From: "Yoann Congal" <yoann.congal@smile.fr>
To: <jaipaul.cheernam@est.tech>, <openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [wrynose][PATCH v3] curl: fix CVE-2026-5773 - wrong reuse of SMB connection
Date: Fri, 03 Jul 2026 10:50:32 +0200 [thread overview]
Message-ID: <DJOT2TN5WGAT.3LHSPDSQB54O3@smile.fr> (raw)
In-Reply-To: <20260624075504.63472-1-jaipaul.cheernam@est.tech>
On Wed Jun 24, 2026 at 9:55 AM CEST, Jaipaul Cheernam via lists.openembedded.org wrote:
> Remove PROTOPT_CONN_REUSE from SMB handler flags to prevent
> connection pooling. Without this, a second SMB request to the same
> host reuses a connection authenticated for a different share.
>
> Reference: https://curl.se/docs/CVE-2026-5773.html
>
> Signed-off-by: Jaipaul Cheernam <jaipaul.cheernam@est.tech>
> ---
> .../curl/curl/CVE-2026-5773.patch | 48 +++++++++++++++++++
> meta/recipes-support/curl/curl_8.19.0.bb | 1 +
> 2 files changed, 49 insertions(+)
> create mode 100644 meta/recipes-support/curl/curl/CVE-2026-5773.patch
Hello,
This patch does not apply cleanly on the lastest origin/wrynose:
commit 5d1aa5c806c0 ("build-appliance-image: Update to wrynose head revisions")):
| $ bitbake -cpatch curl
| [...]
| ERROR: curl-8.19.0-r0 do_patch: QA Issue: Fuzz detected:
|
| Applying patch CVE-2026-5773.patch
| patching file lib/smb.c
| Hunk #2 succeeded at 1259 with fuzz 1.
|
|
| The context lines in the patches can be updated with devtool:
|
| devtool modify curl
| devtool finish --force-patch-refresh curl <layer_path>
|
| Don't forget to review changes done by devtool!
|
| Patch log indicates that patches do not apply cleanly. [patch-fuzz]
| ERROR: curl-8.19.0-r0 do_patch: Fatal QA errors were found, failing task.
Can you rebase and send a v4?
Thanks!
>
> diff --git a/meta/recipes-support/curl/curl/CVE-2026-5773.patch b/meta/recipes-support/curl/curl/CVE-2026-5773.patch
> new file mode 100644
> index 0000000000..970e04b33f
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2026-5773.patch
> @@ -0,0 +1,48 @@
> +From 74a169575d6412dc0ff532acdf94de35a6c2a571 Mon Sep 17 00:00:00 2001
> +From: Daniel Stenberg <daniel@haxx.se>
> +Date: Sun, 5 Apr 2026 18:23:35 +0200
> +Subject: [PATCH] protocol: disable connection reuse for SMB(S)
> +
> +Connections should only be reused when using the same "share" (and
> +perhaps some additional conditions), but instead of fixing this flaw,
> +this change completely disables connection reuse for SMB. This protocol
> +is about to get dropped soon anyway.
> +
> +Reported-by: Osama Hamad
> +Closes #21238
> +Signed-off-by: Daniel Stenberg <daniel@haxx.se>
> +
> +CVE: CVE-2026-5773
> +Upstream-Status: Backport [https://github.com/curl/curl/commit/74a169575d6412dc0ff532acdf94de35a6c2a571]
> +
> +Note: The upstream fix targets lib/protocol.c which was introduced in
> +curl 8.20.0. In 8.19.0 the SMB handler flags are still in lib/smb.c,
> +so this patch removes PROTOPT_CONN_REUSE there instead. The effect is
> +identical: SMB connections are no longer pooled for reuse.
> +
> +Signed-off-by: Jaipaul Cheernam <jaipaul.cheernam@est.tech>
> +---
> + lib/smb.c | 4 ++--
> + 1 file changed, 2 insertions(+), 2 deletions(-)
> +
> +diff --git a/lib/smb.c b/lib/smb.c
> +index ccd4f3f69d..2a9f08388f 100644
> +--- a/lib/smb.c
> ++++ b/lib/smb.c
> +@@ -1242,7 +1242,7 @@
> + #endif
> + CURLPROTO_SMB, /* protocol */
> + CURLPROTO_SMB, /* family */
> +- PROTOPT_CONN_REUSE, /* flags */
> ++ PROTOPT_NONE, /* flags */
> + PORT_SMB, /* defport */
> + };
> +
> +@@ -1259,7 +1259,7 @@
> + #endif
> + CURLPROTO_SMBS, /* protocol */
> + CURLPROTO_SMB, /* family */
> +- PROTOPT_SSL | PROTOPT_CONN_REUSE, /* flags */
> ++ PROTOPT_SSL, /* flags */
> + PORT_SMBS, /* defport */
> + };
> diff --git a/meta/recipes-support/curl/curl_8.19.0.bb b/meta/recipes-support/curl/curl_8.19.0.bb
> index d58b774011..3326f478b5 100644
> --- a/meta/recipes-support/curl/curl_8.19.0.bb
> +++ b/meta/recipes-support/curl/curl_8.19.0.bb
> @@ -15,6 +15,7 @@ SRC_URI = " \
> file://disable-tests \
> file://no-test-timeout.patch \
> file://CVE-2026-6276.patch \
> + file://CVE-2026-5773.patch \
> file://mbedtls.patch \
> "
>
--
Yoann Congal
Smile ECS
next prev parent reply other threads:[~2026-07-03 8:50 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-23 12:08 [wrynose][PATCH v2] curl: fix CVE-2026-5773 - wrong reuse of SMB connection Jaipaul Cheernam
2026-06-23 21:24 ` [OE-core] " Yoann Congal
2026-06-24 7:55 ` [wrynose][PATCH v3] " Jaipaul Cheernam
2026-07-03 8:50 ` Yoann Congal [this message]
2026-07-03 9:25 ` [wrynose][PATCH v4] " Jaipaul Cheernam
2026-07-05 22:03 ` [OE-core] " Yoann Congal
2026-07-06 8:11 ` Jaipaul Cheernam
2026-07-06 8:14 ` [wrynose][PATCH v5] " Jaipaul Cheernam
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DJOT2TN5WGAT.3LHSPDSQB54O3@smile.fr \
--to=yoann.congal@smile.fr \
--cc=jaipaul.cheernam@est.tech \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox