From: "Yoann Congal" <yoann.congal@smile.fr>
To: <jaipaul.cheernam@est.tech>, <openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [wrynose][PATCH v3] curl: fix CVE-2026-5773 - wrong reuse of SMB connection
Date: Fri, 03 Jul 2026 10:50:32 +0200 [thread overview]
Message-ID: <DJOT2TN5WGAT.3LHSPDSQB54O3@smile.fr> (raw)
In-Reply-To: <20260624075504.63472-1-jaipaul.cheernam@est.tech>
On Wed Jun 24, 2026 at 9:55 AM CEST, Jaipaul Cheernam via lists.openembedded.org wrote:
> Remove PROTOPT_CONN_REUSE from SMB handler flags to prevent
> connection pooling. Without this, a second SMB request to the same
> host reuses a connection authenticated for a different share.
>
> Reference: https://curl.se/docs/CVE-2026-5773.html
>
> Signed-off-by: Jaipaul Cheernam <jaipaul.cheernam@est.tech>
> ---
> .../curl/curl/CVE-2026-5773.patch | 48 +++++++++++++++++++
> meta/recipes-support/curl/curl_8.19.0.bb | 1 +
> 2 files changed, 49 insertions(+)
> create mode 100644 meta/recipes-support/curl/curl/CVE-2026-5773.patch
Hello,
This patch does not apply cleanly on the lastest origin/wrynose:
commit 5d1aa5c806c0 ("build-appliance-image: Update to wrynose head revisions")):
| $ bitbake -cpatch curl
| [...]
| ERROR: curl-8.19.0-r0 do_patch: QA Issue: Fuzz detected:
|
| Applying patch CVE-2026-5773.patch
| patching file lib/smb.c
| Hunk #2 succeeded at 1259 with fuzz 1.
|
|
| The context lines in the patches can be updated with devtool:
|
| devtool modify curl
| devtool finish --force-patch-refresh curl <layer_path>
|
| Don't forget to review changes done by devtool!
|
| Patch log indicates that patches do not apply cleanly. [patch-fuzz]
| ERROR: curl-8.19.0-r0 do_patch: Fatal QA errors were found, failing task.
Can you rebase and send a v4?
Thanks!
>
> diff --git a/meta/recipes-support/curl/curl/CVE-2026-5773.patch b/meta/recipes-support/curl/curl/CVE-2026-5773.patch
> new file mode 100644
> index 0000000000..970e04b33f
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2026-5773.patch
> @@ -0,0 +1,48 @@
> +From 74a169575d6412dc0ff532acdf94de35a6c2a571 Mon Sep 17 00:00:00 2001
> +From: Daniel Stenberg <daniel@haxx.se>
> +Date: Sun, 5 Apr 2026 18:23:35 +0200
> +Subject: [PATCH] protocol: disable connection reuse for SMB(S)
> +
> +Connections should only be reused when using the same "share" (and
> +perhaps some additional conditions), but instead of fixing this flaw,
> +this change completely disables connection reuse for SMB. This protocol
> +is about to get dropped soon anyway.
> +
> +Reported-by: Osama Hamad
> +Closes #21238
> +Signed-off-by: Daniel Stenberg <daniel@haxx.se>
> +
> +CVE: CVE-2026-5773
> +Upstream-Status: Backport [https://github.com/curl/curl/commit/74a169575d6412dc0ff532acdf94de35a6c2a571]
> +
> +Note: The upstream fix targets lib/protocol.c which was introduced in
> +curl 8.20.0. In 8.19.0 the SMB handler flags are still in lib/smb.c,
> +so this patch removes PROTOPT_CONN_REUSE there instead. The effect is
> +identical: SMB connections are no longer pooled for reuse.
> +
> +Signed-off-by: Jaipaul Cheernam <jaipaul.cheernam@est.tech>
> +---
> + lib/smb.c | 4 ++--
> + 1 file changed, 2 insertions(+), 2 deletions(-)
> +
> +diff --git a/lib/smb.c b/lib/smb.c
> +index ccd4f3f69d..2a9f08388f 100644
> +--- a/lib/smb.c
> ++++ b/lib/smb.c
> +@@ -1242,7 +1242,7 @@
> + #endif
> + CURLPROTO_SMB, /* protocol */
> + CURLPROTO_SMB, /* family */
> +- PROTOPT_CONN_REUSE, /* flags */
> ++ PROTOPT_NONE, /* flags */
> + PORT_SMB, /* defport */
> + };
> +
> +@@ -1259,7 +1259,7 @@
> + #endif
> + CURLPROTO_SMBS, /* protocol */
> + CURLPROTO_SMB, /* family */
> +- PROTOPT_SSL | PROTOPT_CONN_REUSE, /* flags */
> ++ PROTOPT_SSL, /* flags */
> + PORT_SMBS, /* defport */
> + };
> diff --git a/meta/recipes-support/curl/curl_8.19.0.bb b/meta/recipes-support/curl/curl_8.19.0.bb
> index d58b774011..3326f478b5 100644
> --- a/meta/recipes-support/curl/curl_8.19.0.bb
> +++ b/meta/recipes-support/curl/curl_8.19.0.bb
> @@ -15,6 +15,7 @@ SRC_URI = " \
> file://disable-tests \
> file://no-test-timeout.patch \
> file://CVE-2026-6276.patch \
> + file://CVE-2026-5773.patch \
> file://mbedtls.patch \
> "
>
--
Yoann Congal
Smile ECS
next prev parent reply other threads:[~2026-07-03 8:50 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-23 12:08 [wrynose][PATCH v2] curl: fix CVE-2026-5773 - wrong reuse of SMB connection Jaipaul Cheernam
2026-06-23 21:24 ` [OE-core] " Yoann Congal
2026-06-24 7:55 ` [wrynose][PATCH v3] " Jaipaul Cheernam
2026-07-03 8:50 ` Yoann Congal [this message]
2026-07-03 9:25 ` [wrynose][PATCH v4] " Jaipaul Cheernam
2026-07-05 22:03 ` [OE-core] " Yoann Congal
2026-07-06 8:11 ` Jaipaul Cheernam
2026-07-06 8:14 ` [wrynose][PATCH v5] " Jaipaul Cheernam
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DJOT2TN5WGAT.3LHSPDSQB54O3@smile.fr \
--to=yoann.congal@smile.fr \
--cc=jaipaul.cheernam@est.tech \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.