* [scarthgap][PATCH] curl: fix CVE-2025-10148
@ 2026-01-07 4:52 Hitendra Prajapati
2026-01-20 5:36 ` Hitendra Prajapati
0 siblings, 1 reply; 4+ messages in thread
From: Hitendra Prajapati @ 2026-01-07 4:52 UTC (permalink / raw)
To: openembedded-core; +Cc: Hitendra Prajapati
curl's websocket code did not update the 32 bit mask pattern
for each new outgoing frame as the specification says. Instead
it used a fixed mask that persisted and was used throughout
the entire connection.
A predictable mask pattern allows for a malicious server to induce
traffic between the two communicating parties that could be
interpreted by an involved proxy (configured or transparent) as
genuine, real, HTTP traffic with content and thereby poison its
cache. That cached poisoned content could then be served to all
users of that proxy.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-10148
Upstream patch:
https://github.com/curl/curl/commit/84db7a9eae8468c0445b15aa806fa
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
.../curl/curl/CVE-2025-10148.patch | 57 +++++++++++++++++++
meta/recipes-support/curl/curl_8.7.1.bb | 1 +
2 files changed, 58 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2025-10148.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2025-10148.patch b/meta/recipes-support/curl/curl/CVE-2025-10148.patch
new file mode 100644
index 0000000000..d37497febe
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2025-10148.patch
@@ -0,0 +1,57 @@
+From 84db7a9eae8468c0445b15aa806fa7fa806fa0f2 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 8 Sep 2025 14:14:15 +0200
+Subject: [PATCH] ws: get a new mask for each new outgoing frame
+
+Reported-by: Calvin Ruocco
+Closes #18496
+
+CVE: CVE-2025-10148
+Upstream-Status: Backport [https://github.com/curl/curl/commit/84db7a9eae8468c0445b15aa806fa]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ lib/ws.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/lib/ws.c b/lib/ws.c
+index 5bc5ecc..02e0ef0 100644
+--- a/lib/ws.c
++++ b/lib/ws.c
+@@ -614,6 +614,18 @@ static ssize_t ws_enc_write_head(struct Curl_easy *data,
+ enc->payload_remain = enc->payload_len = payload_len;
+ ws_enc_info(enc, data, "sending");
+
++ /* 4 bytes random */
++
++ result = Curl_rand(data, (unsigned char *)&enc->mask, sizeof(enc->mask));
++ if(result)
++ return result;
++
++#ifdef DEBUGBUILD
++ if(getenv("CURL_WS_FORCE_ZERO_MASK"))
++ /* force the bit mask to 0x00000000, effectively disabling masking */
++ memset(&enc->mask, 0, sizeof(enc->mask));
++#endif
++
+ /* add 4 bytes mask */
+ memcpy(&head[hlen], &enc->mask, 4);
+ hlen += 4;
+@@ -802,14 +814,7 @@ CURLcode Curl_ws_accept(struct Curl_easy *data,
+ subprotocol not requested by the client), the client MUST Fail
+ the WebSocket Connection. */
+
+- /* 4 bytes random */
+-
+- result = Curl_rand(data, (unsigned char *)&ws->enc.mask,
+- sizeof(ws->enc.mask));
+- if(result)
+- return result;
+- infof(data, "Received 101, switch to WebSocket; mask %02x%02x%02x%02x",
+- ws->enc.mask[0], ws->enc.mask[1], ws->enc.mask[2], ws->enc.mask[3]);
++ infof(data, "Received 101, switch to WebSocket");
+
+ /* Install our client writer that decodes WS frames payload */
+ result = Curl_cwriter_create(&ws_dec_writer, data, &ws_cw_decode,
+--
+2.50.1
+
diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb
index 0af6a41399..81e7e3ea8e 100644
--- a/meta/recipes-support/curl/curl_8.7.1.bb
+++ b/meta/recipes-support/curl/curl_8.7.1.bb
@@ -25,6 +25,7 @@ SRC_URI = " \
file://CVE-2024-11053-0003.patch \
file://CVE-2025-0167.patch \
file://CVE-2025-9086.patch \
+ file://CVE-2025-10148.patch \
"
SRC_URI:append:class-nativesdk = " \
--
2.50.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [scarthgap][PATCH] curl: fix CVE-2025-10148
2026-01-07 4:52 [scarthgap][PATCH] curl: fix CVE-2025-10148 Hitendra Prajapati
@ 2026-01-20 5:36 ` Hitendra Prajapati
2026-01-20 9:12 ` [OE-core] " Yoann Congal
0 siblings, 1 reply; 4+ messages in thread
From: Hitendra Prajapati @ 2026-01-20 5:36 UTC (permalink / raw)
To: openembedded-core
[-- Attachment #1: Type: text/plain, Size: 54 bytes --]
Hi Team,
Any update on this ?
Regards,
Hitendra
[-- Attachment #2: Type: text/html, Size: 115 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [OE-core] [scarthgap][PATCH] curl: fix CVE-2025-10148
2026-01-20 5:36 ` Hitendra Prajapati
@ 2026-01-20 9:12 ` Yoann Congal
2026-01-20 11:15 ` Hitendra Prajapati
0 siblings, 1 reply; 4+ messages in thread
From: Yoann Congal @ 2026-01-20 9:12 UTC (permalink / raw)
To: hprajapati; +Cc: openembedded-core
[-- Attachment #1: Type: text/plain, Size: 979 bytes --]
Le mar. 20 janv. 2026 à 06:36, Hitendra Prajapati via lists.openembedded.org
<hprajapati=mvista.com@lists.openembedded.org> a écrit :
> Hi Team,
> Any update on this ?
>
Hello,
I'm currently focussed on getting Kirkstone 4.0.33 built. And, while I will
send a scarthgap patch series soon, this one is not included, sorry.
It does look good. I will definitely consider it for the next scartgap
release (5.0.16 built on 2026-02-09).
Regards,
>
> Regards,
> Hitendra
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#229643):
> https://lists.openembedded.org/g/openembedded-core/message/229643
> Mute This Topic: https://lists.openembedded.org/mt/117129750/4316185
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [
> yoann.congal@smile.fr]
> -=-=-=-=-=-=-=-=-=-=-=-
>
>
--
Yoann Congal
Smile ECS
[-- Attachment #2: Type: text/html, Size: 2326 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [OE-core] [scarthgap][PATCH] curl: fix CVE-2025-10148
2026-01-20 9:12 ` [OE-core] " Yoann Congal
@ 2026-01-20 11:15 ` Hitendra Prajapati
0 siblings, 0 replies; 4+ messages in thread
From: Hitendra Prajapati @ 2026-01-20 11:15 UTC (permalink / raw)
To: Yoann Congal; +Cc: openembedded-core
[-- Attachment #1: Type: text/plain, Size: 1312 bytes --]
Hi Yoann,
Thank you for Quick update.
Regards,
Hitendra
On 20/01/26 2:42 pm, Yoann Congal wrote:
>
>
> Le mar. 20 janv. 2026 à 06:36, Hitendra Prajapati via
> lists.openembedded.org <http://lists.openembedded.org>
> <hprajapati=mvista.com@lists.openembedded.org> a écrit :
>
> Hi Team,
> Any update on this ?
>
>
> Hello,
>
> I'm currently focussed on getting Kirkstone 4.0.33 built. And, while I
> will send a scarthgap patch series soon, this one is not included, sorry.
> It does look good. I will definitely consider it for the next scartgap
> release (5.0.16 built on 2026-02-09).
>
> Regards,
>
> Regards,
> Hitendra
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#229643):
> https://lists.openembedded.org/g/openembedded-core/message/229643
> Mute This Topic: https://lists.openembedded.org/mt/117129750/4316185
> Group Owner: openembedded-core+owner@lists.openembedded.org
> <mailto:openembedded-core%2Bowner@lists.openembedded.org>
> Unsubscribe:
> https://lists.openembedded.org/g/openembedded-core/unsub
> [yoann.congal@smile.fr]
> -=-=-=-=-=-=-=-=-=-=-=-
>
>
>
> --
> Yoann Congal
> Smile ECS
--
Regards,
Hitendra Prajapati
MontaVista Software LLC
Mo: +91 9998906483
[-- Attachment #2: Type: text/html, Size: 4172 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-01-20 11:15 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-01-07 4:52 [scarthgap][PATCH] curl: fix CVE-2025-10148 Hitendra Prajapati
2026-01-20 5:36 ` Hitendra Prajapati
2026-01-20 9:12 ` [OE-core] " Yoann Congal
2026-01-20 11:15 ` Hitendra Prajapati
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox