Re: [OE-core][kirkstone][PATCH v2 2/4] curl: patch CVE-2026-1965

public inbox for openembedded-core@lists.openembedded.org
 help / color / mirror / Atom feed

From: "Yoann Congal" <yoann.congal@smile.fr>
To: <vanusuri@mvista.com>, <openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core][kirkstone][PATCH v2 2/4] curl: patch CVE-2026-1965
Date: Mon, 06 Apr 2026 01:00:21 +0200	[thread overview]
Message-ID: <DHLLF032FZNH.11L4QM7EJC5RQ@smile.fr> (raw)
In-Reply-To: <20260321094723.273058-2-vanusuri@mvista.com>

On Sat Mar 21, 2026 at 10:47 AM CET, Vijay Anusuri via lists.openembedded.org wrote:
> From: Vijay Anusuri <vanusuri@mvista.com>
>
> pick patches from ubuntu per [1]
>
> [1] https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/curl/7.81.0-1ubuntu1.23/curl_7.81.0-1ubuntu1.23.debian.tar.xz
> [2] https://ubuntu.com/security/CVE-2026-1965
> [3] https://curl.se/docs/CVE-2026-1965.html
>
> Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>

Hello,

Patches 2-4/4 of this series look good but they are needed on scarthgap,
they where sent but broke ptests:
https://lore.kernel.org/openembedded-core/20260326044647.2001828-3-sudumbha@cisco.com/T/#mc969f24be8b39369604b1de445f2af5e38bac083

I'll proceed with review but can only merge them if the equivalent
series is fixed on scarthgap.

Maybe you can help/fix the scarthgap series?

Thanks,

> ---
>  .../curl/curl/CVE-2026-1965-1.patch           | 98 +++++++++++++++++++
>  .../curl/curl/CVE-2026-1965-2.patch           | 29 ++++++
>  meta/recipes-support/curl/curl_7.82.0.bb      |  2 +
>  3 files changed, 129 insertions(+)
>  create mode 100644 meta/recipes-support/curl/curl/CVE-2026-1965-1.patch
>  create mode 100644 meta/recipes-support/curl/curl/CVE-2026-1965-2.patch
>
> diff --git a/meta/recipes-support/curl/curl/CVE-2026-1965-1.patch b/meta/recipes-support/curl/curl/CVE-2026-1965-1.patch
> new file mode 100644
> index 0000000000..1d0f5c59e8
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2026-1965-1.patch
> @@ -0,0 +1,98 @@
> +From 34fa034d9a390c4bd65e2d05262755ec8646ac12 Mon Sep 17 00:00:00 2001
> +From: Daniel Stenberg <daniel@haxx.se>
> +Date: Thu, 5 Feb 2026 08:34:21 +0100
> +Subject: [PATCH] url: fix reuse of connections using HTTP Negotiate
> +
> +Assume Negotiate means connection-based
> +
> +Reported-by: Zhicheng Chen
> +Closes #20534
> +
> +Upstream-Status: Backport [https://github.com/curl/curl/commit/34fa034d9a390c4bd6]
> +Backported by Ubuntu team https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/curl/7.81.0-1ubuntu1.23/curl_7.81.0-1ubuntu1.23.debian.tar.xz
> +
> +CVE: CVE-2026-1965
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + lib/url.c | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++----
> + 1 file changed, 82 insertions(+), 5 deletions(-)
> +
> +--- a/lib/url.c
> ++++ b/lib/url.c
> +@@ -1145,6 +1145,18 @@ ConnectionExists(struct Curl_easy *data,
> + #endif
> + #endif
> + 
> ++#if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO)
> ++  bool wantNegohttp =
> ++    (data->state.authhost.want & CURLAUTH_NEGOTIATE) &&
> ++    (needle->handler->protocol & PROTO_FAMILY_HTTP);
> ++#ifndef CURL_DISABLE_PROXY
> ++  bool wantProxyNegohttp =
> ++    needle->bits.proxy_user_passwd &&
> ++    (data->state.authproxy.want & CURLAUTH_NEGOTIATE) &&
> ++    (needle->handler->protocol & PROTO_FAMILY_HTTP);
> ++#endif
> ++#endif
> ++
> +   *force_reuse = FALSE;
> +   *waitpipe = FALSE;
> + 
> +@@ -1496,6 +1508,57 @@ ConnectionExists(struct Curl_easy *data,
> +           continue;
> +         }
> + #endif
> ++
> ++#ifdef USE_SPNEGO
> ++  /* If we are looking for an HTTP+Negotiate connection, check if this is
> ++     already authenticating with the right credentials. If not, keep looking
> ++     so that we can reuse Negotiate connections if possible. */
> ++  if(wantNegohttp) {
> ++    if(Curl_timestrcmp(needle->user, check->user) ||
> ++       Curl_timestrcmp(needle->passwd, check->passwd))
> ++      continue;
> ++  }
> ++  else if(check->http_negotiate_state != GSS_AUTHNONE) {
> ++    /* Connection is using Negotiate auth but we do not want Negotiate */
> ++    continue;
> ++  }
> ++
> ++#ifndef CURL_DISABLE_PROXY
> ++  /* Same for Proxy Negotiate authentication */
> ++  if(wantProxyNegohttp) {
> ++    /* Both check->http_proxy.user and check->http_proxy.passwd can be
> ++     * NULL */
> ++    if(!check->http_proxy.user || !check->http_proxy.passwd)
> ++      continue;
> ++
> ++    if(Curl_timestrcmp(needle->http_proxy.user,
> ++                       check->http_proxy.user) ||
> ++       Curl_timestrcmp(needle->http_proxy.passwd,
> ++                       check->http_proxy.passwd))
> ++      continue;
> ++  }
> ++  else if(check->proxy_negotiate_state != GSS_AUTHNONE) {
> ++    /* Proxy connection is using Negotiate auth but we do not want Negotiate */
> ++    continue;
> ++  }
> ++#endif
> ++  if(wantNTLMhttp || wantProxyNTLMhttp) {
> ++    /* Credentials are already checked, we may use this connection. We MUST
> ++     * use a connection where it has already been fully negotiated. If it has
> ++     * not, we keep on looking for a better one. */
> ++    chosen = check;
> ++    if((wantNegohttp &&
> ++        (check->http_negotiate_state != GSS_AUTHNONE)) ||
> ++       (wantProxyNegohttp &&
> ++        (check->proxy_negotiate_state != GSS_AUTHNONE))) {
> ++      /* We must use this connection, no other */
> ++      *force_reuse = TRUE;
> ++      break;
> ++    }
> ++    continue; /* get another */
> ++  }
> ++#endif
> ++
> +         if(canmultiplex) {
> +           /* We can multiplex if we want to. Let's continue looking for
> +              the optimal connection to use. */
> diff --git a/meta/recipes-support/curl/curl/CVE-2026-1965-2.patch b/meta/recipes-support/curl/curl/CVE-2026-1965-2.patch
> new file mode 100644
> index 0000000000..fa5fefd251
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2026-1965-2.patch
> @@ -0,0 +1,29 @@
> +From f1a39f221d57354990e3eeeddc3404aede2aff70 Mon Sep 17 00:00:00 2001
> +From: Daniel Stenberg <daniel@haxx.se>
> +Date: Sat, 21 Feb 2026 18:11:41 +0100
> +Subject: [PATCH] url: fix copy and paste url_match_auth_nego mistake
> +
> +Follow-up to 34fa034
> +Reported-by: dahmono on github
> +Closes #20662
> +
> +Upstream-Status: Backport [https://github.com/curl/curl/commit/f1a39f221d57354990]
> +Backported by Ubuntu team https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/curl/7.81.0-1ubuntu1.23/curl_7.81.0-1ubuntu1.23.debian.tar.xz
> +
> +CVE: CVE-2026-1965
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + lib/url.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +--- a/lib/url.c
> ++++ b/lib/url.c
> +@@ -1542,7 +1542,7 @@ ConnectionExists(struct Curl_easy *data,
> +     continue;
> +   }
> + #endif
> +-  if(wantNTLMhttp || wantProxyNTLMhttp) {
> ++  if(wantNegohttp || wantProxyNegohttp) {
> +     /* Credentials are already checked, we may use this connection. We MUST
> +      * use a connection where it has already been fully negotiated. If it has
> +      * not, we keep on looking for a better one. */
> diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
> index b8fa8b5266..0e107f1e75 100644
> --- a/meta/recipes-support/curl/curl_7.82.0.bb
> +++ b/meta/recipes-support/curl/curl_7.82.0.bb
> @@ -71,6 +71,8 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
>             file://CVE-2025-15079.patch \
>             file://CVE-2025-15224.patch \
>             file://CVE-2025-14524.patch \
> +           file://CVE-2026-1965-1.patch \
> +           file://CVE-2026-1965-2.patch \
>             "
>  SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
>  


-- 
Yoann Congal
Smile ECS

next prev parent reply	other threads:[~2026-04-05 23:00 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-03-21  9:47 [OE-core][kirkstone][PATCH v2 1/4] curl: patch CVE-2025-14524 vanusuri
2026-03-21  9:47 ` [OE-core][kirkstone][PATCH v2 2/4] curl: patch CVE-2026-1965 vanusuri
2026-04-05 23:00   ` Yoann Congal [this message]
2026-03-21  9:47 ` [OE-core][kirkstone][PATCH v2 3/4] curl: patch CVE-2026-3783 vanusuri
2026-03-21  9:47 ` [OE-core][kirkstone][PATCH v2 4/4] curl: patch CVE-2026-3784 vanusuri

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=DHLLF032FZNH.11L4QM7EJC5RQ@smile.fr \
    --to=yoann.congal@smile.fr \
    --cc=openembedded-core@lists.openembedded.org \
    --cc=vanusuri@mvista.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox