* [Buildroot] [PATCH 1/2] package/libcurl: security bump version to 8.16.0
@ 2025-09-10 20:06 Bernd Kuhls
2025-09-10 20:06 ` [Buildroot] [PATCH 2/2] package/kodi: Fix build with curl 8.16.0 Bernd Kuhls
From: Bernd Kuhls @ 2025-09-10 20:06 UTC (permalink / raw)
To: buildroot
Changelog: https://curl.se/ch/8.16.0.html
Fixes CVEs:
CVE-2025-9086: https://curl.se/docs/CVE-2025-9086.html
CVE-2025-10148: https://curl.se/docs/CVE-2025-10148.html
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
---
package/libcurl/libcurl.hash | 4 ++--
package/libcurl/libcurl.mk | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/package/libcurl/libcurl.hash b/package/libcurl/libcurl.hash
index 2e36917382..4cc4da4f26 100644
--- a/package/libcurl/libcurl.hash
+++ b/package/libcurl/libcurl.hash
@@ -1,5 +1,5 @@
# Locally calculated after checking pgp signature
-# https://curl.se/download/curl-8.15.0.tar.xz.asc
+# https://curl.se/download/curl-8.16.0.tar.xz.asc
# signed with key 27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2
-sha256 6cd0a8a5b126ddfda61c94dc2c3fc53481ba7a35461cf7c5ab66aa9d6775b609 curl-8.15.0.tar.xz
+sha256 40c8cddbcb6cc6251c03dea423a472a6cea4037be654ba5cf5dec6eb2d22ff1d curl-8.16.0.tar.xz
sha256 e18f1989333b70044b2adfb7dc2f905d0119dbdcac3bc9f4bc9d540e3a29de5b COPYING
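Review bot: The unchanged comment lines at the top of libcurl.hash ("Locally calculated after checking pgp signature" and the "signed with key" line) now vouch for the new curl-8.16.0.tar.xz hash, so they are only accurate if the 8.16.0 .asc was actually verified against that same key; please confirm this in the commit message or a reply. The COPYING hash is left untouched, which implies the licence file is unchanged between 8.15.0 and 8.16.0; a one-line confirmation of that would be useful as well.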
diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk
index 1cfdda27d2..0aa88044bd 100644
--- a/package/libcurl/libcurl.mk
+++ b/package/libcurl/libcurl.mk
@@ -4,7 +4,7 @@
#
################################################################################
-LIBCURL_VERSION = 8.15.0
+LIBCURL_VERSION = 8.16.0
LIBCURL_SOURCE = curl-$(LIBCURL_VERSION).tar.xz
LIBCURL_SITE = https://curl.se/download
LIBCURL_DEPENDENCIES = host-pkgconf \
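Review bot: Bumping LIBCURL_VERSION to 8.16.0 in this commit, ahead of the kodi change in 2/2, leaves kodi unbuildable at this point in the history, since 2/2 is titled as a build fix for curl 8.16.0. Putting the compatibility patch first would keep every commit buildable when bisecting. The commit message names the two CVEs but not which earlier libcurl versions they affect; a short line on that would help whoever decides on backporting the bump to maintained branches.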
--
2.47.3
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* [Buildroot] [PATCH 2/2] package/kodi: Fix build with curl 8.16.0
2025-09-10 20:06 [Buildroot] [PATCH 1/2] package/libcurl: security bump version to 8.16.0 Bernd Kuhls
@ 2025-09-10 20:06 ` Bernd Kuhls
2025-09-11 4:54 ` Baruch Siach via buildroot
From: Bernd Kuhls @ 2025-09-10 20:06 UTC (permalink / raw)
To: buildroot
curl 8.16.0 bumped the enums to long, see
https://github.com/curl/curl/pull/18054
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
---
package/kodi/0002-curl-8.16.0.patch | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
create mode 100644 package/kodi/0002-curl-8.16.0.patch
diff --git a/package/kodi/0002-curl-8.16.0.patch b/package/kodi/0002-curl-8.16.0.patch
new file mode 100644
index 0000000000..ad71f339ca
--- /dev/null
+++ b/package/kodi/0002-curl-8.16.0.patch
@@ -0,0 +1,21 @@
+Fix build with curl 8.16.0
+
+Downloaded from
+https://gitlab.alpinelinux.org/alpine/aports/-/commit/106a02411488e3f71b9f2085a4a857e4be27b9ea
+
+Upstream: https://github.com/xbmc/xbmc/pull/27224
+
+Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
+
+--- a/xbmc/filesystem/CurlFile.cpp
++++ b/xbmc/filesystem/CurlFile.cpp
+@@ -44,7 +44,7 @@ using namespace std::chrono_literals;
+
+ #define FITS_INT(a) (((a) <= INT_MAX) && ((a) >= INT_MIN))
+
+-curl_proxytype proxyType2CUrlProxyType[] = {
++long proxyType2CUrlProxyType[] = {
+ CURLPROXY_HTTP, CURLPROXY_SOCKS4, CURLPROXY_SOCKS4A,
+ CURLPROXY_SOCKS5, CURLPROXY_SOCKS5_HOSTNAME, CURLPROXY_HTTPS,
+ };
+
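Review bot: The description inside 0002-curl-8.16.0.patch gives both a "Downloaded from" Alpine commit and an "Upstream:" pull request without saying why the Alpine version is carried instead of the upstream one, or whether the pull request has been merged. A sentence stating the reason (for example that the upstream patch does not apply to the packaged kodi version, if that is the case) tells the next person bumping kodi when this patch can be dropped.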
--
2.47.3
* Re: [Buildroot] [PATCH 2/2] package/kodi: Fix build with curl 8.16.0
2025-09-10 20:06 ` [Buildroot] [PATCH 2/2] package/kodi: Fix build with curl 8.16.0 Bernd Kuhls
@ 2025-09-11 4:54 ` Baruch Siach via buildroot
From: Baruch Siach via buildroot @ 2025-09-11 4:54 UTC (permalink / raw)
To: Bernd Kuhls; +Cc: buildroot
Hi Bernd,
Thanks for the libcurl security bump and this fix. A couple of comments
below.
On Wed, Sep 10 2025, Bernd Kuhls wrote:
> curl 8.16.0 bumped the enums to long, see
> https://github.com/curl/curl/pull/18054
>
> Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
> ---
> package/kodi/0002-curl-8.16.0.patch | 21 +++++++++++++++++++++
> 1 file changed, 21 insertions(+)
> create mode 100644 package/kodi/0002-curl-8.16.0.patch
>
> diff --git a/package/kodi/0002-curl-8.16.0.patch b/package/kodi/0002-curl-8.16.0.patch
> new file mode 100644
> index 0000000000..ad71f339ca
> --- /dev/null
> +++ b/package/kodi/0002-curl-8.16.0.patch
> @@ -0,0 +1,21 @@
> +Fix build with curl 8.16.0
> +
> +Downloaded from
> +https://gitlab.alpinelinux.org/alpine/aports/-/commit/106a02411488e3f71b9f2085a4a857e4be27b9ea
> +
> +Upstream: https://github.com/xbmc/xbmc/pull/27224
It would be nicer to apply this libcurl compatibility fix patch before
the libcurl version bump for the sake of bisectability. I believe this patch
should be compatible with libcurl older than 8.16.0.
I guess you can't use the upstream pull request patch because it doesn't
apply to the kodi version we have. This patch description should say that.
Thanks,
baruch
> +
> +Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
> +
> +--- a/xbmc/filesystem/CurlFile.cpp
> ++++ b/xbmc/filesystem/CurlFile.cpp
> +@@ -44,7 +44,7 @@ using namespace std::chrono_literals;
> +
> + #define FITS_INT(a) (((a) <= INT_MAX) && ((a) >= INT_MIN))
> +
> +-curl_proxytype proxyType2CUrlProxyType[] = {
> ++long proxyType2CUrlProxyType[] = {
> + CURLPROXY_HTTP, CURLPROXY_SOCKS4, CURLPROXY_SOCKS4A,
> + CURLPROXY_SOCKS5, CURLPROXY_SOCKS5_HOSTNAME, CURLPROXY_HTTPS,
> + };
> +
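Review bot: In the CurlFile.cpp change, the element type of proxyType2CUrlProxyType goes from curl_proxytype to long, but the code that reads the array lies outside the quoted hunk, so compatibility with libcurl older than 8.16.0 cannot be confirmed from these lines alone. If the series is reordered to put this patch first, a kodi build against libcurl 8.15.0 with the patch applied would settle it, and the result is worth stating in the commit message.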
--
~. .~ Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
- baruch@tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -