Openembedded Core Discussions
 help / color / mirror / Atom feed
From: "Yoann Congal" <yoann.congal@smile.fr>
To: <adongare@cisco.com>, <openembedded-core@lists.openembedded.org>
Cc: <xe-linux-external@cisco.com>
Subject: Re: [OE-core] [wrynose] [PATCH 5/6] curl: fix CVE-2026-6429
Date: Fri, 03 Jul 2026 11:38:36 +0200	[thread overview]
Message-ID: <DJOU3MGL8GSH.27D0R685LL2P1@smile.fr> (raw)
In-Reply-To: <20260629131453.1077612-5-adongare@cisco.com>

On Mon Jun 29, 2026 at 3:14 PM CEST, Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote:
> From: Anil Dongare <adongare@cisco.com>
>
> Backport the upstream fix [1] for the netrc credential leak on redirect
> described in [2] and tracked by [3].
>
> [1] https://github.com/curl/curl/commit/b4024bf808bd558026fdc6096e8457f199ace306
> [2] https://curl.se/docs/CVE-2026-6429.html
> [3] https://nvd.nist.gov/vuln/detail/CVE-2026-6429
>
> Signed-off-by: Anil Dongare <adongare@cisco.com>
> ---
>  .../curl/curl/CVE-2026-6429.patch             | 362 ++++++++++++++++++
>  meta/recipes-support/curl/curl_8.19.0.bb      |   1 +
>  2 files changed, 363 insertions(+)
>  create mode 100644 meta/recipes-support/curl/curl/CVE-2026-6429.patch
>
> diff --git a/meta/recipes-support/curl/curl/CVE-2026-6429.patch b/meta/recipes-support/curl/curl/CVE-2026-6429.patch
> new file mode 100644
> index 0000000000..f4398e00f6
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2026-6429.patch
> @@ -0,0 +1,362 @@
> +From b4024bf808bd558026fdc6096e8457f199ace306 Mon Sep 17 00:00:00 2001
> +From: Daniel Stenberg <daniel@haxx.se>
> +Date: Thu, 16 Apr 2026 14:26:20 +0200
> +Subject: [PATCH] http: clear credentials better on redirect
> +
> +Verify with test 2506: netrc with redirect using proxy
> +
> +Updated test 998 which was wrong.
> +
> +Reported-by: Muhamad Arga Reksapati
> +
> +Closes #21345
> +
> +CVE: CVE-2026-6429
> +Upstream-Status: Backport [https://github.com/curl/curl/commit/b4024bf808bd558026fdc6096e8457f199ace306]
> +
> +Backport Changes:
> +- curl 8.19.0 does not have Curl_url_same_origin(), so the same-origin comparison is kept inline in Curl_http_follow().
> +- Adapted tests/data/Makefile.am and tests/libtest/Makefile.inc placement for the wrynose test lists.
> +
> +(cherry picked from commit b4024bf808bd558026fdc6096e8457f199ace306)
> +Signed-off-by: Anil Dongare <adongare@cisco.com>
> +---
> + lib/http.c                 | 121 +++++++++++++++++++------------------
> + tests/data/Makefile.am     |   2 +-
> + tests/data/test2506        |  64 ++++++++++++++++++++
> + tests/data/test998         |   1 -
> + tests/libtest/Makefile.inc |   2 +-
> + tests/libtest/lib2506.c    |  71 ++++++++++++++++++++++
> + 6 files changed, 198 insertions(+), 63 deletions(-)
> + create mode 100644 tests/data/test2506
> + create mode 100644 tests/libtest/lib2506.c
> +
> +diff --git a/lib/http.c b/lib/http.c
> +index b960d79..9ac96ad 100644
> +--- a/lib/http.c
> ++++ b/lib/http.c
> +@@ -1201,75 +1201,76 @@ CURLcode Curl_http_follow(struct Curl_easy *data, const char *newurl,
> +       return CURLE_OUT_OF_MEMORY;
> +   }
> +   else {
> +-    uc = curl_url_get(data->state.uh, CURLUPART_URL, &follow_url, 0);
> +-    if(uc)
> +-      return Curl_uc_to_curlcode(uc);
> +-
> +-    /* Clear auth if this redirects to a different port number or protocol,
> +-       unless permitted */
> +-    if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) {
> +-      int port;
> +-      bool clear = FALSE;
> ++    bool same_origin;
> ++    CURLcode result;
> ++    CURLU *u = curl_url();
> ++    char *oldscheme = NULL;
> ++    char *oldhost = NULL;
> ++    char *oldport = NULL;
> ++    char *newscheme = NULL;
> ++    char *newhost = NULL;
> ++    char *newport = NULL;
> ++    if(!u)
> ++      return CURLE_OUT_OF_MEMORY;
> + 
> +-      if(data->set.use_port && data->state.allow_port)
> +-        /* a custom port is used */
> +-        port = (int)data->set.use_port;
> +-      else {
> +-        curl_off_t value;
> +-        char *portnum;
> +-        const char *p;
> +-        uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum,
> +-                          CURLU_DEFAULT_PORT);
> +-        if(uc) {
> +-          curlx_free(follow_url);
> +-          return Curl_uc_to_curlcode(uc);
> +-        }
> +-        p = portnum;
> +-        curlx_str_number(&p, &value, 0xffff);
> +-        port = (int)value;
> +-        curlx_free(portnum);
> +-      }
> +-      if(port != data->info.conn_remote_port) {
> +-        infof(data, "Clear auth, redirects to port from %u to %u",
> +-              data->info.conn_remote_port, port);
> +-        clear = TRUE;
> +-      }
> +-      else {
> +-        char *scheme;
> +-        const struct Curl_scheme *p;
> +-        uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0);
> +-        if(uc) {
> +-          curlx_free(follow_url);
> +-          return Curl_uc_to_curlcode(uc);
> +-        }
> ++    uc = curl_url_set(u, CURLUPART_URL, Curl_bufref_ptr(&data->state.url),
> ++                      CURLU_URLENCODE | CURLU_ALLOW_SPACE);
> ++    if(!uc)
> ++      uc = curl_url_get(data->state.uh, CURLUPART_URL, &follow_url, 0);
> ++    if(!uc)
> ++      uc = curl_url_get(u, CURLUPART_SCHEME, &oldscheme, 0);
> ++    if(!uc)
> ++      uc = curl_url_get(u, CURLUPART_HOST, &oldhost, 0);
> ++    if(!uc)
> ++      uc = curl_url_get(u, CURLUPART_PORT, &oldport, CURLU_DEFAULT_PORT);
> ++    if(!uc)
> ++      uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &newscheme, 0);
> ++    if(!uc)
> ++      uc = curl_url_get(data->state.uh, CURLUPART_HOST, &newhost, 0);
> ++    if(!uc)
> ++      uc = curl_url_get(data->state.uh, CURLUPART_PORT, &newport,
> ++                        CURLU_DEFAULT_PORT);
> ++    if(uc) {
> ++      curl_url_cleanup(u);
> ++      curlx_free(oldscheme);
> ++      curlx_free(oldhost);
> ++      curlx_free(oldport);
> ++      curlx_free(newscheme);
> ++      curlx_free(newhost);
> ++      curlx_free(newport);
> ++      curlx_free(follow_url);
> ++      return Curl_uc_to_curlcode(uc);
> ++    }
> + 
> +-        p = Curl_get_scheme(scheme);
> +-        if(p && (p->protocol != data->info.conn_protocol)) {
> +-          infof(data, "Clear auth, redirects scheme from %s to %s",
> +-                data->info.conn_scheme, scheme);
> +-          clear = TRUE;
> +-        }
> +-        curlx_free(scheme);
> +-      }
> +-      if(clear) {
> +-        CURLcode result = Curl_reset_userpwd(data);
> +-        if(result) {
> +-          curlx_free(follow_url);
> +-          return result;
> +-        }
> +-        Curl_safefree(data->state.aptr.user);
> +-        Curl_safefree(data->state.aptr.passwd);
> ++    same_origin = strcasecompare(oldscheme, newscheme) &&
> ++                  strcasecompare(oldhost, newhost) &&
> ++                  !strcmp(oldport, newport);

