* [OE-core][scarthgap][PATCH 1/1] curl: fix CVE-2026-1965
@ 2026-03-26 4:46 Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-03-26 10:00 ` [OE-core][scarthgap][PATCH v2 1/3] " Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)
0 siblings, 1 reply; 4+ messages in thread
From: Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-03-26 4:46 UTC (permalink / raw)
To: openembedded-core
From: Sudhir Dumbhare <sudumbha@cisco.com>
Applying the fixes from upstream commit [3] and [4] cause merge conflicts
and require other dependent commits to be backported. Instead, backport
the Ubuntu-provided patches [1], which fixes the vulnerability as mentioned
in changelog [2].
[1] http://archive.ubuntu.com/ubuntu/pool/main/c/curl/curl_8.5.0-2ubuntu10.8.debian.tar.xz
debian/patches/CVE-2026-1965-1.patch
debian/patches/CVE-2026-1965-2.patch
[2] https://changelogs.ubuntu.com/changelogs/pool/main/c/curl/curl_8.5.0-2ubuntu10.8/changelog
[3] https://github.com/curl/curl/commit/34fa034d9a390c4bd65e2d05262755ec8646ac12
[4] https://github.com/curl/curl/commit/f1a39f221d57354990e3eeeddc3404aede2aff70
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-1965
https://curl.se/docs/CVE-2026-1965.html
https://ubuntu.com/security/CVE-2026-1965
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
---
.../curl/curl/CVE-2026-1965_p1.patch | 98 +++++++++++++++++++
.../curl/curl/CVE-2026-1965_p2.patch | 30 ++++++
meta/recipes-support/curl/curl_8.7.1.bb | 2 +
3 files changed, 130 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2026-1965_p1.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2026-1965_p2.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2026-1965_p1.patch b/meta/recipes-support/curl/curl/CVE-2026-1965_p1.patch
new file mode 100644
index 0000000000..8079b453eb
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2026-1965_p1.patch
@@ -0,0 +1,98 @@
+Backport of:
+
+From 34fa034d9a390c4bd65e2d05262755ec8646ac12 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 5 Feb 2026 08:34:21 +0100
+Subject: [PATCH] url: fix reuse of connections using HTTP Negotiate
+
+Assume Negotiate means connection-based
+
+Reported-by: Zhicheng Chen
+Closes #20534
+
+CVE: CVE-2026-1965
+Upstream-Status: Backport [https://github.com/curl/curl/commit/34fa034d9a390c4bd65e2d05262755ec8646ac12]
+
+Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
+---
+ lib/url.c | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 82 insertions(+), 5 deletions(-)
+
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -935,6 +935,18 @@ ConnectionExists(struct Curl_easy *data,
+ bool wantProxyNTLMhttp = FALSE;
+ #endif
+ #endif
++
++#if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO)
++ bool wantNegohttp =
++ (data->state.authhost.want & CURLAUTH_NEGOTIATE) &&
++ (needle->handler->protocol & PROTO_FAMILY_HTTP);
++#ifndef CURL_DISABLE_PROXY
++ bool wantProxyNegohttp =
++ needle->bits.proxy_user_passwd &&
++ (data->state.authproxy.want & CURLAUTH_NEGOTIATE) &&
++ (needle->handler->protocol & PROTO_FAMILY_HTTP);
++#endif
++#endif
+ /* plain HTTP with upgrade */
+ bool h2upgrade = (data->state.httpwant == CURL_HTTP_VERSION_2_0) &&
+ (needle->handler->protocol & CURLPROTO_HTTP);
+@@ -1272,6 +1284,56 @@ ConnectionExists(struct Curl_easy *data,
+ }
+ #endif
+
++#ifdef USE_SPNEGO
++ /* If we are looking for an HTTP+Negotiate connection, check if this is
++ already authenticating with the right credentials. If not, keep looking
++ so that we can reuse Negotiate connections if possible. */
++ if(wantNegohttp) {
++ if(Curl_timestrcmp(needle->user, check->user) ||
++ Curl_timestrcmp(needle->passwd, check->passwd))
++ continue;
++ }
++ else if(check->http_negotiate_state != GSS_AUTHNONE) {
++ /* Connection is using Negotiate auth but we do not want Negotiate */
++ continue;
++ }
++
++#ifndef CURL_DISABLE_PROXY
++ /* Same for Proxy Negotiate authentication */
++ if(wantProxyNegohttp) {
++ /* Both check->http_proxy.user and check->http_proxy.passwd can be
++ * NULL */
++ if(!check->http_proxy.user || !check->http_proxy.passwd)
++ continue;
++
++ if(Curl_timestrcmp(needle->http_proxy.user,
++ check->http_proxy.user) ||
++ Curl_timestrcmp(needle->http_proxy.passwd,
++ check->http_proxy.passwd))
++ continue;
++ }
++ else if(check->proxy_negotiate_state != GSS_AUTHNONE) {
++ /* Proxy connection is using Negotiate auth but we do not want Negotiate */
++ continue;
++ }
++#endif
++ if(wantNTLMhttp || wantProxyNTLMhttp) {
++ /* Credentials are already checked, we may use this connection. We MUST
++ * use a connection where it has already been fully negotiated. If it has
++ * not, we keep on looking for a better one. */
++ chosen = check;
++ if((wantNegohttp &&
++ (check->http_negotiate_state != GSS_AUTHNONE)) ||
++ (wantProxyNegohttp &&
++ (check->proxy_negotiate_state != GSS_AUTHNONE))) {
++ /* We must use this connection, no other */
++ *force_reuse = TRUE;
++ break;
++ }
++ continue; /* get another */
++ }
++#endif
++
+ if(CONN_INUSE(check)) {
+ DEBUGASSERT(canmultiplex);
+ DEBUGASSERT(check->bits.multiplex);
diff --git a/meta/recipes-support/curl/curl/CVE-2026-1965_p2.patch b/meta/recipes-support/curl/curl/CVE-2026-1965_p2.patch
new file mode 100644
index 0000000000..1fdb658f23
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2026-1965_p2.patch
@@ -0,0 +1,30 @@
+Backport of:
+
+From f1a39f221d57354990e3eeeddc3404aede2aff70 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 21 Feb 2026 18:11:41 +0100
+Subject: [PATCH] url: fix copy and paste url_match_auth_nego mistake
+
+Follow-up to 34fa034
+Reported-by: dahmono on github
+Closes #20662
+
+CVE: CVE-2026-1965
+Upstream-Status: Backport [https://github.com/curl/curl/commit/f1a39f221d57354990e3eeeddc3404aede2aff70]
+
+Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
+---
+ lib/url.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1317,7 +1317,7 @@ ConnectionExists(struct Curl_easy *data,
+ continue;
+ }
+ #endif
+- if(wantNTLMhttp || wantProxyNTLMhttp) {
++ if(wantNegohttp || wantProxyNegohttp) {
+ /* Credentials are already checked, we may use this connection. We MUST
+ * use a connection where it has already been fully negotiated. If it has
+ * not, we keep on looking for a better one. */
diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb
index 9e37684b2c..e2f6f8472f 100644
--- a/meta/recipes-support/curl/curl_8.7.1.bb
+++ b/meta/recipes-support/curl/curl_8.7.1.bb
@@ -32,6 +32,8 @@ SRC_URI = " \
file://CVE-2025-14819.patch \
file://CVE-2025-15079.patch \
file://CVE-2025-15224.patch \
+ file://CVE-2026-1965_p1.patch \
+ file://CVE-2026-1965_p2.patch \
"
SRC_URI:append:class-nativesdk = " \
--
2.44.4
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [OE-core][scarthgap][PATCH v2 1/3] curl: fix CVE-2026-1965
2026-03-26 4:46 [OE-core][scarthgap][PATCH 1/1] curl: fix CVE-2026-1965 Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)
@ 2026-03-26 10:00 ` Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-03-27 17:05 ` Yoann Congal
0 siblings, 1 reply; 4+ messages in thread
From: Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-03-26 10:00 UTC (permalink / raw)
To: openembedded-core
From: Sudhir Dumbhare <sudumbha@cisco.com>
Applying the fixes from upstream commit [3] and [4] cause merge conflicts
and require other dependent commits to be backported. Instead, backport
the Ubuntu-provided patches [1], which fixes the vulnerability as mentioned
in changelog [2].
[1] http://archive.ubuntu.com/ubuntu/pool/main/c/curl/curl_8.5.0-2ubuntu10.8.debian.tar.xz
debian/patches/CVE-2026-1965-1.patch
debian/patches/CVE-2026-1965-2.patch
[2] https://changelogs.ubuntu.com/changelogs/pool/main/c/curl/curl_8.5.0-2ubuntu10.8/changelog
[3] https://github.com/curl/curl/commit/34fa034d9a390c4bd65e2d05262755ec8646ac12
[4] https://github.com/curl/curl/commit/f1a39f221d57354990e3eeeddc3404aede2aff70
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-1965
https://curl.se/docs/CVE-2026-1965.html
https://ubuntu.com/security/CVE-2026-1965
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
---
Changes from v1 -> v2:
- Updated with the correct patch series numbering
.../curl/curl/CVE-2026-1965_p1.patch | 98 +++++++++++++++++++
.../curl/curl/CVE-2026-1965_p2.patch | 30 ++++++
meta/recipes-support/curl/curl_8.7.1.bb | 2 +
3 files changed, 130 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2026-1965_p1.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2026-1965_p2.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2026-1965_p1.patch b/meta/recipes-support/curl/curl/CVE-2026-1965_p1.patch
new file mode 100644
index 0000000000..8079b453eb
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2026-1965_p1.patch
@@ -0,0 +1,98 @@
+Backport of:
+
+From 34fa034d9a390c4bd65e2d05262755ec8646ac12 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 5 Feb 2026 08:34:21 +0100
+Subject: [PATCH] url: fix reuse of connections using HTTP Negotiate
+
+Assume Negotiate means connection-based
+
+Reported-by: Zhicheng Chen
+Closes #20534
+
+CVE: CVE-2026-1965
+Upstream-Status: Backport [https://github.com/curl/curl/commit/34fa034d9a390c4bd65e2d05262755ec8646ac12]
+
+Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
+---
+ lib/url.c | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 82 insertions(+), 5 deletions(-)
+
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -935,6 +935,18 @@ ConnectionExists(struct Curl_easy *data,
+ bool wantProxyNTLMhttp = FALSE;
+ #endif
+ #endif
++
++#if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO)
++ bool wantNegohttp =
++ (data->state.authhost.want & CURLAUTH_NEGOTIATE) &&
++ (needle->handler->protocol & PROTO_FAMILY_HTTP);
++#ifndef CURL_DISABLE_PROXY
++ bool wantProxyNegohttp =
++ needle->bits.proxy_user_passwd &&
++ (data->state.authproxy.want & CURLAUTH_NEGOTIATE) &&
++ (needle->handler->protocol & PROTO_FAMILY_HTTP);
++#endif
++#endif
+ /* plain HTTP with upgrade */
+ bool h2upgrade = (data->state.httpwant == CURL_HTTP_VERSION_2_0) &&
+ (needle->handler->protocol & CURLPROTO_HTTP);
+@@ -1272,6 +1284,56 @@ ConnectionExists(struct Curl_easy *data,
+ }
+ #endif
+
++#ifdef USE_SPNEGO
++ /* If we are looking for an HTTP+Negotiate connection, check if this is
++ already authenticating with the right credentials. If not, keep looking
++ so that we can reuse Negotiate connections if possible. */
++ if(wantNegohttp) {
++ if(Curl_timestrcmp(needle->user, check->user) ||
++ Curl_timestrcmp(needle->passwd, check->passwd))
++ continue;
++ }
++ else if(check->http_negotiate_state != GSS_AUTHNONE) {
++ /* Connection is using Negotiate auth but we do not want Negotiate */
++ continue;
++ }
++
++#ifndef CURL_DISABLE_PROXY
++ /* Same for Proxy Negotiate authentication */
++ if(wantProxyNegohttp) {
++ /* Both check->http_proxy.user and check->http_proxy.passwd can be
++ * NULL */
++ if(!check->http_proxy.user || !check->http_proxy.passwd)
++ continue;
++
++ if(Curl_timestrcmp(needle->http_proxy.user,
++ check->http_proxy.user) ||
++ Curl_timestrcmp(needle->http_proxy.passwd,
++ check->http_proxy.passwd))
++ continue;
++ }
++ else if(check->proxy_negotiate_state != GSS_AUTHNONE) {
++ /* Proxy connection is using Negotiate auth but we do not want Negotiate */
++ continue;
++ }
++#endif
++ if(wantNTLMhttp || wantProxyNTLMhttp) {
++ /* Credentials are already checked, we may use this connection. We MUST
++ * use a connection where it has already been fully negotiated. If it has
++ * not, we keep on looking for a better one. */
++ chosen = check;
++ if((wantNegohttp &&
++ (check->http_negotiate_state != GSS_AUTHNONE)) ||
++ (wantProxyNegohttp &&
++ (check->proxy_negotiate_state != GSS_AUTHNONE))) {
++ /* We must use this connection, no other */
++ *force_reuse = TRUE;
++ break;
++ }
++ continue; /* get another */
++ }
++#endif
++
+ if(CONN_INUSE(check)) {
+ DEBUGASSERT(canmultiplex);
+ DEBUGASSERT(check->bits.multiplex);
diff --git a/meta/recipes-support/curl/curl/CVE-2026-1965_p2.patch b/meta/recipes-support/curl/curl/CVE-2026-1965_p2.patch
new file mode 100644
index 0000000000..1fdb658f23
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2026-1965_p2.patch
@@ -0,0 +1,30 @@
+Backport of:
+
+From f1a39f221d57354990e3eeeddc3404aede2aff70 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 21 Feb 2026 18:11:41 +0100
+Subject: [PATCH] url: fix copy and paste url_match_auth_nego mistake
+
+Follow-up to 34fa034
+Reported-by: dahmono on github
+Closes #20662
+
+CVE: CVE-2026-1965
+Upstream-Status: Backport [https://github.com/curl/curl/commit/f1a39f221d57354990e3eeeddc3404aede2aff70]
+
+Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
+---
+ lib/url.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1317,7 +1317,7 @@ ConnectionExists(struct Curl_easy *data,
+ continue;
+ }
+ #endif
+- if(wantNTLMhttp || wantProxyNTLMhttp) {
++ if(wantNegohttp || wantProxyNegohttp) {
+ /* Credentials are already checked, we may use this connection. We MUST
+ * use a connection where it has already been fully negotiated. If it has
+ * not, we keep on looking for a better one. */
diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb
index 9e37684b2c..e2f6f8472f 100644
--- a/meta/recipes-support/curl/curl_8.7.1.bb
+++ b/meta/recipes-support/curl/curl_8.7.1.bb
@@ -32,6 +32,8 @@ SRC_URI = " \
file://CVE-2025-14819.patch \
file://CVE-2025-15079.patch \
file://CVE-2025-15224.patch \
+ file://CVE-2026-1965_p1.patch \
+ file://CVE-2026-1965_p2.patch \
"
SRC_URI:append:class-nativesdk = " \
--
2.44.4
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [OE-core][scarthgap][PATCH v2 1/3] curl: fix CVE-2026-1965
2026-03-26 10:00 ` [OE-core][scarthgap][PATCH v2 1/3] " Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)
@ 2026-03-27 17:05 ` Yoann Congal
2026-03-27 17:08 ` Yoann Congal
0 siblings, 1 reply; 4+ messages in thread
From: Yoann Congal @ 2026-03-27 17:05 UTC (permalink / raw)
To: sudumbha, openembedded-core
On Thu Mar 26, 2026 at 11:00 AM CET, Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote:
> From: Sudhir Dumbhare <sudumbha@cisco.com>
>
> Applying the fixes from upstream commit [3] and [4] cause merge conflicts
> and require other dependent commits to be backported. Instead, backport
> the Ubuntu-provided patches [1], which fixes the vulnerability as mentioned
> in changelog [2].
>
> [1] http://archive.ubuntu.com/ubuntu/pool/main/c/curl/curl_8.5.0-2ubuntu10.8.debian.tar.xz
> debian/patches/CVE-2026-1965-1.patch
> debian/patches/CVE-2026-1965-2.patch
> [2] https://changelogs.ubuntu.com/changelogs/pool/main/c/curl/curl_8.5.0-2ubuntu10.8/changelog
> [3] https://github.com/curl/curl/commit/34fa034d9a390c4bd65e2d05262755ec8646ac12
> [4] https://github.com/curl/curl/commit/f1a39f221d57354990e3eeeddc3404aede2aff70
>
> Reference:
> https://nvd.nist.gov/vuln/detail/CVE-2026-1965
> https://curl.se/docs/CVE-2026-1965.html
> https://ubuntu.com/security/CVE-2026-1965
>
> Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
> ---
Hello,
Looks like this patch break tests on arm64:
WARNING: core-image-ptest-curl-1.0-r0 do_testimage: There were failing ptests.
[...]
AssertionError:
Failed ptests:
{'curl': ['2006_-_.netrc_default_with_redirect_plus_oauth2-bearer_-_data']}
Can you look at this?
And, while you are fixing this patch, can you please resend your series
(the 3 curl CVE fixes) as 1 series instead of 3 individual patches?
Thanks!
> Changes from v1 -> v2:
> - Updated with the correct patch series numbering
>
> .../curl/curl/CVE-2026-1965_p1.patch | 98 +++++++++++++++++++
> .../curl/curl/CVE-2026-1965_p2.patch | 30 ++++++
> meta/recipes-support/curl/curl_8.7.1.bb | 2 +
> 3 files changed, 130 insertions(+)
> create mode 100644 meta/recipes-support/curl/curl/CVE-2026-1965_p1.patch
> create mode 100644 meta/recipes-support/curl/curl/CVE-2026-1965_p2.patch
>
> diff --git a/meta/recipes-support/curl/curl/CVE-2026-1965_p1.patch b/meta/recipes-support/curl/curl/CVE-2026-1965_p1.patch
> new file mode 100644
> index 0000000000..8079b453eb
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2026-1965_p1.patch
> @@ -0,0 +1,98 @@
> +Backport of:
> +
> +From 34fa034d9a390c4bd65e2d05262755ec8646ac12 Mon Sep 17 00:00:00 2001
> +From: Daniel Stenberg <daniel@haxx.se>
> +Date: Thu, 5 Feb 2026 08:34:21 +0100
> +Subject: [PATCH] url: fix reuse of connections using HTTP Negotiate
> +
> +Assume Negotiate means connection-based
> +
> +Reported-by: Zhicheng Chen
> +Closes #20534
> +
> +CVE: CVE-2026-1965
> +Upstream-Status: Backport [https://github.com/curl/curl/commit/34fa034d9a390c4bd65e2d05262755ec8646ac12]
> +
> +Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
> +---
> + lib/url.c | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++----
> + 1 file changed, 82 insertions(+), 5 deletions(-)
> +
> +--- a/lib/url.c
> ++++ b/lib/url.c
> +@@ -935,6 +935,18 @@ ConnectionExists(struct Curl_easy *data,
> + bool wantProxyNTLMhttp = FALSE;
> + #endif
> + #endif
> ++
> ++#if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO)
> ++ bool wantNegohttp =
> ++ (data->state.authhost.want & CURLAUTH_NEGOTIATE) &&
> ++ (needle->handler->protocol & PROTO_FAMILY_HTTP);
> ++#ifndef CURL_DISABLE_PROXY
> ++ bool wantProxyNegohttp =
> ++ needle->bits.proxy_user_passwd &&
> ++ (data->state.authproxy.want & CURLAUTH_NEGOTIATE) &&
> ++ (needle->handler->protocol & PROTO_FAMILY_HTTP);
> ++#endif
> ++#endif
> + /* plain HTTP with upgrade */
> + bool h2upgrade = (data->state.httpwant == CURL_HTTP_VERSION_2_0) &&
> + (needle->handler->protocol & CURLPROTO_HTTP);
> +@@ -1272,6 +1284,56 @@ ConnectionExists(struct Curl_easy *data,
> + }
> + #endif
> +
> ++#ifdef USE_SPNEGO
> ++ /* If we are looking for an HTTP+Negotiate connection, check if this is
> ++ already authenticating with the right credentials. If not, keep looking
> ++ so that we can reuse Negotiate connections if possible. */
> ++ if(wantNegohttp) {
> ++ if(Curl_timestrcmp(needle->user, check->user) ||
> ++ Curl_timestrcmp(needle->passwd, check->passwd))
> ++ continue;
> ++ }
> ++ else if(check->http_negotiate_state != GSS_AUTHNONE) {
> ++ /* Connection is using Negotiate auth but we do not want Negotiate */
> ++ continue;
> ++ }
> ++
> ++#ifndef CURL_DISABLE_PROXY
> ++ /* Same for Proxy Negotiate authentication */
> ++ if(wantProxyNegohttp) {
> ++ /* Both check->http_proxy.user and check->http_proxy.passwd can be
> ++ * NULL */
> ++ if(!check->http_proxy.user || !check->http_proxy.passwd)
> ++ continue;
> ++
> ++ if(Curl_timestrcmp(needle->http_proxy.user,
> ++ check->http_proxy.user) ||
> ++ Curl_timestrcmp(needle->http_proxy.passwd,
> ++ check->http_proxy.passwd))
> ++ continue;
> ++ }
> ++ else if(check->proxy_negotiate_state != GSS_AUTHNONE) {
> ++ /* Proxy connection is using Negotiate auth but we do not want Negotiate */
> ++ continue;
> ++ }
> ++#endif
> ++ if(wantNTLMhttp || wantProxyNTLMhttp) {
> ++ /* Credentials are already checked, we may use this connection. We MUST
> ++ * use a connection where it has already been fully negotiated. If it has
> ++ * not, we keep on looking for a better one. */
> ++ chosen = check;
> ++ if((wantNegohttp &&
> ++ (check->http_negotiate_state != GSS_AUTHNONE)) ||
> ++ (wantProxyNegohttp &&
> ++ (check->proxy_negotiate_state != GSS_AUTHNONE))) {
> ++ /* We must use this connection, no other */
> ++ *force_reuse = TRUE;
> ++ break;
> ++ }
> ++ continue; /* get another */
> ++ }
> ++#endif
> ++
> + if(CONN_INUSE(check)) {
> + DEBUGASSERT(canmultiplex);
> + DEBUGASSERT(check->bits.multiplex);
> diff --git a/meta/recipes-support/curl/curl/CVE-2026-1965_p2.patch b/meta/recipes-support/curl/curl/CVE-2026-1965_p2.patch
> new file mode 100644
> index 0000000000..1fdb658f23
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2026-1965_p2.patch
> @@ -0,0 +1,30 @@
> +Backport of:
> +
> +From f1a39f221d57354990e3eeeddc3404aede2aff70 Mon Sep 17 00:00:00 2001
> +From: Daniel Stenberg <daniel@haxx.se>
> +Date: Sat, 21 Feb 2026 18:11:41 +0100
> +Subject: [PATCH] url: fix copy and paste url_match_auth_nego mistake
> +
> +Follow-up to 34fa034
> +Reported-by: dahmono on github
> +Closes #20662
> +
> +CVE: CVE-2026-1965
> +Upstream-Status: Backport [https://github.com/curl/curl/commit/f1a39f221d57354990e3eeeddc3404aede2aff70]
> +
> +Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
> +---
> + lib/url.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +--- a/lib/url.c
> ++++ b/lib/url.c
> +@@ -1317,7 +1317,7 @@ ConnectionExists(struct Curl_easy *data,
> + continue;
> + }
> + #endif
> +- if(wantNTLMhttp || wantProxyNTLMhttp) {
> ++ if(wantNegohttp || wantProxyNegohttp) {
> + /* Credentials are already checked, we may use this connection. We MUST
> + * use a connection where it has already been fully negotiated. If it has
> + * not, we keep on looking for a better one. */
> diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb
> index 9e37684b2c..e2f6f8472f 100644
> --- a/meta/recipes-support/curl/curl_8.7.1.bb
> +++ b/meta/recipes-support/curl/curl_8.7.1.bb
> @@ -32,6 +32,8 @@ SRC_URI = " \
> file://CVE-2025-14819.patch \
> file://CVE-2025-15079.patch \
> file://CVE-2025-15224.patch \
> + file://CVE-2026-1965_p1.patch \
> + file://CVE-2026-1965_p2.patch \
> "
>
> SRC_URI:append:class-nativesdk = " \
--
Yoann Congal
Smile ECS
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [OE-core][scarthgap][PATCH v2 1/3] curl: fix CVE-2026-1965
2026-03-27 17:05 ` Yoann Congal
@ 2026-03-27 17:08 ` Yoann Congal
0 siblings, 0 replies; 4+ messages in thread
From: Yoann Congal @ 2026-03-27 17:08 UTC (permalink / raw)
To: Yoann Congal, sudumbha, openembedded-core
On Fri Mar 27, 2026 at 6:05 PM CET, Yoann Congal wrote:
> On Thu Mar 26, 2026 at 11:00 AM CET, Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote:
>> From: Sudhir Dumbhare <sudumbha@cisco.com>
>>
>> Applying the fixes from upstream commit [3] and [4] cause merge conflicts
>> and require other dependent commits to be backported. Instead, backport
>> the Ubuntu-provided patches [1], which fixes the vulnerability as mentioned
>> in changelog [2].
>>
>> [1] http://archive.ubuntu.com/ubuntu/pool/main/c/curl/curl_8.5.0-2ubuntu10.8.debian.tar.xz
>> debian/patches/CVE-2026-1965-1.patch
>> debian/patches/CVE-2026-1965-2.patch
>> [2] https://changelogs.ubuntu.com/changelogs/pool/main/c/curl/curl_8.5.0-2ubuntu10.8/changelog
>> [3] https://github.com/curl/curl/commit/34fa034d9a390c4bd65e2d05262755ec8646ac12
>> [4] https://github.com/curl/curl/commit/f1a39f221d57354990e3eeeddc3404aede2aff70
>>
>> Reference:
>> https://nvd.nist.gov/vuln/detail/CVE-2026-1965
>> https://curl.se/docs/CVE-2026-1965.html
>> https://ubuntu.com/security/CVE-2026-1965
>>
>> Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
>> ---
>
> Hello,
>
> Looks like this patch break tests on arm64:
> WARNING: core-image-ptest-curl-1.0-r0 do_testimage: There were failing ptests.
> [...]
> AssertionError:
> Failed ptests:
> {'curl': ['2006_-_.netrc_default_with_redirect_plus_oauth2-bearer_-_data']}
And also breaks on x86-64:
qemuarm64-ptest https://autobuilder.yoctoproject.org/valkyrie/#/builders/61/builds/3361
qemux86-64-ptest https://autobuilder.yoctoproject.org/valkyrie/#/builders/73/builds/3384
>
> Can you look at this?
>
> And, while you are fixing this patch, can you please resend your series
> (the 3 curl CVE fixes) as 1 series instead of 3 individual patches?
>
> Thanks!
>
>
>> Changes from v1 -> v2:
>> - Updated with the correct patch series numbering
>>
>> .../curl/curl/CVE-2026-1965_p1.patch | 98 +++++++++++++++++++
>> .../curl/curl/CVE-2026-1965_p2.patch | 30 ++++++
>> meta/recipes-support/curl/curl_8.7.1.bb | 2 +
>> 3 files changed, 130 insertions(+)
>> create mode 100644 meta/recipes-support/curl/curl/CVE-2026-1965_p1.patch
>> create mode 100644 meta/recipes-support/curl/curl/CVE-2026-1965_p2.patch
>>
>> diff --git a/meta/recipes-support/curl/curl/CVE-2026-1965_p1.patch b/meta/recipes-support/curl/curl/CVE-2026-1965_p1.patch
>> new file mode 100644
>> index 0000000000..8079b453eb
>> --- /dev/null
>> +++ b/meta/recipes-support/curl/curl/CVE-2026-1965_p1.patch
>> @@ -0,0 +1,98 @@
>> +Backport of:
>> +
>> +From 34fa034d9a390c4bd65e2d05262755ec8646ac12 Mon Sep 17 00:00:00 2001
>> +From: Daniel Stenberg <daniel@haxx.se>
>> +Date: Thu, 5 Feb 2026 08:34:21 +0100
>> +Subject: [PATCH] url: fix reuse of connections using HTTP Negotiate
>> +
>> +Assume Negotiate means connection-based
>> +
>> +Reported-by: Zhicheng Chen
>> +Closes #20534
>> +
>> +CVE: CVE-2026-1965
>> +Upstream-Status: Backport [https://github.com/curl/curl/commit/34fa034d9a390c4bd65e2d05262755ec8646ac12]
>> +
>> +Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
>> +---
>> + lib/url.c | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++----
>> + 1 file changed, 82 insertions(+), 5 deletions(-)
>> +
>> +--- a/lib/url.c
>> ++++ b/lib/url.c
>> +@@ -935,6 +935,18 @@ ConnectionExists(struct Curl_easy *data,
>> + bool wantProxyNTLMhttp = FALSE;
>> + #endif
>> + #endif
>> ++
>> ++#if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO)
>> ++ bool wantNegohttp =
>> ++ (data->state.authhost.want & CURLAUTH_NEGOTIATE) &&
>> ++ (needle->handler->protocol & PROTO_FAMILY_HTTP);
>> ++#ifndef CURL_DISABLE_PROXY
>> ++ bool wantProxyNegohttp =
>> ++ needle->bits.proxy_user_passwd &&
>> ++ (data->state.authproxy.want & CURLAUTH_NEGOTIATE) &&
>> ++ (needle->handler->protocol & PROTO_FAMILY_HTTP);
>> ++#endif
>> ++#endif
>> + /* plain HTTP with upgrade */
>> + bool h2upgrade = (data->state.httpwant == CURL_HTTP_VERSION_2_0) &&
>> + (needle->handler->protocol & CURLPROTO_HTTP);
>> +@@ -1272,6 +1284,56 @@ ConnectionExists(struct Curl_easy *data,
>> + }
>> + #endif
>> +
>> ++#ifdef USE_SPNEGO
>> ++ /* If we are looking for an HTTP+Negotiate connection, check if this is
>> ++ already authenticating with the right credentials. If not, keep looking
>> ++ so that we can reuse Negotiate connections if possible. */
>> ++ if(wantNegohttp) {
>> ++ if(Curl_timestrcmp(needle->user, check->user) ||
>> ++ Curl_timestrcmp(needle->passwd, check->passwd))
>> ++ continue;
>> ++ }
>> ++ else if(check->http_negotiate_state != GSS_AUTHNONE) {
>> ++ /* Connection is using Negotiate auth but we do not want Negotiate */
>> ++ continue;
>> ++ }
>> ++
>> ++#ifndef CURL_DISABLE_PROXY
>> ++ /* Same for Proxy Negotiate authentication */
>> ++ if(wantProxyNegohttp) {
