* [OE-core] [wrynose] [PATCH 1/6] curl: ignore CVE-2026-4873
@ 2026-06-29 13:14 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 2/6] curl: fix CVE-2026-5545 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
` (4 more replies)
0 siblings, 5 replies; 8+ messages in thread
From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-06-29 13:14 UTC (permalink / raw)
To: openembedded-core; +Cc: xe-linux-external, Anil Dongare
From: Anil Dongare <adongare@cisco.com>
- CVE-2026-4873 affects curl before 8.20.0 when a connection negotiated with
clear-text IMAP, POP3, or SMTP can later be reused for a TLS-required
transfer.
- In wrynose, these protocols are optional PACKAGECONFIG entries and are not
enabled by default in curl_8.19.0.bb, so record this CVE as configuration-not-applicable
for the default recipe configuration.
Reference:
- https://curl.se/docs/CVE-2026-4873.html
- https://nvd.nist.gov/vuln/detail/CVE-2026-4873
Signed-off-by: Anil Dongare <adongare@cisco.com>
---
meta/recipes-support/curl/curl_8.19.0.bb | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-support/curl/curl_8.19.0.bb b/meta/recipes-support/curl/curl_8.19.0.bb
index d58b774011..41e6888977 100644
--- a/meta/recipes-support/curl/curl_8.19.0.bb
+++ b/meta/recipes-support/curl/curl_8.19.0.bb
@@ -27,6 +27,7 @@ SRC_URI[sha256sum] = "4eb41489790d19e190d7ac7e18e82857cdd68af8f4e66b292ced562d33
# Curl has used many names over the years...
CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"
CVE_STATUS[CVE-2024-32928] = "ignored: CURLOPT_SSL_VERIFYPEER was disabled on google cloud services causing a potential man in the middle attack"
+CVE_STATUS[CVE-2026-4873] = "${@bb.utils.contains_any('PACKAGECONFIG', 'imap pop3 smtp', 'unpatched', 'not-applicable-config: clear-text imap/pop3/smtp support is not enabled in PACKAGECONFIG', d)}"
inherit autotools pkgconfig binconfig multilib_header ptest
--
2.51.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [OE-core] [wrynose] [PATCH 2/6] curl: fix CVE-2026-5545
2026-06-29 13:14 [OE-core] [wrynose] [PATCH 1/6] curl: ignore CVE-2026-4873 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
@ 2026-06-29 13:14 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 3/6] curl: ignore CVE-2026-5773 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
` (3 subsequent siblings)
4 siblings, 0 replies; 8+ messages in thread
From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-06-29 13:14 UTC (permalink / raw)
To: openembedded-core; +Cc: xe-linux-external, Anil Dongare
From: Anil Dongare <adongare@cisco.com>
Backport the upstream fix [1] for the Negotiate-authenticated connection
reuse issue described in [2] and tracked by [3].
[1] https://github.com/curl/curl/commit/33e43985b8f3b9e66691d06e70be0395849856cd
[2] https://curl.se/docs/CVE-2026-5545.html
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-5545
Signed-off-by: Anil Dongare <adongare@cisco.com>
---
.../curl/curl/CVE-2026-5545.patch | 46 +++++++++++++++++++
meta/recipes-support/curl/curl_8.19.0.bb | 1 +
2 files changed, 47 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2026-5545.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2026-5545.patch b/meta/recipes-support/curl/curl/CVE-2026-5545.patch
new file mode 100644
index 0000000000..86a63c6738
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2026-5545.patch
@@ -0,0 +1,46 @@
+From 33e43985b8f3b9e66691d06e70be0395849856cd Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan@eissing.org>
+Date: Thu, 2 Apr 2026 11:33:39 +0200
+Subject: [PATCH] url: improve connection reuse on negotiate
+
+Check state of negotiate to allow proper connection reuse.
+
+Closes #21203
+
+CVE: CVE-2026-5545
+Upstream-Status: Backport [https://github.com/curl/curl/commit/33e43985b8f3b9e66691d06e70be0395849856cd]
+
+(cherry picked from commit 33e43985b8f3b9e66691d06e70be0395849856cd)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ lib/url.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index b9e308a..7c24f1a 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1110,11 +1110,17 @@ static bool url_match_auth_ntlm(struct connectdata *conn,
+ if(m->want_ntlm_http) {
+ if(Curl_timestrcmp(m->needle->user, conn->user) ||
+ Curl_timestrcmp(m->needle->passwd, conn->passwd)) {
+-
+ /* we prefer a credential match, but this is at least a connection
+- that can be reused and "upgraded" to NTLM */
+- if(conn->http_ntlm_state == NTLMSTATE_NONE)
++ that can be reused and "upgraded" to NTLM if it does
++ not have any auth ongoing. */
++#ifdef USE_SPNEGO
++ if((conn->http_ntlm_state == NTLMSTATE_NONE)
++ && (conn->http_negotiate_state == GSS_AUTHNONE)) {
++#else
++ if(conn->http_ntlm_state == NTLMSTATE_NONE) {
++#endif
+ m->found = conn;
++ }
+ return FALSE;
+ }
+ }
+--
+2.43.7
+
diff --git a/meta/recipes-support/curl/curl_8.19.0.bb b/meta/recipes-support/curl/curl_8.19.0.bb
index 41e6888977..2b1bc40e37 100644
--- a/meta/recipes-support/curl/curl_8.19.0.bb
+++ b/meta/recipes-support/curl/curl_8.19.0.bb
@@ -15,6 +15,7 @@ SRC_URI = " \
file://disable-tests \
file://no-test-timeout.patch \
file://CVE-2026-6276.patch \
+ file://CVE-2026-5545.patch \
file://mbedtls.patch \
"
--
2.51.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [OE-core] [wrynose] [PATCH 3/6] curl: ignore CVE-2026-5773
2026-06-29 13:14 [OE-core] [wrynose] [PATCH 1/6] curl: ignore CVE-2026-4873 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 2/6] curl: fix CVE-2026-5545 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
@ 2026-06-29 13:14 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-07-03 8:55 ` Yoann Congal
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 4/6] curl: fix CVE-2026-6253 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
` (2 subsequent siblings)
4 siblings, 1 reply; 8+ messages in thread
From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-06-29 13:14 UTC (permalink / raw)
To: openembedded-core; +Cc: xe-linux-external, Anil Dongare
From: Anil Dongare <adongare@cisco.com>
- CVE-2026-5773 affects curl before 8.20.0 when an authenticated SMB connection
can be reused for a different set of credentials.
- In wrynose, SMB support is available only through PACKAGECONFIG[smb] and is not
enabled by default, so record this CVE as configuration-not-applicable for the
default recipe configuration.
Reference:
- https://curl.se/docs/CVE-2026-5773.html
- https://nvd.nist.gov/vuln/detail/CVE-2026-5773
- https://github.com/openembedded/openembedded-core/blob/wrynose/meta/recipes-support/curl/curl_8.19.0.bb
Signed-off-by: Anil Dongare <adongare@cisco.com>
---
meta/recipes-support/curl/curl_8.19.0.bb | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-support/curl/curl_8.19.0.bb b/meta/recipes-support/curl/curl_8.19.0.bb
index 2b1bc40e37..5580791ec8 100644
--- a/meta/recipes-support/curl/curl_8.19.0.bb
+++ b/meta/recipes-support/curl/curl_8.19.0.bb
@@ -29,6 +29,7 @@ SRC_URI[sha256sum] = "4eb41489790d19e190d7ac7e18e82857cdd68af8f4e66b292ced562d33
CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"
CVE_STATUS[CVE-2024-32928] = "ignored: CURLOPT_SSL_VERIFYPEER was disabled on google cloud services causing a potential man in the middle attack"
CVE_STATUS[CVE-2026-4873] = "${@bb.utils.contains_any('PACKAGECONFIG', 'imap pop3 smtp', 'unpatched', 'not-applicable-config: clear-text imap/pop3/smtp support is not enabled in PACKAGECONFIG', d)}"
+CVE_STATUS[CVE-2026-5773] = "${@bb.utils.contains('PACKAGECONFIG', 'smb', 'unpatched', 'not-applicable-config: smb support is not enabled in PACKAGECONFIG', d)}"
inherit autotools pkgconfig binconfig multilib_header ptest
--
2.51.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [OE-core] [wrynose] [PATCH 4/6] curl: fix CVE-2026-6253
2026-06-29 13:14 [OE-core] [wrynose] [PATCH 1/6] curl: ignore CVE-2026-4873 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 2/6] curl: fix CVE-2026-5545 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 3/6] curl: ignore CVE-2026-5773 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
@ 2026-06-29 13:14 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 5/6] curl: fix CVE-2026-6429 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 6/6] curl: fix CVE-2026-7168 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
4 siblings, 0 replies; 8+ messages in thread
From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-06-29 13:14 UTC (permalink / raw)
To: openembedded-core; +Cc: xe-linux-external, Anil Dongare
From: Anil Dongare <adongare@cisco.com>
Backport the upstream fix [1] for the proxy credential leak on redirect
described in [2] and tracked by [3].
[1] https://github.com/curl/curl/commit/188c2f166a20fa97c2325b2da7d0e5cecc13725f
[2] https://curl.se/docs/CVE-2026-6253.html
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-6253
Signed-off-by: Anil Dongare <adongare@cisco.com>
---
.../curl/curl/CVE-2026-6253.patch | 392 ++++++++++++++++++
meta/recipes-support/curl/curl_8.19.0.bb | 1 +
2 files changed, 393 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2026-6253.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2026-6253.patch b/meta/recipes-support/curl/curl/CVE-2026-6253.patch
new file mode 100644
index 0000000000..3923ba9372
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2026-6253.patch
@@ -0,0 +1,392 @@
+From 188c2f166a20fa97c2325b2da7d0e5cecc13725f Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 13 Apr 2026 17:17:23 +0200
+Subject: [PATCH] http: clear the proxy credentials as well on port or scheme
+ change
+
+Add tests 2009-2011 to verify switching between proxies with credentials
+when the switch is driven by a redirect
+
+Reported-by: Dwij Mehta
+
+Closes #21304
+
+CVE: CVE-2026-6253
+Upstream-Status: Backport [https://github.com/curl/curl/commit/188c2f166a20fa97c2325b2da7d0e5cecc13725f]
+
+Backport Changes:
+- Adapted the redirect credential reset hunk to curl 8.19.0 Curl_http_follow() after the existing wrynose CVE-2026-6276 backport.
+- Adapted tests/data/Makefile.am placement for the wrynose test list.
+
+(cherry picked from commit 188c2f166a20fa97c2325b2da7d0e5cecc13725f)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ lib/http.c | 12 +++++++
+ lib/transfer.c | 51 +++++++++++++++++++++---------
+ lib/transfer.h | 2 ++
+ tests/data/Makefile.am | 1 +
+ tests/data/test2009 | 70 +++++++++++++++++++++++++++++++++++++++++
+ tests/data/test2010 | 71 ++++++++++++++++++++++++++++++++++++++++++
+ tests/data/test2011 | 70 +++++++++++++++++++++++++++++++++++++++++
+ 7 files changed, 262 insertions(+), 15 deletions(-)
+ create mode 100644 tests/data/test2009
+ create mode 100644 tests/data/test2010
+ create mode 100644 tests/data/test2011
+
+diff --git a/lib/http.c b/lib/http.c
+index 7ebbdfa..b960d79 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -1252,12 +1252,24 @@ CURLcode Curl_http_follow(struct Curl_easy *data, const char *newurl,
+ curlx_free(scheme);
+ }
+ if(clear) {
++ CURLcode result = Curl_reset_userpwd(data);
++ if(result) {
++ curlx_free(follow_url);
++ return result;
++ }
+ Curl_safefree(data->state.aptr.user);
+ Curl_safefree(data->state.aptr.passwd);
+ }
+ }
+ }
+ DEBUGASSERT(follow_url);
++ {
++ CURLcode result = Curl_reset_proxypwd(data);
++ if(result) {
++ curlx_free(follow_url);
++ return result;
++ }
++ }
+
+ if(type == FOLLOW_FAKE) {
+ /* we are only figuring out the new URL if we would have followed locations
+diff --git a/lib/transfer.c b/lib/transfer.c
+index 6dd2f52..af5bee2 100644
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -439,6 +439,40 @@ void Curl_init_CONNECT(struct Curl_easy *data)
+ data->state.upload = (data->state.httpreq == HTTPREQ_PUT);
+ }
+
++/*
++ * Restore the user credentials to those set in options.
++ */
++CURLcode Curl_reset_userpwd(struct Curl_easy *data)
++{
++ CURLcode result;
++ if(data->set.str[STRING_USERNAME] || data->set.str[STRING_PASSWORD])
++ data->state.creds_from = CREDS_OPTION;
++ result = Curl_setstropt(&data->state.aptr.user,
++ data->set.str[STRING_USERNAME]);
++ if(!result)
++ result = Curl_setstropt(&data->state.aptr.passwd,
++ data->set.str[STRING_PASSWORD]);
++ return result;
++}
++
++/*
++ * Restore the proxy credentials to those set in options.
++ */
++CURLcode Curl_reset_proxypwd(struct Curl_easy *data)
++{
++#ifndef CURL_DISABLE_PROXY
++ CURLcode result = Curl_setstropt(&data->state.aptr.proxyuser,
++ data->set.str[STRING_PROXYUSERNAME]);
++ if(!result)
++ result = Curl_setstropt(&data->state.aptr.proxypasswd,
++ data->set.str[STRING_PROXYPASSWORD]);
++ return result;
++#else
++ (void)data;
++ return CURLE_OK;
++#endif
++}
++
+ /*
+ * Curl_pretransfer() is called immediately before a transfer starts, and only
+ * once for one transfer no matter if it has redirects or do multi-pass
+@@ -584,23 +618,10 @@ CURLcode Curl_pretransfer(struct Curl_easy *data)
+ return CURLE_OUT_OF_MEMORY;
+ }
+
+- if(data->set.str[STRING_USERNAME] ||
+- data->set.str[STRING_PASSWORD])
+- data->state.creds_from = CREDS_OPTION;
+ if(!result)
+- result = Curl_setstropt(&data->state.aptr.user,
+- data->set.str[STRING_USERNAME]);
++ result = Curl_reset_userpwd(data);
+ if(!result)
+- result = Curl_setstropt(&data->state.aptr.passwd,
+- data->set.str[STRING_PASSWORD]);
+-#ifndef CURL_DISABLE_PROXY
+- if(!result)
+- result = Curl_setstropt(&data->state.aptr.proxyuser,
+- data->set.str[STRING_PROXYUSERNAME]);
+- if(!result)
+- result = Curl_setstropt(&data->state.aptr.proxypasswd,
+- data->set.str[STRING_PROXYPASSWORD]);
+-#endif
++ result = Curl_reset_proxypwd(data);
+
+ data->req.headerbytecount = 0;
+ Curl_headers_cleanup(data);
+diff --git a/lib/transfer.h b/lib/transfer.h
+index 05a5f89..131e31a 100644
+--- a/lib/transfer.h
++++ b/lib/transfer.h
+@@ -31,6 +31,8 @@ char *Curl_checkheaders(const struct Curl_easy *data,
+
+ void Curl_init_CONNECT(struct Curl_easy *data);
+
++CURLcode Curl_reset_userpwd(struct Curl_easy *data);
++CURLcode Curl_reset_proxypwd(struct Curl_easy *data);
+ CURLcode Curl_pretransfer(struct Curl_easy *data);
+
+ CURLcode Curl_sendrecv(struct Curl_easy *data);
+diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am
+index da0f8f5..00a5221 100644
+--- a/tests/data/Makefile.am
++++ b/tests/data/Makefile.am
+@@ -244,6 +244,7 @@ test1970 test1971 test1972 test1973 test1974 test1975 test1976 test1977 \
+ test1978 test1979 test1980 test1981 \
+ \
+ test2000 test2001 test2002 test2003 test2004 test2005 test2006 \
++test2009 test2010 test2011 \
+ \
+ test2023 \
+ test2024 test2025 test2026 test2027 test2028 test2029 test2030 test2031 \
+diff --git a/tests/data/test2009 b/tests/data/test2009
+new file mode 100644
+index 0000000..d2fd79e
+--- /dev/null
++++ b/tests/data/test2009
+@@ -0,0 +1,70 @@
++<?xml version="1.0" encoding="US-ASCII"?>
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP proxy
++http_proxy
++</keywords>
++</info>
++# Server-side
++<reply>
++<connect>
++HTTP/1.1 407 Denied
++
++</connect>
++<data crlf="headers" nocheck="yes">
++HTTP/1.1 301 redirect
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 4
++Content-Type: text/html
++Location: https://another.example/%TESTNUMBER0002
++
++boo
++</data>
++</reply>
++
++# Client-side
++<client>
++<features>
++proxy
++</features>
++<server>
++http
++https
++</server>
++<name>
++proxy credentials via env variables, redirect from http to https
++</name>
++
++<setenv>
++http_proxy=http://user:secret@%HOSTIP:%HTTPPORT
++https_proxy=https://%HOSTIP:%HTTPSPORT/
++</setenv>
++<command>
++http://somewhere.example/ --follow --proxy-insecure
++</command>
++</client>
++
++# Verify data after the test has been "shot"
++<verify>
++<protocol crlf="headers">
++GET http://somewhere.example/ HTTP/1.1
++Host: somewhere.example
++Proxy-Authorization: Basic %b64[user:secret]b64%
++User-Agent: curl/%VERSION
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++CONNECT another.example:443 HTTP/1.1
++Host: another.example:443
++User-Agent: curl/%VERSION
++Proxy-Connection: Keep-Alive
++
++</protocol>
++<errorcode>
++7
++</errorcode>
++</verify>
++</testcase>
+diff --git a/tests/data/test2010 b/tests/data/test2010
+new file mode 100644
+index 0000000..443ae9d
+--- /dev/null
++++ b/tests/data/test2010
+@@ -0,0 +1,71 @@
++<?xml version="1.0" encoding="US-ASCII"?>
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP proxy
++http_proxy
++</keywords>
++</info>
++# Server-side
++<reply>
++<connect>
++HTTP/1.1 407 Denied
++
++</connect>
++<data crlf="headers" nocheck="yes">
++HTTP/1.1 301 redirect
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 4
++Content-Type: text/html
++Location: https://another.example/%TESTNUMBER0002
++
++boo
++</data>
++</reply>
++
++# Client-side
++<client>
++<features>
++proxy
++</features>
++<server>
++http
++https
++</server>
++<name>
++proxy credentials via options for two proxies, redirect from http to https
++</name>
++
++<setenv>
++http_proxy=http://%HOSTIP:%HTTPPORT
++https_proxy=https://%HOSTIP:%HTTPSPORT/
++</setenv>
++<command>
++--proxy-user batman:robin http://somewhere.example/ --follow --proxy-insecure
++</command>
++</client>
++
++# Verify data after the test has been "shot"
++<verify>
++<protocol crlf="headers">
++GET http://somewhere.example/ HTTP/1.1
++Host: somewhere.example
++Proxy-Authorization: Basic %b64[batman:robin]b64%
++User-Agent: curl/%VERSION
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++CONNECT another.example:443 HTTP/1.1
++Host: another.example:443
++Proxy-Authorization: Basic %b64[batman:robin]b64%
++User-Agent: curl/%VERSION
++Proxy-Connection: Keep-Alive
++
++</protocol>
++<errorcode>
++7
++</errorcode>
++</verify>
++</testcase>
+diff --git a/tests/data/test2011 b/tests/data/test2011
+new file mode 100644
+index 0000000..dd4e534
+--- /dev/null
++++ b/tests/data/test2011
+@@ -0,0 +1,70 @@
++<?xml version="1.0" encoding="US-ASCII"?>
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP proxy
++http_proxy
++</keywords>
++</info>
++# Server-side
++<reply>
++<connect>
++HTTP/1.1 407 Denied
++
++</connect>
++<data crlf="headers" nocheck="yes">
++HTTP/1.1 301 redirect
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 4
++Content-Type: text/html
++Location: https://another.example/%TESTNUMBER0002
++
++boo
++</data>
++</reply>
++
++# Client-side
++<client>
++<features>
++proxy
++</features>
++<server>
++http
++https
++</server>
++<name>
++proxy creds via env, cross-scheme redirect, --location-trusted
++</name>
++
++<setenv>
++http_proxy=http://user:secret@%HOSTIP:%HTTPPORT
++https_proxy=https://%HOSTIP:%HTTPSPORT/
++</setenv>
++<command>
++http://somewhere.example/ --location-trusted --proxy-insecure
++</command>
++</client>
++
++# Verify data after the test has been "shot"
++<verify>
++<protocol crlf="headers">
++GET http://somewhere.example/ HTTP/1.1
++Host: somewhere.example
++Proxy-Authorization: Basic %b64[user:secret]b64%
++User-Agent: curl/%VERSION
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++CONNECT another.example:443 HTTP/1.1
++Host: another.example:443
++User-Agent: curl/%VERSION
++Proxy-Connection: Keep-Alive
++
++</protocol>
++<errorcode>
++7
++</errorcode>
++</verify>
++</testcase>
+--
+2.43.7
+
diff --git a/meta/recipes-support/curl/curl_8.19.0.bb b/meta/recipes-support/curl/curl_8.19.0.bb
index 5580791ec8..09e93c8ce5 100644
--- a/meta/recipes-support/curl/curl_8.19.0.bb
+++ b/meta/recipes-support/curl/curl_8.19.0.bb
@@ -16,6 +16,7 @@ SRC_URI = " \
file://no-test-timeout.patch \
file://CVE-2026-6276.patch \
file://CVE-2026-5545.patch \
+ file://CVE-2026-6253.patch \
file://mbedtls.patch \
"
--
2.51.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [OE-core] [wrynose] [PATCH 5/6] curl: fix CVE-2026-6429
2026-06-29 13:14 [OE-core] [wrynose] [PATCH 1/6] curl: ignore CVE-2026-4873 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
` (2 preceding siblings ...)
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 4/6] curl: fix CVE-2026-6253 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
@ 2026-06-29 13:14 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-07-03 9:38 ` Yoann Congal
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 6/6] curl: fix CVE-2026-7168 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
4 siblings, 1 reply; 8+ messages in thread
From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-06-29 13:14 UTC (permalink / raw)
To: openembedded-core; +Cc: xe-linux-external, Anil Dongare
From: Anil Dongare <adongare@cisco.com>
Backport the upstream fix [1] for the netrc credential leak on redirect
described in [2] and tracked by [3].
[1] https://github.com/curl/curl/commit/b4024bf808bd558026fdc6096e8457f199ace306
[2] https://curl.se/docs/CVE-2026-6429.html
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-6429
Signed-off-by: Anil Dongare <adongare@cisco.com>
---
.../curl/curl/CVE-2026-6429.patch | 362 ++++++++++++++++++
meta/recipes-support/curl/curl_8.19.0.bb | 1 +
2 files changed, 363 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2026-6429.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2026-6429.patch b/meta/recipes-support/curl/curl/CVE-2026-6429.patch
new file mode 100644
index 0000000000..f4398e00f6
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2026-6429.patch
@@ -0,0 +1,362 @@
+From b4024bf808bd558026fdc6096e8457f199ace306 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 16 Apr 2026 14:26:20 +0200
+Subject: [PATCH] http: clear credentials better on redirect
+
+Verify with test 2506: netrc with redirect using proxy
+
+Updated test 998 which was wrong.
+
+Reported-by: Muhamad Arga Reksapati
+
+Closes #21345
+
+CVE: CVE-2026-6429
+Upstream-Status: Backport [https://github.com/curl/curl/commit/b4024bf808bd558026fdc6096e8457f199ace306]
+
+Backport Changes:
+- curl 8.19.0 does not have Curl_url_same_origin(), so the same-origin comparison is kept inline in Curl_http_follow().
+- Adapted tests/data/Makefile.am and tests/libtest/Makefile.inc placement for the wrynose test lists.
+
+(cherry picked from commit b4024bf808bd558026fdc6096e8457f199ace306)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ lib/http.c | 121 +++++++++++++++++++------------------
+ tests/data/Makefile.am | 2 +-
+ tests/data/test2506 | 64 ++++++++++++++++++++
+ tests/data/test998 | 1 -
+ tests/libtest/Makefile.inc | 2 +-
+ tests/libtest/lib2506.c | 71 ++++++++++++++++++++++
+ 6 files changed, 198 insertions(+), 63 deletions(-)
+ create mode 100644 tests/data/test2506
+ create mode 100644 tests/libtest/lib2506.c
+
+diff --git a/lib/http.c b/lib/http.c
+index b960d79..9ac96ad 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -1201,75 +1201,76 @@ CURLcode Curl_http_follow(struct Curl_easy *data, const char *newurl,
+ return CURLE_OUT_OF_MEMORY;
+ }
+ else {
+- uc = curl_url_get(data->state.uh, CURLUPART_URL, &follow_url, 0);
+- if(uc)
+- return Curl_uc_to_curlcode(uc);
+-
+- /* Clear auth if this redirects to a different port number or protocol,
+- unless permitted */
+- if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) {
+- int port;
+- bool clear = FALSE;
++ bool same_origin;
++ CURLcode result;
++ CURLU *u = curl_url();
++ char *oldscheme = NULL;
++ char *oldhost = NULL;
++ char *oldport = NULL;
++ char *newscheme = NULL;
++ char *newhost = NULL;
++ char *newport = NULL;
++ if(!u)
++ return CURLE_OUT_OF_MEMORY;
+
+- if(data->set.use_port && data->state.allow_port)
+- /* a custom port is used */
+- port = (int)data->set.use_port;
+- else {
+- curl_off_t value;
+- char *portnum;
+- const char *p;
+- uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum,
+- CURLU_DEFAULT_PORT);
+- if(uc) {
+- curlx_free(follow_url);
+- return Curl_uc_to_curlcode(uc);
+- }
+- p = portnum;
+- curlx_str_number(&p, &value, 0xffff);
+- port = (int)value;
+- curlx_free(portnum);
+- }
+- if(port != data->info.conn_remote_port) {
+- infof(data, "Clear auth, redirects to port from %u to %u",
+- data->info.conn_remote_port, port);
+- clear = TRUE;
+- }
+- else {
+- char *scheme;
+- const struct Curl_scheme *p;
+- uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0);
+- if(uc) {
+- curlx_free(follow_url);
+- return Curl_uc_to_curlcode(uc);
+- }
++ uc = curl_url_set(u, CURLUPART_URL, Curl_bufref_ptr(&data->state.url),
++ CURLU_URLENCODE | CURLU_ALLOW_SPACE);
++ if(!uc)
++ uc = curl_url_get(data->state.uh, CURLUPART_URL, &follow_url, 0);
++ if(!uc)
++ uc = curl_url_get(u, CURLUPART_SCHEME, &oldscheme, 0);
++ if(!uc)
++ uc = curl_url_get(u, CURLUPART_HOST, &oldhost, 0);
++ if(!uc)
++ uc = curl_url_get(u, CURLUPART_PORT, &oldport, CURLU_DEFAULT_PORT);
++ if(!uc)
++ uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &newscheme, 0);
++ if(!uc)
++ uc = curl_url_get(data->state.uh, CURLUPART_HOST, &newhost, 0);
++ if(!uc)
++ uc = curl_url_get(data->state.uh, CURLUPART_PORT, &newport,
++ CURLU_DEFAULT_PORT);
++ if(uc) {
++ curl_url_cleanup(u);
++ curlx_free(oldscheme);
++ curlx_free(oldhost);
++ curlx_free(oldport);
++ curlx_free(newscheme);
++ curlx_free(newhost);
++ curlx_free(newport);
++ curlx_free(follow_url);
++ return Curl_uc_to_curlcode(uc);
++ }
+
+- p = Curl_get_scheme(scheme);
+- if(p && (p->protocol != data->info.conn_protocol)) {
+- infof(data, "Clear auth, redirects scheme from %s to %s",
+- data->info.conn_scheme, scheme);
+- clear = TRUE;
+- }
+- curlx_free(scheme);
+- }
+- if(clear) {
+- CURLcode result = Curl_reset_userpwd(data);
+- if(result) {
+- curlx_free(follow_url);
+- return result;
+- }
+- Curl_safefree(data->state.aptr.user);
+- Curl_safefree(data->state.aptr.passwd);
++ same_origin = strcasecompare(oldscheme, newscheme) &&
++ strcasecompare(oldhost, newhost) &&
++ !strcmp(oldport, newport);
++
++ curl_url_cleanup(u);
++ curlx_free(oldscheme);
++ curlx_free(oldhost);
++ curlx_free(oldport);
++ curlx_free(newscheme);
++ curlx_free(newhost);
++ curlx_free(newport);
++
++ if((!same_origin && !data->set.allow_auth_to_other_hosts) ||
++ !data->set.str[STRING_USERNAME]) {
++ result = Curl_reset_userpwd(data);
++ if(result) {
++ curlx_free(follow_url);
++ return result;
+ }
++ Curl_safefree(data->state.aptr.user);
++ Curl_safefree(data->state.aptr.passwd);
+ }
+- }
+- DEBUGASSERT(follow_url);
+- {
+- CURLcode result = Curl_reset_proxypwd(data);
++ result = Curl_reset_proxypwd(data);
+ if(result) {
+ curlx_free(follow_url);
+ return result;
+ }
+ }
++ DEBUGASSERT(follow_url);
+
+ if(type == FOLLOW_FAKE) {
+ /* we are only figuring out the new URL if we would have followed locations
+diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am
+index 00a5221..1b76b01 100644
+--- a/tests/data/Makefile.am
++++ b/tests/data/Makefile.am
+@@ -265,7 +265,7 @@ test2309 \
+ \
+ test2400 test2401 test2402 test2403 test2404 test2405 test2406 test2407 \
+ \
+-test2500 test2501 test2502 test2503 test2504 \
++test2500 test2501 test2502 test2503 test2504 test2506 \
+ \
+ test2600 test2601 test2602 test2603 test2604 test2605 \
+ \
+diff --git a/tests/data/test2506 b/tests/data/test2506
+new file mode 100644
+index 0000000..9c65002
+--- /dev/null
++++ b/tests/data/test2506
+@@ -0,0 +1,64 @@
++<?xml version="1.0" encoding="US-ASCII"?>
