From: "Yoann Congal" <yoann.congal@smile.fr>
To: <adongare@cisco.com>, <openembedded-core@lists.openembedded.org>
Cc: <xe-linux-external@cisco.com>
Subject: Re: [OE-core] [wrynose] [PATCH 5/6] curl: fix CVE-2026-6429
Date: Fri, 03 Jul 2026 11:38:36 +0200 [thread overview]
Message-ID: <DJOU3MGL8GSH.27D0R685LL2P1@smile.fr> (raw)
In-Reply-To: <20260629131453.1077612-5-adongare@cisco.com>
On Mon Jun 29, 2026 at 3:14 PM CEST, Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote:
> From: Anil Dongare <adongare@cisco.com>
>
> Backport the upstream fix [1] for the netrc credential leak on redirect
> described in [2] and tracked by [3].
>
> [1] https://github.com/curl/curl/commit/b4024bf808bd558026fdc6096e8457f199ace306
> [2] https://curl.se/docs/CVE-2026-6429.html
> [3] https://nvd.nist.gov/vuln/detail/CVE-2026-6429
>
> Signed-off-by: Anil Dongare <adongare@cisco.com>
> ---
> .../curl/curl/CVE-2026-6429.patch | 362 ++++++++++++++++++
> meta/recipes-support/curl/curl_8.19.0.bb | 1 +
> 2 files changed, 363 insertions(+)
> create mode 100644 meta/recipes-support/curl/curl/CVE-2026-6429.patch
>
> diff --git a/meta/recipes-support/curl/curl/CVE-2026-6429.patch b/meta/recipes-support/curl/curl/CVE-2026-6429.patch
> new file mode 100644
> index 0000000000..f4398e00f6
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2026-6429.patch
> @@ -0,0 +1,362 @@
> +From b4024bf808bd558026fdc6096e8457f199ace306 Mon Sep 17 00:00:00 2001
> +From: Daniel Stenberg <daniel@haxx.se>
> +Date: Thu, 16 Apr 2026 14:26:20 +0200
> +Subject: [PATCH] http: clear credentials better on redirect
> +
> +Verify with test 2506: netrc with redirect using proxy
> +
> +Updated test 998 which was wrong.
> +
> +Reported-by: Muhamad Arga Reksapati
> +
> +Closes #21345
> +
> +CVE: CVE-2026-6429
> +Upstream-Status: Backport [https://github.com/curl/curl/commit/b4024bf808bd558026fdc6096e8457f199ace306]
> +
> +Backport Changes:
> +- curl 8.19.0 does not have Curl_url_same_origin(), so the same-origin comparison is kept inline in Curl_http_follow().
> +- Adapted tests/data/Makefile.am and tests/libtest/Makefile.inc placement for the wrynose test lists.
> +
> +(cherry picked from commit b4024bf808bd558026fdc6096e8457f199ace306)
> +Signed-off-by: Anil Dongare <adongare@cisco.com>
> +---
> + lib/http.c | 121 +++++++++++++++++++------------------
> + tests/data/Makefile.am | 2 +-
> + tests/data/test2506 | 64 ++++++++++++++++++++
> + tests/data/test998 | 1 -
> + tests/libtest/Makefile.inc | 2 +-
> + tests/libtest/lib2506.c | 71 ++++++++++++++++++++++
> + 6 files changed, 198 insertions(+), 63 deletions(-)
> + create mode 100644 tests/data/test2506
> + create mode 100644 tests/libtest/lib2506.c
> +
> +diff --git a/lib/http.c b/lib/http.c
> +index b960d79..9ac96ad 100644
> +--- a/lib/http.c
> ++++ b/lib/http.c
> +@@ -1201,75 +1201,76 @@ CURLcode Curl_http_follow(struct Curl_easy *data, const char *newurl,
> + return CURLE_OUT_OF_MEMORY;
> + }
> + else {
> +- uc = curl_url_get(data->state.uh, CURLUPART_URL, &follow_url, 0);
> +- if(uc)
> +- return Curl_uc_to_curlcode(uc);
> +-
> +- /* Clear auth if this redirects to a different port number or protocol,
> +- unless permitted */
> +- if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) {
> +- int port;
> +- bool clear = FALSE;
> ++ bool same_origin;
> ++ CURLcode result;
> ++ CURLU *u = curl_url();
> ++ char *oldscheme = NULL;
> ++ char *oldhost = NULL;
> ++ char *oldport = NULL;
> ++ char *newscheme = NULL;
> ++ char *newhost = NULL;
> ++ char *newport = NULL;
> ++ if(!u)
> ++ return CURLE_OUT_OF_MEMORY;
> +
> +- if(data->set.use_port && data->state.allow_port)
> +- /* a custom port is used */
> +- port = (int)data->set.use_port;
> +- else {
> +- curl_off_t value;
> +- char *portnum;
> +- const char *p;
> +- uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum,
> +- CURLU_DEFAULT_PORT);
> +- if(uc) {
> +- curlx_free(follow_url);
> +- return Curl_uc_to_curlcode(uc);
> +- }
> +- p = portnum;
> +- curlx_str_number(&p, &value, 0xffff);
> +- port = (int)value;
> +- curlx_free(portnum);
> +- }
> +- if(port != data->info.conn_remote_port) {
> +- infof(data, "Clear auth, redirects to port from %u to %u",
> +- data->info.conn_remote_port, port);
> +- clear = TRUE;
> +- }
> +- else {
> +- char *scheme;
> +- const struct Curl_scheme *p;
> +- uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0);
> +- if(uc) {
> +- curlx_free(follow_url);
> +- return Curl_uc_to_curlcode(uc);
> +- }
> ++ uc = curl_url_set(u, CURLUPART_URL, Curl_bufref_ptr(&data->state.url),
> ++ CURLU_URLENCODE | CURLU_ALLOW_SPACE);
> ++ if(!uc)
> ++ uc = curl_url_get(data->state.uh, CURLUPART_URL, &follow_url, 0);
> ++ if(!uc)
> ++ uc = curl_url_get(u, CURLUPART_SCHEME, &oldscheme, 0);
> ++ if(!uc)
> ++ uc = curl_url_get(u, CURLUPART_HOST, &oldhost, 0);
> ++ if(!uc)
> ++ uc = curl_url_get(u, CURLUPART_PORT, &oldport, CURLU_DEFAULT_PORT);
> ++ if(!uc)
> ++ uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &newscheme, 0);
> ++ if(!uc)
> ++ uc = curl_url_get(data->state.uh, CURLUPART_HOST, &newhost, 0);
> ++ if(!uc)
> ++ uc = curl_url_get(data->state.uh, CURLUPART_PORT, &newport,
> ++ CURLU_DEFAULT_PORT);
> ++ if(uc) {
> ++ curl_url_cleanup(u);
> ++ curlx_free(oldscheme);
> ++ curlx_free(oldhost);
> ++ curlx_free(oldport);
> ++ curlx_free(newscheme);
> ++ curlx_free(newhost);
> ++ curlx_free(newport);
> ++ curlx_free(follow_url);
> ++ return Curl_uc_to_curlcode(uc);
> ++ }
> +
> +- p = Curl_get_scheme(scheme);
> +- if(p && (p->protocol != data->info.conn_protocol)) {
> +- infof(data, "Clear auth, redirects scheme from %s to %s",
> +- data->info.conn_scheme, scheme);
> +- clear = TRUE;
> +- }
> +- curlx_free(scheme);
> +- }
> +- if(clear) {
> +- CURLcode result = Curl_reset_userpwd(data);
> +- if(result) {
> +- curlx_free(follow_url);
> +- return result;
> +- }
> +- Curl_safefree(data->state.aptr.user);
> +- Curl_safefree(data->state.aptr.passwd);
> ++ same_origin = strcasecompare(oldscheme, newscheme) &&
> ++ strcasecompare(oldhost, newhost) &&
> ++ !strcmp(oldport, newport);
That code (which is not in the upstream patch) failed to build on my
machine:
$ bitbake curl-native
| ../../sources/curl-8.19.0/lib/http.c:1245:19: error: implicit declaration of function ‘strcasecompare’; did you mean ‘strcasecmp_l’? [-Wimplicit-function-declaration]
| 1245 | same_origin = strcasecompare(oldscheme, newscheme) &&
| | ^~~~~~~~~~~~~~
| | strcasecmp_l
Can you check please?
Thanks!
--
Yoann Congal
Smile ECS
next prev parent reply other threads:[~2026-07-03 9:38 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-29 13:14 [OE-core] [wrynose] [PATCH 1/6] curl: ignore CVE-2026-4873 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 2/6] curl: fix CVE-2026-5545 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 3/6] curl: ignore CVE-2026-5773 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-07-03 8:55 ` Yoann Congal
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 4/6] curl: fix CVE-2026-6253 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 5/6] curl: fix CVE-2026-6429 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-07-03 9:38 ` Yoann Congal [this message]
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 6/6] curl: fix CVE-2026-7168 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DJOU3MGL8GSH.27D0R685LL2P1@smile.fr \
--to=yoann.congal@smile.fr \
--cc=adongare@cisco.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=xe-linux-external@cisco.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.