>> ++ /* Both check->http_proxy.user and check->http_proxy.passwd can be
>> ++ * NULL */
>> ++ if(!check->http_proxy.user || !check->http_proxy.passwd)
>> ++ continue;
>> ++
>> ++ if(Curl_timestrcmp(needle->http_proxy.user,
>> ++ check->http_proxy.user) ||
>> ++ Curl_timestrcmp(needle->http_proxy.passwd,
>> ++ check->http_proxy.passwd))
>> ++ continue;
>> ++ }
>> ++ else if(check->proxy_negotiate_state != GSS_AUTHNONE) {
>> ++ /* Proxy connection is using Negotiate auth but we do not want Negotiate */
>> ++ continue;
>> ++ }
>> ++#endif
>> ++ if(wantNTLMhttp || wantProxyNTLMhttp) {
>> ++ /* Credentials are already checked, we may use this connection. We MUST
>> ++ * use a connection where it has already been fully negotiated. If it has
>> ++ * not, we keep on looking for a better one. */
>> ++ chosen = check;
>> ++ if((wantNegohttp &&
>> ++ (check->http_negotiate_state != GSS_AUTHNONE)) ||
>> ++ (wantProxyNegohttp &&
>> ++ (check->proxy_negotiate_state != GSS_AUTHNONE))) {
>> ++ /* We must use this connection, no other */
>> ++ *force_reuse = TRUE;
>> ++ break;
>> ++ }
>> ++ continue; /* get another */
>> ++ }
>> ++#endif
>> ++
>> + if(CONN_INUSE(check)) {
>> + DEBUGASSERT(canmultiplex);
>> + DEBUGASSERT(check->bits.multiplex);
>> diff --git a/meta/recipes-support/curl/curl/CVE-2026-1965_p2.patch b/meta/recipes-support/curl/curl/CVE-2026-1965_p2.patch
>> new file mode 100644
>> index 0000000000..1fdb658f23
>> --- /dev/null
>> +++ b/meta/recipes-support/curl/curl/CVE-2026-1965_p2.patch
>> @@ -0,0 +1,30 @@
>> +Backport of:
>> +
>> +From f1a39f221d57354990e3eeeddc3404aede2aff70 Mon Sep 17 00:00:00 2001
>> +From: Daniel Stenberg <daniel@haxx.se>
>> +Date: Sat, 21 Feb 2026 18:11:41 +0100
>> +Subject: [PATCH] url: fix copy and paste url_match_auth_nego mistake
>> +
>> +Follow-up to 34fa034
>> +Reported-by: dahmono on github
>> +Closes #20662
>> +
>> +CVE: CVE-2026-1965
>> +Upstream-Status: Backport [https://github.com/curl/curl/commit/f1a39f221d57354990e3eeeddc3404aede2aff70]
>> +
>> +Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
>> +---
>> + lib/url.c | 2 +-
>> + 1 file changed, 1 insertion(+), 1 deletion(-)
>> +
>> +--- a/lib/url.c
>> ++++ b/lib/url.c
>> +@@ -1317,7 +1317,7 @@ ConnectionExists(struct Curl_easy *data,
>> + continue;
>> + }
>> + #endif
>> +- if(wantNTLMhttp || wantProxyNTLMhttp) {
>> ++ if(wantNegohttp || wantProxyNegohttp) {
>> + /* Credentials are already checked, we may use this connection. We MUST
>> + * use a connection where it has already been fully negotiated. If it has
>> + * not, we keep on looking for a better one. */
>> diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb
>> index 9e37684b2c..e2f6f8472f 100644
>> --- a/meta/recipes-support/curl/curl_8.7.1.bb
>> +++ b/meta/recipes-support/curl/curl_8.7.1.bb
>> @@ -32,6 +32,8 @@ SRC_URI = " \
>> file://CVE-2025-14819.patch \
>> file://CVE-2025-15079.patch \
>> file://CVE-2025-15224.patch \
>> + file://CVE-2026-1965_p1.patch \
>> + file://CVE-2026-1965_p2.patch \
>> "
>>
>> SRC_URI:append:class-nativesdk = " \
--
Yoann Congal
Smile ECS
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-03-27 17:08 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-26 4:46 [OE-core][scarthgap][PATCH 1/1] curl: fix CVE-2026-1965 Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-03-26 10:00 ` [OE-core][scarthgap][PATCH v2 1/3] " Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-03-27 17:05 ` Yoann Congal
2026-03-27 17:08 ` Yoann Congal
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox