From: vanusuri@mvista.com
To: openembedded-core@lists.openembedded.org
Cc: Vijay Anusuri <vanusuri@mvista.com>
Subject: [OE-core][kirkstone][PATCH v2 4/4] curl: patch CVE-2026-3784
Date: Sat, 21 Mar 2026 15:17:23 +0530 [thread overview]
Message-ID: <20260321094723.273058-4-vanusuri@mvista.com> (raw)
In-Reply-To: <20260321094723.273058-1-vanusuri@mvista.com>
From: Vijay Anusuri <vanusuri@mvista.com>
pick patch from ubuntu per [1]
[1] https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/curl/7.81.0-1ubuntu1.23/curl_7.81.0-1ubuntu1.23.debian.tar.xz
[2] https://ubuntu.com/security/CVE-2026-3784
[3] https://curl.se/docs/CVE-2026-3784.html
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
.../curl/curl/CVE-2026-3784.patch | 73 +++++++++++++++++++
meta/recipes-support/curl/curl_7.82.0.bb | 1 +
2 files changed, 74 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2026-3784.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2026-3784.patch b/meta/recipes-support/curl/curl/CVE-2026-3784.patch
new file mode 100644
index 0000000000..95784e4763
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2026-3784.patch
@@ -0,0 +1,73 @@
+From 5f13a7645e565c5c1a06f3ef86e97afb856fb364 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan@eissing.org>
+Date: Fri, 6 Mar 2026 14:54:09 +0100
+Subject: [PATCH] proxy-auth: additional tests
+
+Also eliminate the special handling for socks proxy match.
+
+Closes #20837
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/5f13a7645e565c5c1a06f3]
+Backported by Ubuntu team https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/curl/7.81.0-1ubuntu1.23/curl_7.81.0-1ubuntu1.23.debian.tar.xz
+
+CVE: CVE-2026-3784
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/url.c | 28 +++++++---------------------
+ tests/http/test_13_proxy_auth.py | 20 ++++++++++++++++++++
+ tests/http/testenv/curl.py | 18 +++++++++++++++---
+ 3 files changed, 42 insertions(+), 24 deletions(-)
+
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -930,33 +930,15 @@ proxy_info_matches(const struct proxy_in
+ {
+ if((data->proxytype == needle->proxytype) &&
+ (data->port == needle->port) &&
+- Curl_safe_strcasecompare(data->host.name, needle->host.name))
+- return TRUE;
++ curl_strequal(data->host.name, needle->host.name)) {
+
++ if(Curl_timestrcmp(data->user, needle->user) ||
++ Curl_timestrcmp(data->passwd, needle->passwd))
++ return FALSE;
++ return TRUE;
++ }
+ return FALSE;
+ }
+-
+-static bool
+-socks_proxy_info_matches(const struct proxy_info *data,
+- const struct proxy_info *needle)
+-{
+- if(!proxy_info_matches(data, needle))
+- return FALSE;
+-
+- /* the user information is case-sensitive
+- or at least it is not defined as case-insensitive
+- see https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.1 */
+-
+- /* curl_strequal does a case insentive comparison, so do not use it here! */
+- if(Curl_timestrcmp(data->user, needle->user) ||
+- Curl_timestrcmp(data->passwd, needle->passwd))
+- return FALSE;
+- return TRUE;
+-}
+-#else
+-/* disabled, won't get called */
+-#define proxy_info_matches(x,y) FALSE
+-#define socks_proxy_info_matches(x,y) FALSE
+ #endif
+
+ /* A connection has to have been idle for a shorter time than 'maxage_conn'
+@@ -1282,8 +1264,8 @@ ConnectionExists(struct Curl_easy *data,
+ continue;
+
+ if(needle->bits.socksproxy &&
+- !socks_proxy_info_matches(&needle->socks_proxy,
+- &check->socks_proxy))
++ !proxy_info_matches(&needle->socks_proxy,
++ &check->socks_proxy))
+ continue;
+ #endif
+ if(needle->bits.conn_to_host != check->bits.conn_to_host)
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index f50af1d472..a2ee573681 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -75,6 +75,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
file://CVE-2026-1965-2.patch \
file://CVE-2026-3783-pre1.patch \
file://CVE-2026-3783.patch \
+ file://CVE-2026-3784.patch \
"
SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
--
2.25.1
prev parent reply other threads:[~2026-03-21 9:47 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-21 9:47 [OE-core][kirkstone][PATCH v2 1/4] curl: patch CVE-2025-14524 vanusuri
2026-03-21 9:47 ` [OE-core][kirkstone][PATCH v2 2/4] curl: patch CVE-2026-1965 vanusuri
2026-04-05 23:00 ` Yoann Congal
2026-03-21 9:47 ` [OE-core][kirkstone][PATCH v2 3/4] curl: patch CVE-2026-3783 vanusuri
2026-03-21 9:47 ` vanusuri [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260321094723.273058-4-vanusuri@mvista.com \
--to=vanusuri@mvista.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox