ptr(&data->state.url), ++ CURLU_URLENCODE | CURLU_ALLOW_SPACE); ++ if(!uc) ++ uc = curl_url_get(data->state.uh, CURLUPART_URL, &follow_url, 0); ++ if(!uc) ++ uc = curl_url_get(u, CURLUPART_SCHEME, &oldscheme, 0); ++ if(!uc) ++ uc = curl_url_get(u, CURLUPART_HOST, &oldhost, 0); ++ if(!uc) ++ uc = curl_url_get(u, CURLUPART_PORT, &oldport, CURLU_DEFAULT_PORT); ++ if(!uc) ++ uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &newscheme, 0); ++ if(!uc) ++ uc = curl_url_get(data->state.uh, CURLUPART_HOST, &newhost, 0); ++ if(!uc) ++ uc = curl_url_get(data->state.uh, CURLUPART_PORT, &newport, ++ CURLU_DEFAULT_PORT); ++ if(uc) { ++ curl_url_cleanup(u); ++ curlx_free(oldscheme); ++ curlx_free(oldhost); ++ curlx_free(oldport); ++ curlx_free(newscheme); ++ curlx_free(newhost); ++ curlx_free(newport); ++ curlx_free(follow_url); ++ return Curl_uc_to_curlcode(uc); ++ } + +- p = Curl_get_scheme(scheme); +- if(p && (p->protocol != data->info.conn_protocol)) { +- infof(data, "Clear auth, redirects scheme from %s to %s", +- data->info.conn_scheme, 
scheme); +- clear = TRUE; +- } +- curlx_free(scheme); +- } +- if(clear) { +- CURLcode result = Curl_reset_userpwd(data); +- if(result) { +- curlx_free(follow_url); +- return result; +- } +- Curl_safefree(data->state.aptr.user); +- Curl_safefree(data->state.aptr.passwd); ++ same_origin = strcasecompare(oldscheme, newscheme) && ++ strcasecompare(oldhost, newhost) && ++ !strcmp(oldport, newport); ++ ++ curl_url_cleanup(u); ++ curlx_free(oldscheme); ++ curlx_free(oldhost); ++ curlx_free(oldport); ++ curlx_free(newscheme); ++ curlx_free(newhost); ++ curlx_free(newport); ++ ++ if((!same_origin && !data->set.allow_auth_to_other_hosts) || ++ !data->set.str[STRING_USERNAME]) { ++ result = Curl_reset_userpwd(data); ++ if(result) { ++ curlx_free(follow_url); ++ return result; + } ++ Curl_safefree(data->state.aptr.user); ++ Curl_safefree(data->state.aptr.passwd); + } +- } +- DEBUGASSERT(follow_url); +- { +- CURLcode result = Curl_reset_proxypwd(data); ++ result = Curl_reset_proxypwd(data); + if(result) { + curlx_free(follow_url); + return result; + } + } ++ DEBUGASSERT(follow_url); + + if(type == FOLLOW_FAKE) { + /* we are only figuring out the new URL if we would have followed locations +diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am +index 00a5221..1b76b01 100644 +--- a/tests/data/Makefile.am ++++ b/tests/data/Makefile.am +@@ -265,7 +265,7 @@ test2309 \ + \ + test2400 test2401 test2402 test2403 test2404 test2405 test2406 test2407 \ + \ +-test2500 test2501 test2502 test2503 test2504 \ ++test2500 test2501 test2502 test2503 test2504 test2506 \ + \ + test2600 test2601 test2602 test2603 test2604 test2605 \ + \ +diff --git a/tests/data/test2506 b/tests/data/test2506 +new file mode 100644 +index 0000000..9c65002 +--- /dev/null ++++ b/tests/data/test2506 +@@ -0,0 +1,64 @@ ++ ++ ++ ++ ++HTTP ++cookies ++ ++ ++ ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Content-Length: 3 ++Location: http://numbertwo.example/%TESTNUMBER0002 ++ ++ok ++ ++ 
++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Content-Length: 4 ++ ++yes ++ ++ ++ ++ ++ ++http ++ ++ ++proxy ++ ++ ++lib%TESTNUMBER ++ ++ ++netrc with redirect using proxy ++ ++ ++machine site.example login batman password robin ++ ++ ++http://%HOSTIP:%HTTPPORT http://site.example/ %LOGDIR/netrc2506 ++ ++ ++ ++ ++ ++GET http://site.example/ HTTP/1.1 ++Host: site.example ++Authorization: Basic %b64[batman:robin]b64% ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++GET http://numbertwo.example/25060002 HTTP/1.1 ++Host: numbertwo.example ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++ ++ ++ +diff --git a/tests/data/test998 b/tests/data/test998 +index 24d1d3d..56dbc0c 100644 +--- a/tests/data/test998 ++++ b/tests/data/test998 +@@ -77,7 +77,6 @@ Proxy-Connection: Keep-Alive + + GET http://somewhere.else.example/a/path/9980002 HTTP/1.1 + Host: somewhere.else.example +-Authorization: Basic %b64[alberto:einstein]b64% + User-Agent: curl/%VERSION + Accept: */* + Proxy-Connection: Keep-Alive +diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc +index 2319baf..2f77c16 100644 +--- a/tests/libtest/Makefile.inc ++++ b/tests/libtest/Makefile.inc +@@ -113,7 +113,7 @@ TESTS_C = \ + lib2023.c lib2032.c lib2082.c \ + lib2301.c lib2302.c lib2304.c lib2306.c lib2308.c lib2309.c \ + lib2402.c lib2404.c lib2405.c \ +- lib2502.c lib2504.c \ ++ lib2502.c lib2504.c lib2506.c \ + lib2700.c \ + lib3010.c lib3025.c lib3026.c lib3027.c lib3033.c lib3034.c \ + lib3100.c lib3101.c lib3102.c lib3103.c lib3104.c lib3105.c \ +diff --git a/tests/libtest/lib2506.c b/tests/libtest/lib2506.c +new file mode 100644 +index 0000000..8b3b342 +--- /dev/null ++++ b/tests/libtest/lib2506.c +@@ -0,0 +1,71 @@ ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ \| | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * \___|\___/|_| \_\_____| ++ * ++ * Copyright (C) Linus Nielsen Feltzing ++ * ++ * This 
software is licensed as described in the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at https://curl.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. ++ * ++ * SPDX-License-Identifier: curl ++ * ++ ***************************************************************************/ ++#include "first.h" ++ ++#include "testtrace.h" ++ ++static size_t sink2506(char *ptr, size_t size, size_t nmemb, void *ud) ++{ ++ (void)ptr; ++ (void)ud; ++ return size * nmemb; ++} ++ ++static CURLcode test_lib2506(const char *URL) ++{ ++ CURL *curl; ++ CURLcode result = CURLE_OUT_OF_MEMORY; ++ ++ if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) { ++ curl_mfprintf(stderr, "curl_global_init() failed\n"); ++ return TEST_ERR_MAJOR_BAD; ++ } ++ ++ curl = curl_easy_init(); ++ if(!curl) { ++ curl_mfprintf(stderr, "curl_easy_init() failed\n"); ++ curl_global_cleanup(); ++ return TEST_ERR_MAJOR_BAD; ++ } ++ ++ test_setopt(curl, CURLOPT_WRITEFUNCTION, sink2506); ++ test_setopt(curl, CURLOPT_PROXY, URL); ++ test_setopt(curl, CURLOPT_URL, libtest_arg2); ++ test_setopt(curl, CURLOPT_NETRC, CURL_NETRC_OPTIONAL); ++ test_setopt(curl, CURLOPT_NETRC_FILE, libtest_arg3); ++ test_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L); ++ test_setopt(curl, CURLOPT_VERBOSE, 1L); ++ ++ /* CURLOPT_UNRESTRICTED_AUTH should not make a difference because the ++ credentials come from netrc */ ++ test_setopt(curl, CURLOPT_UNRESTRICTED_AUTH, 1L); ++ ++ result = curl_easy_perform(curl); ++ ++test_cleanup: ++ curl_easy_cleanup(curl); ++ curl_global_cleanup(); ++ ++ return result; ++} +-- +2.43.7 + 
diff --git a/meta/recipes-support/curl/curl_8.19.0.bb b/meta/recipes-support/curl/curl_8.19.0.bb index 09e93c8ce5..6c31978519 100644 --- a/meta/recipes-support/curl/curl_8.19.0.bb +++ b/meta/recipes-support/curl/curl_8.19.0.bb 
@@ -17,6 +17,7 @@ SRC_URI = " \ file://CVE-2026-6276.patch \ file://CVE-2026-5545.patch \ file://CVE-2026-6253.patch \ + file://CVE-2026-6429.patch \ file://mbedtls.patch \ "
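Review bot: In the lib/http.c hunk the rewritten block drops the `type != FOLLOW_FAKE` test that the removed code had in `if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE))`, so Curl_reset_userpwd() and the two Curl_safefree() calls now also run when the function is only working out the would-be redirect URL. Please confirm this matches the upstream commit and is not a side effect of inlining the same-origin comparison, which the "Backport Changes" section lists as the only divergence in this file. The new condition also tests only `data->set.str[STRING_USERNAME]`, while Curl_reset_userpwd() treats either STRING_USERNAME or STRING_PASSWORD as option-supplied credentials; a one-line comment on why the password is ignored here would help. Because the inline comparison is backport-specific, consider moving the curl_url_get() chain and the cleanup that is repeated in the error and success paths into a small static helper that returns the bool.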
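Review bot: tests/libtest/lib2506.c sets `CURLOPT_UNRESTRICTED_AUTH` to show that netrc credentials are still dropped on the redirect, but nothing in this patch exercises the other arm of the new condition in Curl_http_follow(), where credentials set through options are kept across origins when `allow_auth_to_other_hosts` is on. With tests/data/test998 also losing its `Authorization: Basic %b64[alberto:einstein]b64%` expectation on the redirected request, please state in the commit message which existing test still covers the "credentials are forwarded" case, so the behaviour change is not mistaken for a regression later.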
From: "Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, Anil Dongare
Subject: [OE-core] [wrynose] [PATCH 6/6] curl: fix CVE-2026-7168
Date: Mon, 29 Jun 2026 06:14:50 -0700
Message-ID: <20260629131453.1077612-6-adongare@cisco.com>
In-Reply-To: <20260629131453.1077612-1-adongare@cisco.com>
References: <20260629131453.1077612-1-adongare@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239781

From: Anil Dongare

Backport the upstream fix [1] for proxy Digest state reuse across proxy switches described in [2] and tracked by [3].

[1] https://github.com/curl/curl/commit/c1cfdf59acbaf9504c4578d4cf56cdd7c8594507
[2] https://curl.se/docs/CVE-2026-7168.html
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-7168

Signed-off-by: Anil Dongare
---
 .../curl/curl/CVE-2026-7168.patch | 375 ++++++++++++++++++
 meta/recipes-support/curl/curl_8.19.0.bb | 1 +
 2 files changed, 376 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2026-7168.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2026-7168.patch b/meta/recipes-support/curl/curl/CVE-2026-7168.patch new file mode 100644 index 0000000000..432dad62c6 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2026-7168.patch
@@ -0,0 +1,375 @@ +From c1cfdf59acbaf9504c4578d4cf56cdd7c8594507 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 27 Apr 2026 09:14:51 +0200 +Subject: [PATCH] setopt: clear proxy auth properties when switching + +Verify with test 1588 + +Closes #21453 + +CVE: CVE-2026-7168 +Upstream-Status: Backport [https://github.com/curl/curl/commit/c1cfdf59acbaf9504c4578d4cf56cdd7c8594507] + +Backport Changes: +- Adapted setproxy() insertion and test-list placement to the curl 8.19.0 wrynose layout. + +(cherry picked from commit c1cfdf59acbaf9504c4578d4cf56cdd7c8594507) +Signed-off-by: Anil Dongare +--- + lib/setopt.c | 14 +++- + lib/vauth/vauth.h | 1 + + tests/data/Makefile.am | 2 +- + tests/data/test1588 | 106 ++++++++++++++++++++++++++ + tests/libtest/Makefile.inc | 2 +- + tests/libtest/lib1588.c | 150 +++++++++++++++++++++++++++++++++++++ + 6 files changed, 272 insertions(+), 3 deletions(-) + create mode 100644 tests/data/test1588 + create mode 100644 tests/libtest/lib1588.c + +diff --git a/lib/setopt.c b/lib/setopt.c +index 84f3e02..d12ffb6 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -49,6 +49,7 @@ + #include "curlx/strdup.h" + #include "escape.h" + #include "bufref.h" ++#include "vauth/vauth.h" + + static CURLcode setopt_set_timeout_sec(timediff_t *ptimeout_ms, long secs) + { +@@ -1664,6 +1665,17 @@ static CURLcode cookiefile(struct Curl_easy *data, const char *ptr) + #endif + + #ifndef CURL_DISABLE_PROXY ++static CURLcode setproxy(struct Curl_easy *data, const char *proxy) ++{ ++ if((data->set.str[STRING_PROXY] && proxy) && ++ !strcmp(data->set.str[STRING_PROXY], proxy)) ++ return CURLE_OK; ++ ++ Curl_auth_digest_cleanup(&data->state.proxydigest); ++ memset(&data->state.authproxy, 0, sizeof(data->state.authproxy)); ++ return Curl_setstropt(&data->set.str[STRING_PROXY], proxy); ++} ++ + static CURLcode setopt_cptr_proxy(struct Curl_easy *data, CURLoption option, + const char *ptr) + { +@@ -1759,7 +1771,7 @@ static CURLcode setopt_cptr_proxy(struct 
Curl_easy *data, CURLoption option, + * Setting it to NULL, means no proxy but allows the environment variables + * to decide for us (if CURLOPT_SOCKS_PROXY setting it to NULL). + */ +- return Curl_setstropt(&s->str[STRING_PROXY], ptr); ++ return setproxy(data, ptr); + case CURLOPT_PRE_PROXY: + /* + * Set proxy server:port to use as SOCKS proxy. +diff --git a/lib/vauth/vauth.h b/lib/vauth/vauth.h +index 3e66c89..20ee51e 100644 +--- a/lib/vauth/vauth.h ++++ b/lib/vauth/vauth.h +@@ -117,6 +117,7 @@ CURLcode Curl_auth_create_digest_http_message(struct Curl_easy *data, + /* This is used to clean up the digest specific data */ + void Curl_auth_digest_cleanup(struct digestdata *digest); + #else ++#define Curl_auth_digest_cleanup(x) + #define Curl_auth_is_digest_supported() FALSE + #endif /* !CURL_DISABLE_DIGEST_AUTH */ + +diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am +index 1b76b01..1e84b26 100644 +--- a/tests/data/Makefile.am ++++ b/tests/data/Makefile.am +@@ -208,7 +208,7 @@ test1548 test1549 test1550 test1551 test1552 test1553 test1554 test1555 \ + test1556 test1557 test1558 test1559 test1560 test1561 test1562 test1563 \ + test1564 test1565 test1566 test1567 test1568 test1569 test1570 test1571 \ + test1572 test1573 test1574 test1575 test1576 test1577 test1578 test1579 \ +-test1580 test1581 test1582 test1583 test1584 test1585 \ ++test1580 test1581 test1582 test1583 test1584 test1585 test1588 \ + \ + test1590 test1591 test1592 test1593 test1594 test1595 test1596 test1597 \ + test1598 test1599 test1600 test1601 test1602 test1603 test1604 test1605 \ +diff --git a/tests/data/test1588 b/tests/data/test1588 +new file mode 100644 +index 0000000..753e98c +--- /dev/null ++++ b/tests/data/test1588 +@@ -0,0 +1,106 @@ ++ ++ ++ ++ ++HTTP ++HTTP GET ++HTTP proxy ++HTTP proxy Digest auth ++multi ++ ++ ++ ++# Server-side ++ ++ ++# this is returned first since we get no proxy-auth ++ ++HTTP/1.1 407 Authorization Required to proxy me my dear ++Proxy-Authenticate: Digest 
realm="weirdorealm", nonce="12345" ++Content-Length: 33 ++ ++And you should ignore this data. ++ ++ ++# then this is returned when we get proxy-auth ++ ++HTTP/1.1 200 OK ++Content-Length: 21 ++Server: no ++ ++Nice proxy auth sir! ++ ++ ++ ++HTTP/1.1 407 Authorization Required to proxy me my dear ++Proxy-Authenticate: Digest realm="weirdorealm", nonce="12345" ++Content-Length: 33 ++ ++HTTP/1.1 200 OK ++Content-Length: 21 ++Server: no ++ ++Nice proxy auth sir! ++HTTP/1.1 407 Authorization Required to proxy me my dear ++Proxy-Authenticate: Digest realm="weirdorealm", nonce="12345" ++Content-Length: 33 ++ ++HTTP/1.1 200 OK ++Content-Length: 21 ++Server: no ++ ++Nice proxy auth sir! ++ ++ ++ ++# Client-side ++ ++ ++http ++ ++# tool is what to use instead of 'curl' ++ ++lib%TESTNUMBER ++ ++ ++!SSPI ++crypto ++proxy ++digest ++ ++ ++HTTP proxy auth Digest, then change proxy and do it again ++ ++ ++http://test.remote.example.com/path/%TESTNUMBER %HOSTIP %HTTPPORT silly:person custom.set.host.name ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++ ++GET http://test.remote.example.com/path/1588 HTTP/1.1 ++Host: test.remote.example.com ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++GET http://test.remote.example.com/path/1588 HTTP/1.1 ++Host: test.remote.example.com ++Proxy-Authorization: Digest username="silly", realm="weirdorealm", nonce="12345", uri="/path/1588", response="d0b2f000c7e3fca24452b5810713404a" ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++GET http://test.remote.example.com/path/1588 HTTP/1.1 ++Host: test.remote.example.com ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++GET http://test.remote.example.com/path/1588 HTTP/1.1 ++Host: test.remote.example.com ++Proxy-Authorization: Digest username="silly", realm="weirdorealm", nonce="12345", uri="/path/1588", response="d0b2f000c7e3fca24452b5810713404a" ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++ ++ ++ +diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc +index 
2f77c16..96b82bc 100644 +--- a/tests/libtest/Makefile.inc ++++ b/tests/libtest/Makefile.inc +@@ -97,7 +97,7 @@ TESTS_C = \ + lib1559.c lib1560.c lib1564.c lib1565.c \ + lib1567.c lib1568.c lib1569.c lib1571.c \ + lib1576.c \ +- lib1582.c \ ++ lib1582.c lib1588.c \ + lib1591.c lib1592.c lib1593.c lib1594.c lib1597.c \ + lib1598.c lib1599.c \ + lib1662.c \ +diff --git a/tests/libtest/lib1588.c b/tests/libtest/lib1588.c +new file mode 100644 +index 0000000..9b12f36 +--- /dev/null ++++ b/tests/libtest/lib1588.c +@@ -0,0 +1,150 @@ ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ \| | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * \___|\___/|_| \_\_____| ++ * ++ * Copyright (C) Daniel Stenberg, , et al. ++ * ++ * This software is licensed as described in the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at https://curl.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. 
++ * ++ * SPDX-License-Identifier: curl ++ * ++ ***************************************************************************/ ++/* ++ * argv1 = URL ++ * argv2 = proxy host ++ * argv3 = proxy port ++ * argv4 = proxyuser:password ++ */ ++ ++#include "first.h" ++ ++static CURLcode init1588(CURL *curl, const char *url, ++ const char *userpwd, const char *proxy) ++{ ++ CURLcode result = CURLE_OK; ++ ++ res_easy_setopt(curl, CURLOPT_URL, url); ++ if(result) ++ goto init_failed; ++ ++ res_easy_setopt(curl, CURLOPT_PROXY, proxy); ++ if(result) ++ goto init_failed; ++ ++ res_easy_setopt(curl, CURLOPT_PROXYUSERPWD, userpwd); ++ if(result) ++ goto init_failed; ++ ++ res_easy_setopt(curl, CURLOPT_PROXYAUTH, CURLAUTH_DIGEST); ++ if(result) ++ goto init_failed; ++ ++ res_easy_setopt(curl, CURLOPT_VERBOSE, 1L); ++ if(result) ++ goto init_failed; ++#if 0 ++ res_easy_setopt(curl, CURLOPT_HTTPPROXYTUNNEL, 1L); ++ if(result) ++ goto init_failed; ++#endif ++ ++ res_easy_setopt(curl, CURLOPT_HEADER, 1L); ++ if(result) ++ goto init_failed; ++ ++ return CURLE_OK; /* success */ ++ ++init_failed: ++ return result; /* failure */ ++} ++ ++static CURLcode run1588(CURL *curl, const char *url, const char *userpwd, ++ const char *proxy) ++{ ++ CURLcode result = CURLE_OK; ++ ++ result = init1588(curl, url, userpwd, proxy); ++ if(result) ++ return result; ++ ++ return curl_easy_perform(curl); ++} ++ ++static CURLcode test_lib1588(const char *URL) ++{ ++ CURLcode result = CURLE_OK; ++ CURL *curl = NULL; ++ const char *proxyuserpws = libtest_arg4; ++ struct curl_slist *host = NULL; ++ struct curl_slist *host2 = NULL; ++ char proxy1_resolve[128]; ++ char proxy2_resolve[128]; ++ char proxy1_connect[128]; ++ char proxy2_connect[128]; ++ ++ if(test_argc < 3) ++ return TEST_ERR_MAJOR_BAD; ++ ++ curl_msnprintf(proxy1_resolve, sizeof(proxy1_resolve), ++ "firstproxy:%s:%s", libtest_arg3, libtest_arg2); ++ curl_msnprintf(proxy2_resolve, sizeof(proxy2_resolve), ++ "secondproxy:%s:%s", libtest_arg3, 
libtest_arg2); ++ ++ /* we connect to the fake host name but the right port number */ ++ curl_msnprintf(proxy1_connect, sizeof(proxy1_connect), ++ "firstproxy:%s", libtest_arg3); ++ curl_msnprintf(proxy2_connect, sizeof(proxy2_connect), ++ "secondproxy:%s", libtest_arg3); ++ ++ res_global_init(CURL_GLOBAL_ALL); ++ if(result) ++ return result; ++ ++ curl = curl_easy_init(); ++ if(!curl) { ++ curl_mfprintf(stderr, "curl_easy_init() failed\n"); ++ curl_global_cleanup(); ++ return TEST_ERR_MAJOR_BAD; ++ } ++ ++ host = curl_slist_append(NULL, proxy1_resolve); ++ if(!host) ++ goto test_cleanup; ++ host2 = curl_slist_append(host, proxy2_resolve); ++ if(!host2) ++ goto test_cleanup; ++ host = host2; ++ ++ start_test_timing(); ++ ++ easy_setopt(curl, CURLOPT_RESOLVE, host); ++ ++ result = run1588(curl, URL, proxyuserpws, proxy1_connect); ++ if(result) ++ goto test_cleanup; ++ ++ curl_mfprintf(stderr, "lib1588: now we do the request again\n"); ++ ++ result = run1588(curl, URL, proxyuserpws, proxy2_connect); ++ ++test_cleanup: ++ ++ /* proper cleanup sequence - type PB */ ++ ++ curl_easy_cleanup(curl); ++ curl_global_cleanup(); ++ curl_slist_free_all(host); ++ return result; ++} +-- +2.43.7 diff --git a/meta/recipes-support/curl/curl_8.19.0.bb b/meta/recipes-support/curl/curl_8.19.0.bb index 6c31978519..1fb6e4f3be 100644 --- a/meta/recipes-support/curl/curl_8.19.0.bb +++ b/meta/recipes-support/curl/curl_8.19.0.bb @@ -18,6 +18,7 @@ SRC_URI = " \ file://CVE-2026-5545.patch \ file://CVE-2026-6253.patch \ file://CVE-2026-6429.patch \ + file://CVE-2026-7168.patch \ file://mbedtls.patch \ "
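Review bot: the command line in the test data passes a fifth argument, custom.set.host.name, but lib1588.c documents argv1 to argv4 and reads only the URL, libtest_arg2, libtest_arg3 and libtest_arg4, so the extra value is never used. Drop it or say why it is there. Also, both 407 replies carry the same realm and nonce="12345", so the two expected Proxy-Authorization headers have the same response= value. The check that the second proxy is challenged afresh therefore rests entirely on the third GET carrying no Proxy-Authorization header, and a comment in the verify section should say so.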
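Review bot: in test_lib1588() of tests/libtest/lib1588.c, both curl_slist_append() failure paths jump to test_cleanup while result is still CURLE_OK, so an allocation failure makes the test return success without performing either transfer. Set result to an error before each goto, for example TEST_ERR_MAJOR_BAD, which this function already returns elsewhere. Separately, the guard `if(test_argc < 3)` sits oddly beside the four arguments listed in the header comment: libtest_arg4 is passed on as CURLOPT_PROXYUSERPWD, so the check should cover every argument the function reads, or a comment should say why 3 is enough. The `#if 0` block around CURLOPT_HTTPPROXYTUNNEL in init1588() is dead code and can be dropped.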