That code (which is not in the upstream patch) failed to build on my
machine:
$ bitbake curl-native
| ../../sources/curl-8.19.0/lib/http.c:1245:19: error: implicit declaration of function ‘strcasecompare’; did you mean ‘strcasecmp_l’? [-Wimplicit-function-declaration]
|  1245 |     same_origin = strcasecompare(oldscheme, newscheme) &&
|       |                   ^~~~~~~~~~~~~~
|       |                   strcasecmp_l

Can you check please?

Thanks!
-- 
Yoann Congal
Smile ECS



  reply	other threads:[~2026-07-03  9:38 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-29 13:14 [OE-core] [wrynose] [PATCH 1/6] curl: ignore CVE-2026-4873 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 2/6] curl: fix CVE-2026-5545 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 3/6] curl: ignore CVE-2026-5773 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-07-03  8:55   ` Yoann Congal
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 4/6] curl: fix CVE-2026-6253 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 5/6] curl: fix CVE-2026-6429 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-07-03  9:38   ` Yoann Congal [this message]
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 6/6] curl: fix CVE-2026-7168 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=DJOU3MGL8GSH.27D0R685LL2P1@smile.fr \
    --to=yoann.congal@smile.fr \
    --cc=adongare@cisco.com \
    --cc=openembedded-core@lists.openembedded.org \
    --cc=xe-linux-external@cisco.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox