From: Jaipaul Cheernam <jaipaul.cheernam@est.tech>
To: openembedded-core@lists.openembedded.org
Cc: Jaipaul Cheernam <jaipaul.cheernam@est.tech>
Subject: [wrynose][PATCH v5] curl: fix CVE-2026-5773 - wrong reuse of SMB connection
Date: Mon, 6 Jul 2026 10:14:17 +0200 [thread overview]
Message-ID: <20260706081417.10420-1-jaipaul.cheernam@est.tech> (raw)
In-Reply-To: <20260623120850.29881-1-jaipaul.cheernam@est.tech>
Remove PROTOPT_CONN_REUSE from SMB handler flags to prevent
connection pooling. Without this, a second SMB request to the same
host reuses a connection authenticated for a different share.
Reference: https://curl.se/docs/CVE-2026-5773.html
Signed-off-by: Jaipaul Cheernam <jaipaul.cheernam@est.tech>
---
Changes v4 -> v5:
- Removed incorrect Signed-off-by from Daniel (upstream commit has none)
Changes v3 -> v4:
- Rebased on latest wrynose (5d1aa5c806c0)
- Refreshed patch context to eliminate fuzz on hunk #2
.../curl/curl/CVE-2026-5773.patch | 47 +++++++++++++++++++
meta/recipes-support/curl/curl_8.19.0.bb | 1 +
2 files changed, 48 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2026-5773.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2026-5773.patch b/meta/recipes-support/curl/curl/CVE-2026-5773.patch
new file mode 100644
index 0000000000..a997371242
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2026-5773.patch
@@ -0,0 +1,47 @@
+From e5c7f93734345260820ca46b29db85f75d277399 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sun, 5 Apr 2026 18:23:35 +0200
+Subject: [PATCH] protocol: disable connection reuse for SMB(S)
+
+Connections should only be reused when using the same "share" (and
+perhaps some additional conditions), but instead of fixing this flaw,
+this change completely disables connection reuse for SMB. This protocol
+is about to get dropped soon anyway.
+
+Reported-by: Osama Hamad
+Closes #21238
+
+CVE: CVE-2026-5773
+Upstream-Status: Backport [https://github.com/curl/curl/commit/74a169575d6412dc0ff532acdf94de35a6c2a571]
+
+Note: The upstream fix targets lib/protocol.c which was introduced in
+curl 8.20.0. In 8.19.0 the SMB handler flags are still in lib/smb.c,
+so this patch removes PROTOPT_CONN_REUSE there instead. The effect is
+identical: SMB connections are no longer pooled for reuse.
+
+Signed-off-by: Jaipaul Cheernam <jaipaul.cheernam@est.tech>
+---
+ lib/smb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/smb.c b/lib/smb.c
+index 00297ad..c15fdce 100644
+--- a/lib/smb.c
++++ b/lib/smb.c
+@@ -1242,7 +1242,7 @@ const struct Curl_scheme Curl_scheme_smb = {
+ #endif
+ CURLPROTO_SMB, /* protocol */
+ CURLPROTO_SMB, /* family */
+- PROTOPT_CONN_REUSE, /* flags */
++ PROTOPT_NONE, /* flags */
+ PORT_SMB, /* defport */
+ };
+
+@@ -1259,6 +1259,6 @@ const struct Curl_scheme Curl_scheme_smbs = {
+ #endif
+ CURLPROTO_SMBS, /* protocol */
+ CURLPROTO_SMB, /* family */
+- PROTOPT_SSL | PROTOPT_CONN_REUSE, /* flags */
++ PROTOPT_SSL, /* flags */
+ PORT_SMBS, /* defport */
+ };
diff --git a/meta/recipes-support/curl/curl_8.19.0.bb b/meta/recipes-support/curl/curl_8.19.0.bb
index d58b774011..3326f478b5 100644
--- a/meta/recipes-support/curl/curl_8.19.0.bb
+++ b/meta/recipes-support/curl/curl_8.19.0.bb
@@ -15,6 +15,7 @@ SRC_URI = " \
file://disable-tests \
file://no-test-timeout.patch \
file://CVE-2026-6276.patch \
+ file://CVE-2026-5773.patch \
file://mbedtls.patch \
"
--
2.34.1
prev parent reply other threads:[~2026-07-06 8:14 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-23 12:08 [wrynose][PATCH v2] curl: fix CVE-2026-5773 - wrong reuse of SMB connection Jaipaul Cheernam
2026-06-23 21:24 ` [OE-core] " Yoann Congal
2026-06-24 7:55 ` [wrynose][PATCH v3] " Jaipaul Cheernam
2026-07-03 8:50 ` [OE-core] " Yoann Congal
2026-07-03 9:25 ` [wrynose][PATCH v4] " Jaipaul Cheernam
2026-07-05 22:03 ` [OE-core] " Yoann Congal
2026-07-06 8:11 ` Jaipaul Cheernam
2026-07-06 8:14 ` Jaipaul Cheernam [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260706081417.10420-1-jaipaul.cheernam@est.tech \
--to=jaipaul.cheernam@est.tech \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox