Openembedded Core Discussions
 help / color / mirror / Atom feed
From: "Yoann Congal" <yoann.congal@smile.fr>
To: <jaipaul.cheernam@est.tech>, <openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [wrynose][PATCH v2] curl: fix CVE-2026-5773 - wrong reuse of SMB connection
Date: Tue, 23 Jun 2026 23:24:41 +0200	[thread overview]
Message-ID: <DJGQUSMET3EE.3CPQM4DH7D357@smile.fr> (raw)
In-Reply-To: <20260623120850.29881-1-jaipaul.cheernam@est.tech>

Hello,

On Tue Jun 23, 2026 at 2:08 PM CEST, Jaipaul Cheernam via lists.openembedded.org wrote:
> Remove PROTOPT_CONN_REUSE from SMB handler flags to prevent
> connection pooling. Without this, a second SMB request to the same
> host reuses a connection authenticated for a different share.

In the commit message, you should justify why the patch you trying to
merge does indeed fix the CVE. You can use NVD, Debian security tracker
or upstream as easy/natural reference (but other may be accepted). In
this case, all 3 point to your patch so you can choose. You can look at
other CVE fixing patches to get examples.

>
> Signed-off-by: Jaipaul Cheernam <jaipaul.cheernam@est.tech>
> ---


>  .../curl/curl/CVE-2026-5773.patch             | 44 +++++++++++++++++++
>  meta/recipes-support/curl/curl_8.19.0.bb      |  1 +
>  2 files changed, 45 insertions(+)
>  create mode 100644 meta/recipes-support/curl/curl/CVE-2026-5773.patch
>
> diff --git a/meta/recipes-support/curl/curl/CVE-2026-5773.patch b/meta/recipes-support/curl/curl/CVE-2026-5773.patch
> new file mode 100644
> index 0000000000..c2984de5ff
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2026-5773.patch
> @@ -0,0 +1,44 @@
> +From 74a169575d6412dc0ff532acdf94de35a6c2a571 Mon Sep 17 00:00:00 2001
> +From: Daniel Stenberg <daniel@haxx.se>
> +Date: Sun, 5 Apr 2026 18:23:35 +0200
> +Subject: [PATCH] smb: disable connection reuse
> +
> +Connections should only be reused when using the same "share" (and
> +perhaps some additional conditions), but instead of fixing this flaw,
> +this change completely disables connection reuse for SMB.
> +
> +Reported-by: Osama Hamad
> +Closes #21238
> +
> +Signed-off-by: Daniel Stenberg <daniel@haxx.se>
> +
> +CVE: CVE-2026-5773
> +Upstream-Status: Backport [https://github.com/curl/curl/commit/74a169575d6412dc0ff532acdf94de35a6c2a571]
> +
> +(cherry picked from commit 74a169575d6412dc0ff532acdf94de35a6c2a571)
    ^ that "cherry picked" line has no use here. You can remove it.

This patch is a little different from the upstream patch:
* Not the same file patched: please add a note explaining the changes
  and why you did them.
* Also, the patch message was edited: we don't usualy do this: If you
  need to add info/context keep them in a note section you add to the
  patch message. e.g between Upstream-Status and your Signed-off-by.


With that fixed, ht epatch should be good to go, thanks!

> +Signed-off-by: Jaipaul Cheernam <jaipaul.cheernam@est.tech>
> +---
> + lib/smb.c | 4 ++--
> + 1 file changed, 2 insertions(+), 2 deletions(-)
> +
> +diff --git a/lib/smb.c b/lib/smb.c
> +index ccd4f3f69d..2a9f08388f 100644
> +--- a/lib/smb.c
> ++++ b/lib/smb.c
> +@@ -1242,7 +1242,7 @@
> + #endif
> +   CURLPROTO_SMB,                        /* protocol */
> +   CURLPROTO_SMB,                        /* family */
> +-  PROTOPT_CONN_REUSE,                   /* flags */
> ++  PROTOPT_NONE,                         /* flags */
> +   PORT_SMB,                             /* defport */
> + };
> + 
> +@@ -1259,7 +1259,7 @@
> + #endif
> +   CURLPROTO_SMBS,                       /* protocol */
> +   CURLPROTO_SMB,                        /* family */
> +-  PROTOPT_SSL | PROTOPT_CONN_REUSE,     /* flags */
> ++  PROTOPT_SSL,                          /* flags */
> +   PORT_SMBS,                            /* defport */
> + };
> diff --git a/meta/recipes-support/curl/curl_8.19.0.bb b/meta/recipes-support/curl/curl_8.19.0.bb
> index d58b774011..3326f478b5 100644
> --- a/meta/recipes-support/curl/curl_8.19.0.bb
> +++ b/meta/recipes-support/curl/curl_8.19.0.bb
> @@ -15,6 +15,7 @@ SRC_URI = " \
>      file://disable-tests \
>      file://no-test-timeout.patch \
>      file://CVE-2026-6276.patch \
> +    file://CVE-2026-5773.patch \
>      file://mbedtls.patch \
>  "
>  


-- 
Yoann Congal
Smile ECS



  reply	other threads:[~2026-06-23 21:24 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-23 12:08 [wrynose][PATCH v2] curl: fix CVE-2026-5773 - wrong reuse of SMB connection Jaipaul Cheernam
2026-06-23 21:24 ` Yoann Congal [this message]
2026-06-24  7:55 ` [wrynose][PATCH v3] " Jaipaul Cheernam
2026-07-03  8:50   ` [OE-core] " Yoann Congal
2026-07-03  9:25 ` [wrynose][PATCH v4] " Jaipaul Cheernam
2026-07-05 22:03   ` [OE-core] " Yoann Congal
2026-07-06  8:11     ` Jaipaul Cheernam
2026-07-06  8:14 ` [wrynose][PATCH v5] " Jaipaul Cheernam

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=DJGQUSMET3EE.3CPQM4DH7D357@smile.fr \
    --to=yoann.congal@smile.fr \
    --cc=jaipaul.cheernam@est.tech \
    --cc=openembedded-core@lists.openembedded.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox