From: Jaipaul Cheernam <jaipaul.cheernam@est.tech>
To: openembedded-core@lists.openembedded.org
Cc: Jaipaul Cheernam <jaipaul.cheernam@est.tech>
Subject: [wrynose][PATCH v5] curl: fix CVE-2026-5773 - wrong reuse of SMB connection
Date: Mon, 6 Jul 2026 10:14:17 +0200 [thread overview]
Message-ID: <20260706081417.10420-1-jaipaul.cheernam@est.tech> (raw)
In-Reply-To: <20260623120850.29881-1-jaipaul.cheernam@est.tech>
Remove PROTOPT_CONN_REUSE from SMB handler flags to prevent
connection pooling. Without this, a second SMB request to the same
host reuses a connection authenticated for a different share.
Reference: https://curl.se/docs/CVE-2026-5773.html
Signed-off-by: Jaipaul Cheernam <jaipaul.cheernam@est.tech>
---
Changes v4 -> v5:
- Removed incorrect Signed-off-by from Daniel (upstream commit has none)
Changes v3 -> v4:
- Rebased on latest wrynose (5d1aa5c806c0)
- Refreshed patch context to eliminate fuzz on hunk #2
.../curl/curl/CVE-2026-5773.patch | 47 +++++++++++++++++++
meta/recipes-support/curl/curl_8.19.0.bb | 1 +
2 files changed, 48 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2026-5773.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2026-5773.patch b/meta/recipes-support/curl/curl/CVE-2026-5773.patch
new file mode 100644
index 0000000000..a997371242
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2026-5773.patch
@@ -0,0 +1,47 @@
+From e5c7f93734345260820ca46b29db85f75d277399 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sun, 5 Apr 2026 18:23:35 +0200
+Subject: [PATCH] protocol: disable connection reuse for SMB(S)
+
+Connections should only be reused when using the same "share" (and
+perhaps some additional conditions), but instead of fixing this flaw,
+this change completely disables connection reuse for SMB. This protocol
+is about to get dropped soon anyway.
+
+Reported-by: Osama Hamad
+Closes #21238
+
+CVE: CVE-2026-5773
+Upstream-Status: Backport [https://github.com/curl/curl/commit/74a169575d6412dc0ff532acdf94de35a6c2a571]
+
+Note: The upstream fix targets lib/protocol.c which was introduced in
+curl 8.20.0. In 8.19.0 the SMB handler flags are still in lib/smb.c,
+so this patch removes PROTOPT_CONN_REUSE there instead. The effect is
+identical: SMB connections are no longer pooled for reuse.
+
+Signed-off-by: Jaipaul Cheernam <jaipaul.cheernam@est.tech>
+---
+ lib/smb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/smb.c b/lib/smb.c
+index 00297ad..c15fdce 100644
+--- a/lib/smb.c
++++ b/lib/smb.c
+@@ -1242,7 +1242,7 @@ const struct Curl_scheme Curl_scheme_smb = {
+ #endif
+ CURLPROTO_SMB, /* protocol */
+ CURLPROTO_SMB, /* family */
+- PROTOPT_CONN_REUSE, /* flags */
++ PROTOPT_NONE, /* flags */
+ PORT_SMB, /* defport */
+ };
+
+@@ -1259,6 +1259,6 @@ const struct Curl_scheme Curl_scheme_smbs = {
+ #endif
+ CURLPROTO_SMBS, /* protocol */
+ CURLPROTO_SMB, /* family */
+- PROTOPT_SSL | PROTOPT_CONN_REUSE, /* flags */
++ PROTOPT_SSL, /* flags */
+ PORT_SMBS, /* defport */
+ };
diff --git a/meta/recipes-support/curl/curl_8.19.0.bb b/meta/recipes-support/curl/curl_8.19.0.bb
index d58b774011..3326f478b5 100644
--- a/meta/recipes-support/curl/curl_8.19.0.bb
+++ b/meta/recipes-support/curl/curl_8.19.0.bb
@@ -15,6 +15,7 @@ SRC_URI = " \
file://disable-tests \
file://no-test-timeout.patch \
file://CVE-2026-6276.patch \
+ file://CVE-2026-5773.patch \
file://mbedtls.patch \
"
--
2.34.1
prev parent reply other threads:[~2026-07-06 8:14 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-23 12:08 [wrynose][PATCH v2] curl: fix CVE-2026-5773 - wrong reuse of SMB connection Jaipaul Cheernam
2026-06-23 21:24 ` [OE-core] " Yoann Congal
2026-06-24 7:55 ` [wrynose][PATCH v3] " Jaipaul Cheernam
2026-07-03 8:50 ` [OE-core] " Yoann Congal
2026-07-03 9:25 ` [wrynose][PATCH v4] " Jaipaul Cheernam
2026-07-05 22:03 ` [OE-core] " Yoann Congal
2026-07-06 8:11 ` Jaipaul Cheernam
2026-07-06 8:14 ` Jaipaul Cheernam [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260706081417.10420-1-jaipaul.cheernam@est.tech \
--to=jaipaul.cheernam@est.tech \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.