++<testcase>
++<info>
++<keywords>
++HTTP
++cookies
++</keywords>
++</info>
++
++<reply>
++<data crlf="headers" nocheck="yes">
++HTTP/1.1 301 redirect
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Content-Length: 3
++Location: http://numbertwo.example/%TESTNUMBER0002
++
++ok
++</data>
++<data2 crlf="headers" nocheck="yes">
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Content-Length: 4
++
++yes
++</data2>
++</reply>
++
++<client>
++<server>
++http
++</server>
++<features>
++proxy
++</features>
++<tool>
++lib%TESTNUMBER
++</tool>
++<name>
++netrc with redirect using proxy
++</name>
++<file name="%LOGDIR/netrc2506">
++machine site.example login batman password robin
++</file>
++<command>
++http://%HOSTIP:%HTTPPORT http://site.example/ %LOGDIR/netrc2506
++</command>
++</client>
++
++<verify>
++<protocol crlf="headers">
++GET http://site.example/ HTTP/1.1
++Host: site.example
++Authorization: Basic %b64[batman:robin]b64%
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++GET http://numbertwo.example/25060002 HTTP/1.1
++Host: numbertwo.example
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++</protocol>
++</verify>
++</testcase>
+diff --git a/tests/data/test998 b/tests/data/test998
+index 24d1d3d..56dbc0c 100644
+--- a/tests/data/test998
++++ b/tests/data/test998
+@@ -77,7 +77,6 @@ Proxy-Connection: Keep-Alive
+
+ GET http://somewhere.else.example/a/path/9980002 HTTP/1.1
+ Host: somewhere.else.example
+-Authorization: Basic %b64[alberto:einstein]b64%
+ User-Agent: curl/%VERSION
+ Accept: */*
+ Proxy-Connection: Keep-Alive
+diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
+index 2319baf..2f77c16 100644
+--- a/tests/libtest/Makefile.inc
++++ b/tests/libtest/Makefile.inc
+@@ -113,7 +113,7 @@ TESTS_C = \
+ lib2023.c lib2032.c lib2082.c \
+ lib2301.c lib2302.c lib2304.c lib2306.c lib2308.c lib2309.c \
+ lib2402.c lib2404.c lib2405.c \
+- lib2502.c lib2504.c \
++ lib2502.c lib2504.c lib2506.c \
+ lib2700.c \
+ lib3010.c lib3025.c lib3026.c lib3027.c lib3033.c lib3034.c \
+ lib3100.c lib3101.c lib3102.c lib3103.c lib3104.c lib3105.c \
+diff --git a/tests/libtest/lib2506.c b/tests/libtest/lib2506.c
+new file mode 100644
+index 0000000..8b3b342
+--- /dev/null
++++ b/tests/libtest/lib2506.c
+@@ -0,0 +1,71 @@
++/***************************************************************************
++ * _ _ ____ _
++ * Project ___| | | | _ \| |
++ * / __| | | | |_) | |
++ * | (__| |_| | _ <| |___
++ * \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) Linus Nielsen Feltzing <linus@haxx.se>
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at https://curl.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ * SPDX-License-Identifier: curl
++ *
++ ***************************************************************************/
++#include "first.h"
++
++#include "testtrace.h"
++
++static size_t sink2506(char *ptr, size_t size, size_t nmemb, void *ud)
++{
++ (void)ptr;
++ (void)ud;
++ return size * nmemb;
++}
++
++static CURLcode test_lib2506(const char *URL)
++{
++ CURL *curl;
++ CURLcode result = CURLE_OUT_OF_MEMORY;
++
++ if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) {
++ curl_mfprintf(stderr, "curl_global_init() failed\n");
++ return TEST_ERR_MAJOR_BAD;
++ }
++
++ curl = curl_easy_init();
++ if(!curl) {
++ curl_mfprintf(stderr, "curl_easy_init() failed\n");
++ curl_global_cleanup();
++ return TEST_ERR_MAJOR_BAD;
++ }
++
++ test_setopt(curl, CURLOPT_WRITEFUNCTION, sink2506);
++ test_setopt(curl, CURLOPT_PROXY, URL);
++ test_setopt(curl, CURLOPT_URL, libtest_arg2);
++ test_setopt(curl, CURLOPT_NETRC, CURL_NETRC_OPTIONAL);
++ test_setopt(curl, CURLOPT_NETRC_FILE, libtest_arg3);
++ test_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L);
++ test_setopt(curl, CURLOPT_VERBOSE, 1L);
++
++ /* CURLOPT_UNRESTRICTED_AUTH should not make a difference because the
++ credentials come from netrc */
++ test_setopt(curl, CURLOPT_UNRESTRICTED_AUTH, 1L);
++
++ result = curl_easy_perform(curl);
++
++test_cleanup:
++ curl_easy_cleanup(curl);
++ curl_global_cleanup();
++
++ return result;
++}
+--
+2.43.7
+
diff --git a/meta/recipes-support/curl/curl_8.19.0.bb b/meta/recipes-support/curl/curl_8.19.0.bb
index 09e93c8ce5..6c31978519 100644
--- a/meta/recipes-support/curl/curl_8.19.0.bb
+++ b/meta/recipes-support/curl/curl_8.19.0.bb
@@ -17,6 +17,7 @@ SRC_URI = " \
file://CVE-2026-6276.patch \
file://CVE-2026-5545.patch \
file://CVE-2026-6253.patch \
+ file://CVE-2026-6429.patch \
file://mbedtls.patch \
"
--
2.51.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [OE-core] [wrynose] [PATCH 6/6] curl: fix CVE-2026-7168
2026-06-29 13:14 [OE-core] [wrynose] [PATCH 1/6] curl: ignore CVE-2026-4873 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
` (3 preceding siblings ...)
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 5/6] curl: fix CVE-2026-6429 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
@ 2026-06-29 13:14 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
4 siblings, 0 replies; 8+ messages in thread
From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-06-29 13:14 UTC (permalink / raw)
To: openembedded-core; +Cc: xe-linux-external, Anil Dongare
From: Anil Dongare <adongare@cisco.com>
Backport the upstream fix [1] for proxy Digest state reuse across proxy
switches described in [2] and tracked by [3].
[1] https://github.com/curl/curl/commit/c1cfdf59acbaf9504c4578d4cf56cdd7c8594507
[2] https://curl.se/docs/CVE-2026-7168.html
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-7168
Signed-off-by: Anil Dongare <adongare@cisco.com>
---
.../curl/curl/CVE-2026-7168.patch | 375 ++++++++++++++++++
meta/recipes-support/curl/curl_8.19.0.bb | 1 +
2 files changed, 376 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2026-7168.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2026-7168.patch b/meta/recipes-support/curl/curl/CVE-2026-7168.patch
new file mode 100644
index 0000000000..432dad62c6
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2026-7168.patch
@@ -0,0 +1,375 @@
+From c1cfdf59acbaf9504c4578d4cf56cdd7c8594507 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 27 Apr 2026 09:14:51 +0200
+Subject: [PATCH] setopt: clear proxy auth properties when switching
+
+Verify with test 1588
+
+Closes #21453
+
+CVE: CVE-2026-7168
+Upstream-Status: Backport [https://github.com/curl/curl/commit/c1cfdf59acbaf9504c4578d4cf56cdd7c8594507]
+
+Backport Changes:
+- Adapted setproxy() insertion and test-list placement to the curl 8.19.0 wrynose layout.
+
+(cherry picked from commit c1cfdf59acbaf9504c4578d4cf56cdd7c8594507)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ lib/setopt.c | 14 +++-
+ lib/vauth/vauth.h | 1 +
+ tests/data/Makefile.am | 2 +-
+ tests/data/test1588 | 106 ++++++++++++++++++++++++++
+ tests/libtest/Makefile.inc | 2 +-
+ tests/libtest/lib1588.c | 150 +++++++++++++++++++++++++++++++++++++
+ 6 files changed, 272 insertions(+), 3 deletions(-)
+ create mode 100644 tests/data/test1588
+ create mode 100644 tests/libtest/lib1588.c
+
+diff --git a/lib/setopt.c b/lib/setopt.c
+index 84f3e02..d12ffb6 100644
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -49,6 +49,7 @@
+ #include "curlx/strdup.h"
+ #include "escape.h"
+ #include "bufref.h"
++#include "vauth/vauth.h"
+
+ static CURLcode setopt_set_timeout_sec(timediff_t *ptimeout_ms, long secs)
+ {
+@@ -1664,6 +1665,17 @@ static CURLcode cookiefile(struct Curl_easy *data, const char *ptr)
+ #endif
+
+ #ifndef CURL_DISABLE_PROXY
++static CURLcode setproxy(struct Curl_easy *data, const char *proxy)
++{
++ if((data->set.str[STRING_PROXY] && proxy) &&
++ !strcmp(data->set.str[STRING_PROXY], proxy))
++ return CURLE_OK;
++
++ Curl_auth_digest_cleanup(&data->state.proxydigest);
++ memset(&data->state.authproxy, 0, sizeof(data->state.authproxy));
++ return Curl_setstropt(&data->set.str[STRING_PROXY], proxy);
++}
++
+ static CURLcode setopt_cptr_proxy(struct Curl_easy *data, CURLoption option,
+ const char *ptr)
+ {
+@@ -1759,7 +1771,7 @@ static CURLcode setopt_cptr_proxy(struct Curl_easy *data, CURLoption option,
+ * Setting it to NULL, means no proxy but allows the environment variables
+ * to decide for us (if CURLOPT_SOCKS_PROXY setting it to NULL).
+ */
+- return Curl_setstropt(&s->str[STRING_PROXY], ptr);
++ return setproxy(data, ptr);
+ case CURLOPT_PRE_PROXY:
+ /*
+ * Set proxy server:port to use as SOCKS proxy.
+diff --git a/lib/vauth/vauth.h b/lib/vauth/vauth.h
+index 3e66c89..20ee51e 100644
+--- a/lib/vauth/vauth.h
++++ b/lib/vauth/vauth.h
+@@ -117,6 +117,7 @@ CURLcode Curl_auth_create_digest_http_message(struct Curl_easy *data,
+ /* This is used to clean up the digest specific data */
+ void Curl_auth_digest_cleanup(struct digestdata *digest);
+ #else
++#define Curl_auth_digest_cleanup(x)
+ #define Curl_auth_is_digest_supported() FALSE
+ #endif /* !CURL_DISABLE_DIGEST_AUTH */
+
+diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am
+index 1b76b01..1e84b26 100644
+--- a/tests/data/Makefile.am
++++ b/tests/data/Makefile.am
+@@ -208,7 +208,7 @@ test1548 test1549 test1550 test1551 test1552 test1553 test1554 test1555 \
+ test1556 test1557 test1558 test1559 test1560 test1561 test1562 test1563 \
+ test1564 test1565 test1566 test1567 test1568 test1569 test1570 test1571 \
+ test1572 test1573 test1574 test1575 test1576 test1577 test1578 test1579 \
+-test1580 test1581 test1582 test1583 test1584 test1585 \
++test1580 test1581 test1582 test1583 test1584 test1585 test1588 \
+ \
+ test1590 test1591 test1592 test1593 test1594 test1595 test1596 test1597 \
+ test1598 test1599 test1600 test1601 test1602 test1603 test1604 test1605 \
+diff --git a/tests/data/test1588 b/tests/data/test1588
+new file mode 100644
+index 0000000..753e98c
+--- /dev/null
++++ b/tests/data/test1588
+@@ -0,0 +1,106 @@
++<?xml version="1.0" encoding="US-ASCII"?>
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP GET
++HTTP proxy
++HTTP proxy Digest auth
++multi
++</keywords>
++</info>
++
++# Server-side
++<reply>
++
++# this is returned first since we get no proxy-auth
++<data crlf="headers">
++HTTP/1.1 407 Authorization Required to proxy me my dear
++Proxy-Authenticate: Digest realm="weirdorealm", nonce="12345"
++Content-Length: 33
++
++And you should ignore this data.
++</data>
++
++# then this is returned when we get proxy-auth
++<data1000 crlf="headers">
++HTTP/1.1 200 OK
++Content-Length: 21
++Server: no
++
++Nice proxy auth sir!
++</data1000>
++
++<datacheck crlf="headers">
++HTTP/1.1 407 Authorization Required to proxy me my dear
++Proxy-Authenticate: Digest realm="weirdorealm", nonce="12345"
++Content-Length: 33
++
++HTTP/1.1 200 OK
++Content-Length: 21
++Server: no
++
++Nice proxy auth sir!
++HTTP/1.1 407 Authorization Required to proxy me my dear
++Proxy-Authenticate: Digest realm="weirdorealm", nonce="12345"
++Content-Length: 33
++
++HTTP/1.1 200 OK
++Content-Length: 21
++Server: no
++
++Nice proxy auth sir!
++</datacheck>
++</reply>
++
++# Client-side
++<client>
++<server>
++http
++</server>
++# tool is what to use instead of 'curl'
++<tool>
++lib%TESTNUMBER
++</tool>
++<features>
++!SSPI
++crypto
++proxy
++digest
++</features>
++<name>
++HTTP proxy auth Digest, then change proxy and do it again
++</name>
++<command>
++http://test.remote.example.com/path/%TESTNUMBER %HOSTIP %HTTPPORT silly:person custom.set.host.name
++</command>
++</client>
++
++# Verify data after the test has been "shot"
++<verify>
++<protocol crlf="headers">
++GET http://test.remote.example.com/path/1588 HTTP/1.1
++Host: test.remote.example.com
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++GET http://test.remote.example.com/path/1588 HTTP/1.1
++Host: test.remote.example.com
++Proxy-Authorization: Digest username="silly", realm="weirdorealm", nonce="12345", uri="/path/1588", response="d0b2f000c7e3fca24452b5810713404a"
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++GET http://test.remote.example.com/path/1588 HTTP/1.1
++Host: test.remote.example.com
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++GET http://test.remote.example.com/path/1588 HTTP/1.1
++Host: test.remote.example.com
++Proxy-Authorization: Digest username="silly", realm="weirdorealm", nonce="12345", uri="/path/1588", response="d0b2f000c7e3fca24452b5810713404a"
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++</protocol>
++</verify>
++</testcase>
+diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
+index 2f77c16..96b82bc 100644
+--- a/tests/libtest/Makefile.inc
++++ b/tests/libtest/Makefile.inc
+@@ -97,7 +97,7 @@ TESTS_C = \
+ lib1559.c lib1560.c lib1564.c lib1565.c \
+ lib1567.c lib1568.c lib1569.c lib1571.c \
+ lib1576.c \
+- lib1582.c \
++ lib1582.c lib1588.c \
+ lib1591.c lib1592.c lib1593.c lib1594.c lib1597.c \
+ lib1598.c lib1599.c \
+ lib1662.c \
+diff --git a/tests/libtest/lib1588.c b/tests/libtest/lib1588.c
+new file mode 100644
+index 0000000..9b12f36
+--- /dev/null
++++ b/tests/libtest/lib1588.c
+@@ -0,0 +1,150 @@
++/***************************************************************************
++ * _ _ ____ _
++ * Project ___| | | | _ \| |
++ * / __| | | | |_) | |
++ * | (__| |_| | _ <| |___
++ * \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at https://curl.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ * SPDX-License-Identifier: curl
++ *
++ ***************************************************************************/
++/*
++ * argv1 = URL
++ * argv2 = proxy host
++ * argv3 = proxy port
++ * argv4 = proxyuser:password
++ */
++
++#include "first.h"
++
++static CURLcode init1588(CURL *curl, const char *url,
++ const char *userpwd, const char *proxy)
++{
++ CURLcode result = CURLE_OK;
++
++ res_easy_setopt(curl, CURLOPT_URL, url);
++ if(result)
++ goto init_failed;
++
++ res_easy_setopt(curl, CURLOPT_PROXY, proxy);
++ if(result)
++ goto init_failed;
++
++ res_easy_setopt(curl, CURLOPT_PROXYUSERPWD, userpwd);
++ if(result)
++ goto init_failed;
++
++ res_easy_setopt(curl, CURLOPT_PROXYAUTH, CURLAUTH_DIGEST);
++ if(result)
++ goto init_failed;
++
++ res_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
++ if(result)
++ goto init_failed;
++#if 0
++ res_easy_setopt(curl, CURLOPT_HTTPPROXYTUNNEL, 1L);
++ if(result)
++ goto init_failed;
++#endif
++
++ res_easy_setopt(curl, CURLOPT_HEADER, 1L);
++ if(result)
++ goto init_failed;
++
++ return CURLE_OK; /* success */
++
++init_failed:
++ return result; /* failure */
++}
++
++static CURLcode run1588(CURL *curl, const char *url, const char *userpwd,
++ const char *proxy)
++{
++ CURLcode result = CURLE_OK;
++
++ result = init1588(curl, url, userpwd, proxy);
++ if(result)
++ return result;
++
++ return curl_easy_perform(curl);
++}
++
++static CURLcode test_lib1588(const char *URL)
++{
++ CURLcode result = CURLE_OK;
++ CURL *curl = NULL;
++ const char *proxyuserpws = libtest_arg4;
++ struct curl_slist *host = NULL;
++ struct curl_slist *host2 = NULL;
++ char proxy1_resolve[128];
++ char proxy2_resolve[128];
++ char proxy1_connect[128];
++ char proxy2_connect[128];
++
++ if(test_argc < 3)
++ return TEST_ERR_MAJOR_BAD;
++
++ curl_msnprintf(proxy1_resolve, sizeof(proxy1_resolve),
++ "firstproxy:%s:%s", libtest_arg3, libtest_arg2);
++ curl_msnprintf(proxy2_resolve, sizeof(proxy2_resolve),
++ "secondproxy:%s:%s", libtest_arg3, libtest_arg2);
++
++ /* we connect to the fake host name but the right port number */
++ curl_msnprintf(proxy1_connect, sizeof(proxy1_connect),
++ "firstproxy:%s", libtest_arg3);
++ curl_msnprintf(proxy2_connect, sizeof(proxy2_connect),
++ "secondproxy:%s", libtest_arg3);
++
++ res_global_init(CURL_GLOBAL_ALL);
++ if(result)
++ return result;
++
++ curl = curl_easy_init();
++ if(!curl) {
++ curl_mfprintf(stderr, "curl_easy_init() failed\n");
++ curl_global_cleanup();
++ return TEST_ERR_MAJOR_BAD;
++ }
++
++ host = curl_slist_append(NULL, proxy1_resolve);
++ if(!host)
++ goto test_cleanup;
++ host2 = curl_slist_append(host, proxy2_resolve);
++ if(!host2)
++ goto test_cleanup;
++ host = host2;
++
++ start_test_timing();
++
++ easy_setopt(curl, CURLOPT_RESOLVE, host);
++
++ result = run1588(curl, URL, proxyuserpws, proxy1_connect);
++ if(result)
++ goto test_cleanup;
++
++ curl_mfprintf(stderr, "lib1588: now we do the request again\n");
++
++ result = run1588(curl, URL, proxyuserpws, proxy2_connect);
++
++test_cleanup:
++
++ /* proper cleanup sequence - type PB */
++
++ curl_easy_cleanup(curl);
++ curl_global_cleanup();
++ curl_slist_free_all(host);
++ return result;
++}
+--
+2.43.7
diff --git a/meta/recipes-support/curl/curl_8.19.0.bb b/meta/recipes-support/curl/curl_8.19.0.bb
index 6c31978519..1fb6e4f3be 100644
--- a/meta/recipes-support/curl/curl_8.19.0.bb
+++ b/meta/recipes-support/curl/curl_8.19.0.bb
@@ -18,6 +18,7 @@ SRC_URI = " \
file://CVE-2026-5545.patch \
file://CVE-2026-6253.patch \
file://CVE-2026-6429.patch \
+ file://CVE-2026-7168.patch \
file://mbedtls.patch \
"
--
2.51.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [OE-core] [wrynose] [PATCH 3/6] curl: ignore CVE-2026-5773
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 3/6] curl: ignore CVE-2026-5773 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
@ 2026-07-03 8:55 ` Yoann Congal
0 siblings, 0 replies; 8+ messages in thread
From: Yoann Congal @ 2026-07-03 8:55 UTC (permalink / raw)
To: adongare, openembedded-core; +Cc: xe-linux-external
On Mon Jun 29, 2026 at 3:14 PM CEST, Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote:
> From: Anil Dongare <adongare@cisco.com>
>
> - CVE-2026-5773 affects curl before 8.20.0 when an authenticated SMB connection
> can be reused for a different set of credentials.
> - In wrynose, SMB support is available only through PACKAGECONFIG[smb] and is not
> enabled by default, so record this CVE as configuration-not-applicable for the
> default recipe configuration.
>
> Reference:
> - https://curl.se/docs/CVE-2026-5773.html
> - https://nvd.nist.gov/vuln/detail/CVE-2026-5773
> - https://github.com/openembedded/openembedded-core/blob/wrynose/meta/recipes-support/curl/curl_8.19.0.bb
>
> Signed-off-by: Anil Dongare <adongare@cisco.com>
> ---
Hello,
Jaipaul Cheernam is working on fixing this CVE:
https://lore.kernel.org/all/20260624075504.63472-1-jaipaul.cheernam@est.tech/
I will hold your patch for now, maybe you can help Jaipaul get their
patch merged? (like testing/review the future v4)
Thanks!
--
Yoann Congal
Smile ECS
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [OE-core] [wrynose] [PATCH 5/6] curl: fix CVE-2026-6429
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 5/6] curl: fix CVE-2026-6429 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
@ 2026-07-03 9:38 ` Yoann Congal
0 siblings, 0 replies; 8+ messages in thread
From: Yoann Congal @ 2026-07-03 9:38 UTC (permalink / raw)
To: adongare, openembedded-core; +Cc: xe-linux-external
On Mon Jun 29, 2026 at 3:14 PM CEST, Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote:
> From: Anil Dongare <adongare@cisco.com>
>
> Backport the upstream fix [1] for the netrc credential leak on redirect
> described in [2] and tracked by [3].
>
> [1] https://github.com/curl/curl/commit/b4024bf808bd558026fdc6096e8457f199ace306
> [2] https://curl.se/docs/CVE-2026-6429.html
> [3] https://nvd.nist.gov/vuln/detail/CVE-2026-6429
>
> Signed-off-by: Anil Dongare <adongare@cisco.com>
> ---
> .../curl/curl/CVE-2026-6429.patch | 362 ++++++++++++++++++
> meta/recipes-support/curl/curl_8.19.0.bb | 1 +
> 2 files changed, 363 insertions(+)
> create mode 100644 meta/recipes-support/curl/curl/CVE-2026-6429.patch
>
> diff --git a/meta/recipes-support/curl/curl/CVE-2026-6429.patch b/meta/recipes-support/curl/curl/CVE-2026-6429.patch
> new file mode 100644
> index 0000000000..f4398e00f6
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2026-6429.patch
> @@ -0,0 +1,362 @@
> +From b4024bf808bd558026fdc6096e8457f199ace306 Mon Sep 17 00:00:00 2001
> +From: Daniel Stenberg <daniel@haxx.se>
> +Date: Thu, 16 Apr 2026 14:26:20 +0200
> +Subject: [PATCH] http: clear credentials better on redirect
> +
> +Verify with test 2506: netrc with redirect using proxy
> +
> +Updated test 998 which was wrong.
> +
> +Reported-by: Muhamad Arga Reksapati
> +
> +Closes #21345
> +
> +CVE: CVE-2026-6429
> +Upstream-Status: Backport [https://github.com/curl/curl/commit/b4024bf808bd558026fdc6096e8457f199ace306]
> +
> +Backport Changes:
> +- curl 8.19.0 does not have Curl_url_same_origin(), so the same-origin comparison is kept inline in Curl_http_follow().
> +- Adapted tests/data/Makefile.am and tests/libtest/Makefile.inc placement for the wrynose test lists.
> +
> +(cherry picked from commit b4024bf808bd558026fdc6096e8457f199ace306)
> +Signed-off-by: Anil Dongare <adongare@cisco.com>
> +---
> + lib/http.c | 121 +++++++++++++++++++------------------
> + tests/data/Makefile.am | 2 +-
> + tests/data/test2506 | 64 ++++++++++++++++++++
> + tests/data/test998 | 1 -
> + tests/libtest/Makefile.inc | 2 +-
> + tests/libtest/lib2506.c | 71 ++++++++++++++++++++++
> + 6 files changed, 198 insertions(+), 63 deletions(-)
> + create mode 100644 tests/data/test2506
> + create mode 100644 tests/libtest/lib2506.c
> +
> +diff --git a/lib/http.c b/lib/http.c
> +index b960d79..9ac96ad 100644
> +--- a/lib/http.c
> ++++ b/lib/http.c
> +@@ -1201,75 +1201,76 @@ CURLcode Curl_http_follow(struct Curl_easy *data, const char *newurl,
> + return CURLE_OUT_OF_MEMORY;
> + }
> + else {
> +- uc = curl_url_get(data->state.uh, CURLUPART_URL, &follow_url, 0);
> +- if(uc)
> +- return Curl_uc_to_curlcode(uc);
> +-
> +- /* Clear auth if this redirects to a different port number or protocol,
> +- unless permitted */
> +- if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) {
> +- int port;
> +- bool clear = FALSE;
> ++ bool same_origin;
> ++ CURLcode result;
> ++ CURLU *u = curl_url();
> ++ char *oldscheme = NULL;
> ++ char *oldhost = NULL;
> ++ char *oldport = NULL;
> ++ char *newscheme = NULL;
> ++ char *newhost = NULL;
> ++ char *newport = NULL;
> ++ if(!u)
> ++ return CURLE_OUT_OF_MEMORY;
> +
> +- if(data->set.use_port && data->state.allow_port)
> +- /* a custom port is used */
> +- port = (int)data->set.use_port;
> +- else {
> +- curl_off_t value;
> +- char *portnum;
> +- const char *p;
> +- uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum,
> +- CURLU_DEFAULT_PORT);
> +- if(uc) {
> +- curlx_free(follow_url);
> +- return Curl_uc_to_curlcode(uc);
> +- }
> +- p = portnum;
> +- curlx_str_number(&p, &value, 0xffff);
> +- port = (int)value;
> +- curlx_free(portnum);
> +- }
> +- if(port != data->info.conn_remote_port) {
> +- infof(data, "Clear auth, redirects to port from %u to %u",
> +- data->info.conn_remote_port, port);
> +- clear = TRUE;
> +- }
> +- else {
> +- char *scheme;
> +- const struct Curl_scheme *p;
> +- uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0);
> +- if(uc) {
> +- curlx_free(follow_url);
> +- return Curl_uc_to_curlcode(uc);
> +- }
> ++ uc = curl_url_set(u, CURLUPART_URL, Curl_bufref_ptr(&data->state.url),
> ++ CURLU_URLENCODE | CURLU_ALLOW_SPACE);
> ++ if(!uc)
> ++ uc = curl_url_get(data->state.uh, CURLUPART_URL, &follow_url, 0);
> ++ if(!uc)
> ++ uc = curl_url_get(u, CURLUPART_SCHEME, &oldscheme, 0);
> ++ if(!uc)
> ++ uc = curl_url_get(u, CURLUPART_HOST, &oldhost, 0);
> ++ if(!uc)
> ++ uc = curl_url_get(u, CURLUPART_PORT, &oldport, CURLU_DEFAULT_PORT);
> ++ if(!uc)
> ++ uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &newscheme, 0);
> ++ if(!uc)
> ++ uc = curl_url_get(data->state.uh, CURLUPART_HOST, &newhost, 0);
> ++ if(!uc)
> ++ uc = curl_url_get(data->state.uh, CURLUPART_PORT, &newport,
> ++ CURLU_DEFAULT_PORT);
> ++ if(uc) {
> ++ curl_url_cleanup(u);
> ++ curlx_free(oldscheme);
> ++ curlx_free(oldhost);
> ++ curlx_free(oldport);
> ++ curlx_free(newscheme);
> ++ curlx_free(newhost);
> ++ curlx_free(newport);
> ++ curlx_free(follow_url);
> ++ return Curl_uc_to_curlcode(uc);
> ++ }
> +
> +- p = Curl_get_scheme(scheme);
> +- if(p && (p->protocol != data->info.conn_protocol)) {
> +- infof(data, "Clear auth, redirects scheme from %s to %s",
> +- data->info.conn_scheme, scheme);
> +- clear = TRUE;
> +- }
> +- curlx_free(scheme);
> +- }
> +- if(clear) {
> +- CURLcode result = Curl_reset_userpwd(data);
> +- if(result) {
> +- curlx_free(follow_url);
> +- return result;
> +- }
> +- Curl_safefree(data->state.aptr.user);
> +- Curl_safefree(data->state.aptr.passwd);
> ++ same_origin = strcasecompare(oldscheme, newscheme) &&
> ++ strcasecompare(oldhost, newhost) &&
> ++ !strcmp(oldport, newport);
That code (which is not in the upstream patch) failed to build on my
machine:
$ bitbake curl-native
| ../../sources/curl-8.19.0/lib/http.c:1245:19: error: implicit declaration of function ‘strcasecompare’; did you mean ‘strcasecmp_l’? [-Wimplicit-function-declaration]
| 1245 | same_origin = strcasecompare(oldscheme, newscheme) &&
| | ^~~~~~~~~~~~~~
| | strcasecmp_l
Can you check please?
Thanks!
--
Yoann Congal
Smile ECS
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2026-07-03 9:38 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-29 13:14 [OE-core] [wrynose] [PATCH 1/6] curl: ignore CVE-2026-4873 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 2/6] curl: fix CVE-2026-5545 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 3/6] curl: ignore CVE-2026-5773 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-07-03 8:55 ` Yoann Congal
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 4/6] curl: fix CVE-2026-6253 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 5/6] curl: fix CVE-2026-6429 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-07-03 9:38 ` Yoann Congal
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 6/6] curl: fix CVE-2026-7168 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.