[scarthgap][PATCH] curl_sasl:_if_redirected,_require_permission_to_use_bearer

[scarthgap][PATCH] curl_sasl:_if_redirected,_require_permission_to_use_bearer

[amaury.couderc]

From: Amaury Couderc <amaury.couderc@est.tech>

Signed-off-by: Amaury Couderc <amaury.couderc@est.tech>
---
 .../curl/curl/CVE-2025-14524.patch            | 45 +++++++++++++++++++
 meta/recipes-support/curl/curl_8.7.1.bb       |  1 +
 2 files changed, 46 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2025-14524.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2025-14524.patch b/meta/recipes-support/curl/curl/CVE-2025-14524.patch
new file mode 100644
index 0000000000..bd0dd86acb
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2025-14524.patch
@@ -0,0 +1,45 @@
+From 0bccd8d29c89d70120444088d3893af59f3772bf Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 10 Dec 2025 11:40:47 +0100
+Subject: [PATCH] curl_sasl: if redirected, require permission to use bearer
+
+Closes #19933
+
+CVE: CVE-2025-14524
+Upstream-Status: Backport
+[https://github.com/curl/curl/commit/1a822275d333dc6da6043497160fd04c8fa48640]
+
+Signed-off-by: Amaury Couderc <amaury.couderc@est.tech>
+---
+ lib/curl_sasl.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c
+index 66639cbacc..fe646548a8 100644
+--- a/lib/curl_sasl.c
++++ b/lib/curl_sasl.c
+@@ -357,7 +357,9 @@ CURLcode Curl_sasl_start(struct SASL *sasl, struct Curl_easy *data,
+     data->set.str[STRING_SERVICE_NAME] :
+     sasl->params->service;
+ #endif
+-  const char *oauth_bearer = data->set.str[STRING_BEARER];
++  const char *oauth_bearer =
++    (!data->state.this_is_a_follow || data->set.allow_auth_to_other_hosts) ?
++    data->set.str[STRING_BEARER] : NULL;
+   struct bufref nullmsg;
+ 
+   Curl_conn_get_host(data, FIRSTSOCKET, &hostname, &disp_hostname, &port);
+@@ -544,7 +546,9 @@ CURLcode Curl_sasl_continue(struct SASL *sasl, struct Curl_easy *data,
+     data->set.str[STRING_SERVICE_NAME] :
+     sasl->params->service;
+ #endif
+-  const char *oauth_bearer = data->set.str[STRING_BEARER];
++  const char *oauth_bearer =
++    (!data->state.this_is_a_follow || data->set.allow_auth_to_other_hosts) ?
++    data->set.str[STRING_BEARER] : NULL;
+   struct bufref serverdata;
+ 
+   Curl_conn_get_host(data, FIRSTSOCKET, &hostname, &disp_hostname, &port);
+-- 
+2.43.0
+
diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb
index 0af6a41399..33bf6b1163 100644
--- a/meta/recipes-support/curl/curl_8.7.1.bb
+++ b/meta/recipes-support/curl/curl_8.7.1.bb
@@ -25,6 +25,7 @@ SRC_URI = " \
     file://CVE-2024-11053-0003.patch \
     file://CVE-2025-0167.patch \
     file://CVE-2025-9086.patch \
+    file://CVE-2025-14524.patch \
 "
 
 SRC_URI:append:class-nativesdk = " \
-- 
2.52.0

Re: [OE-core] [scarthgap][PATCH] curl_sasl:_if_redirected,_require_permission_to_use_bearer

[Yoann Congal]

[-- Attachment #1: Type: text/plain, Size: 3913 bytes --]

Le ven. 30 janv. 2026 à 11:17, Amaury Couderc via lists.openembedded.org
<amaury.couderc=est.tech@lists.openembedded.org> a écrit :

> From: Amaury Couderc <amaury.couderc@est.tech>
>
> Signed-off-by: Amaury Couderc <amaury.couderc@est.tech>
>

Hello,

The subject for this patch should be "[scarthgap][PATCH] curl: patch
CVE-2025-14524"
"curl_sasl: if redirected, require permission to use bearer" has very
little meaning outside of the curl source code.

Can you send a v2 with that?

Also, can you ensure the Upstream-Status line is not split?

Thanks!

---
>  .../curl/curl/CVE-2025-14524.patch            | 45 +++++++++++++++++++
>  meta/recipes-support/curl/curl_8.7.1.bb       |  1 +
>  2 files changed, 46 insertions(+)
>  create mode 100644 meta/recipes-support/curl/curl/CVE-2025-14524.patch
>
> diff --git a/meta/recipes-support/curl/curl/CVE-2025-14524.patch
> b/meta/recipes-support/curl/curl/CVE-2025-14524.patch
> new file mode 100644
> index 0000000000..bd0dd86acb
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2025-14524.patch
> @@ -0,0 +1,45 @@
> +From 0bccd8d29c89d70120444088d3893af59f3772bf Mon Sep 17 00:00:00 2001
> +From: Daniel Stenberg <daniel@haxx.se>
> +Date: Wed, 10 Dec 2025 11:40:47 +0100
> +Subject: [PATCH] curl_sasl: if redirected, require permission to use
> bearer
> +
> +Closes #19933
> +
> +CVE: CVE-2025-14524
> +Upstream-Status: Backport
> +[
> https://github.com/curl/curl/commit/1a822275d333dc6da6043497160fd04c8fa48640
> ]
> +
> +Signed-off-by: Amaury Couderc <amaury.couderc@est.tech>
> +---
> + lib/curl_sasl.c | 8 ++++++--
> + 1 file changed, 6 insertions(+), 2 deletions(-)
> +
> +diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c
> +index 66639cbacc..fe646548a8 100644
> +--- a/lib/curl_sasl.c
> ++++ b/lib/curl_sasl.c
> +@@ -357,7 +357,9 @@ CURLcode Curl_sasl_start(struct SASL *sasl, struct
> Curl_easy *data,
> +     data->set.str[STRING_SERVICE_NAME] :
> +     sasl->params->service;
> + #endif
> +-  const char *oauth_bearer = data->set.str[STRING_BEARER];
> ++  const char *oauth_bearer =
> ++    (!data->state.this_is_a_follow ||
> data->set.allow_auth_to_other_hosts) ?
> ++    data->set.str[STRING_BEARER] : NULL;
> +   struct bufref nullmsg;
> +
> +   Curl_conn_get_host(data, FIRSTSOCKET, &hostname, &disp_hostname,
> &port);
> +@@ -544,7 +546,9 @@ CURLcode Curl_sasl_continue(struct SASL *sasl, struct
> Curl_easy *data,
> +     data->set.str[STRING_SERVICE_NAME] :
> +     sasl->params->service;
> + #endif
> +-  const char *oauth_bearer = data->set.str[STRING_BEARER];
> ++  const char *oauth_bearer =
> ++    (!data->state.this_is_a_follow ||
> data->set.allow_auth_to_other_hosts) ?
> ++    data->set.str[STRING_BEARER] : NULL;
> +   struct bufref serverdata;
> +
> +   Curl_conn_get_host(data, FIRSTSOCKET, &hostname, &disp_hostname,
> &port);
> +--
> +2.43.0
> +
> diff --git a/meta/recipes-support/curl/curl_8.7.1.bb
> b/meta/recipes-support/curl/curl_8.7.1.bb
> index 0af6a41399..33bf6b1163 100644
> --- a/meta/recipes-support/curl/curl_8.7.1.bb
> +++ b/meta/recipes-support/curl/curl_8.7.1.bb
> @@ -25,6 +25,7 @@ SRC_URI = " \
>      file://CVE-2024-11053-0003.patch \
>      file://CVE-2025-0167.patch \
>      file://CVE-2025-9086.patch \
> +    file://CVE-2025-14524.patch \
>  "
>
>  SRC_URI:append:class-nativesdk = " \
> --
> 2.52.0
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#230190):
> https://lists.openembedded.org/g/openembedded-core/message/230190
> Mute This Topic: https://lists.openembedded.org/mt/117542226/4316185
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [
> yoann.congal@smile.fr]
> -=-=-=-=-=-=-=-=-=-=-=-
>
>

-- 
Yoann Congal
Smile ECS

[-- Attachment #2: Type: text/html, Size: 6080 bytes --]

Re: [OE-core] [scarthgap][PATCH] curl_sasl:_if_redirected,_require_permission_to_use_bearer

[Amaury Couderc]

[-- Attachment #1: Type: text/plain, Size: 4449 bytes --]

Hi,

Thanks for the review, I will send a v2 with the corrections.

Kind Regards,

Amaury
________________________________
From: Yoann Congal <yoann.congal@smile.fr>
Sent: Friday, January 30, 2026 11:40 AM
To: Amaury Couderc <amaury.couderc@est.tech>
Cc: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [scarthgap][PATCH] curl_sasl:_if_redirected,_require_permission_to_use_bearer



Le ven. 30 janv. 2026 à 11:17, Amaury Couderc via lists.openembedded.org<http://lists.openembedded.org> <amaury.couderc=est.tech@lists.openembedded.org<mailto:est.tech@lists.openembedded.org>> a écrit :
From: Amaury Couderc <amaury.couderc@est.tech>

Signed-off-by: Amaury Couderc <amaury.couderc@est.tech>

Hello,

The subject for this patch should be "[scarthgap][PATCH] curl: patch CVE-2025-14524"
"curl_sasl: if redirected, require permission to use bearer" has very little meaning outside of the curl source code.

Can you send a v2 with that?

Also, can you ensure the Upstream-Status line is not split?

Thanks!

---
 .../curl/curl/CVE-2025-14524.patch            | 45 +++++++++++++++++++
 meta/recipes-support/curl/curl_8.7.1.bb<http://curl_8.7.1.bb>       |  1 +
 2 files changed, 46 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2025-14524.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2025-14524.patch b/meta/recipes-support/curl/curl/CVE-2025-14524.patch
new file mode 100644
index 0000000000..bd0dd86acb
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2025-14524.patch
@@ -0,0 +1,45 @@
+From 0bccd8d29c89d70120444088d3893af59f3772bf Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se<mailto:daniel@haxx.se>>
+Date: Wed, 10 Dec 2025 11:40:47 +0100
+Subject: [PATCH] curl_sasl: if redirected, require permission to use bearer
+
+Closes #19933
+
+CVE: CVE-2025-14524
+Upstream-Status: Backport
+[https://github.com/curl/curl/commit/1a822275d333dc6da6043497160fd04c8fa48640]
+
+Signed-off-by: Amaury Couderc <amaury.couderc@est.tech>
+---
+ lib/curl_sasl.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c
+index 66639cbacc..fe646548a8 100644
+--- a/lib/curl_sasl.c
++++ b/lib/curl_sasl.c
+@@ -357,7 +357,9 @@ CURLcode Curl_sasl_start(struct SASL *sasl, struct Curl_easy *data,
+     data->set.str[STRING_SERVICE_NAME] :
+     sasl->params->service;
+ #endif
+-  const char *oauth_bearer = data->set.str[STRING_BEARER];
++  const char *oauth_bearer =
++    (!data->state.this_is_a_follow || data->set.allow_auth_to_other_hosts) ?
++    data->set.str[STRING_BEARER] : NULL;
+   struct bufref nullmsg;
+
+   Curl_conn_get_host(data, FIRSTSOCKET, &hostname, &disp_hostname, &port);
+@@ -544,7 +546,9 @@ CURLcode Curl_sasl_continue(struct SASL *sasl, struct Curl_easy *data,
+     data->set.str[STRING_SERVICE_NAME] :
+     sasl->params->service;
+ #endif
+-  const char *oauth_bearer = data->set.str[STRING_BEARER];
++  const char *oauth_bearer =
++    (!data->state.this_is_a_follow || data->set.allow_auth_to_other_hosts) ?
++    data->set.str[STRING_BEARER] : NULL;
+   struct bufref serverdata;
+
+   Curl_conn_get_host(data, FIRSTSOCKET, &hostname, &disp_hostname, &port);
+--
+2.43.0
+
diff --git a/meta/recipes-support/curl/curl_8.7.1.bb<http://curl_8.7.1.bb> b/meta/recipes-support/curl/curl_8.7.1.bb<http://curl_8.7.1.bb>
index 0af6a41399..33bf6b1163 100644
--- a/meta/recipes-support/curl/curl_8.7.1.bb<http://curl_8.7.1.bb>
+++ b/meta/recipes-support/curl/curl_8.7.1.bb<http://curl_8.7.1.bb>
@@ -25,6 +25,7 @@ SRC_URI = " \
     file://CVE-2024-11053-0003.patch \
     file://CVE-2025-0167.patch \
     file://CVE-2025-9086.patch \
+    file://CVE-2025-14524.patch \
 "

 SRC_URI:append:class-nativesdk = " \
--
2.52.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#230190): https://lists.openembedded.org/g/openembedded-core/message/230190
Mute This Topic: https://lists.openembedded.org/mt/117542226/4316185
Group Owner: openembedded-core+owner@lists.openembedded.org<mailto:openembedded-core%2Bowner@lists.openembedded.org>
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [yoann.congal@smile.fr<mailto:yoann.congal@smile.fr>]
-=-=-=-=-=-=-=-=-=-=-=-



--
Yoann Congal
Smile ECS

[-- Attachment #2: Type: text/html, Size: 8769 bytes --]