From: "Yoann Congal" <yoann.congal@smile.fr>
To: <adongare@cisco.com>, <openembedded-core@lists.openembedded.org>
Cc: <xe-linux-external@cisco.com>
Subject: Re: [OE-core] [wrynose] [PATCH 5/6] curl: fix CVE-2026-6429
Date: Fri, 03 Jul 2026 11:38:36 +0200 [thread overview]
Message-ID: <DJOU3MGL8GSH.27D0R685LL2P1@smile.fr> (raw)
In-Reply-To: <20260629131453.1077612-5-adongare@cisco.com>
On Mon Jun 29, 2026 at 3:14 PM CEST, Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote:
> From: Anil Dongare <adongare@cisco.com>
>
> Backport the upstream fix [1] for the netrc credential leak on redirect
> described in [2] and tracked by [3].
>
> [1] https://github.com/curl/curl/commit/b4024bf808bd558026fdc6096e8457f199ace306
> [2] https://curl.se/docs/CVE-2026-6429.html
> [3] https://nvd.nist.gov/vuln/detail/CVE-2026-6429
>
> Signed-off-by: Anil Dongare <adongare@cisco.com>
> ---
> .../curl/curl/CVE-2026-6429.patch | 362 ++++++++++++++++++
> meta/recipes-support/curl/curl_8.19.0.bb | 1 +
> 2 files changed, 363 insertions(+)
> create mode 100644 meta/recipes-support/curl/curl/CVE-2026-6429.patch
>
> diff --git a/meta/recipes-support/curl/curl/CVE-2026-6429.patch b/meta/recipes-support/curl/curl/CVE-2026-6429.patch
> new file mode 100644
> index 0000000000..f4398e00f6
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2026-6429.patch
> @@ -0,0 +1,362 @@
> +From b4024bf808bd558026fdc6096e8457f199ace306 Mon Sep 17 00:00:00 2001
> +From: Daniel Stenberg <daniel@haxx.se>
> +Date: Thu, 16 Apr 2026 14:26:20 +0200
> +Subject: [PATCH] http: clear credentials better on redirect
> +
> +Verify with test 2506: netrc with redirect using proxy
> +
> +Updated test 998 which was wrong.
> +
> +Reported-by: Muhamad Arga Reksapati
> +
> +Closes #21345
> +
> +CVE: CVE-2026-6429
> +Upstream-Status: Backport [https://github.com/curl/curl/commit/b4024bf808bd558026fdc6096e8457f199ace306]
> +
> +Backport Changes:
> +- curl 8.19.0 does not have Curl_url_same_origin(), so the same-origin comparison is kept inline in Curl_http_follow().
> +- Adapted tests/data/Makefile.am and tests/libtest/Makefile.inc placement for the wrynose test lists.
> +
> +(cherry picked from commit b4024bf808bd558026fdc6096e8457f199ace306)
> +Signed-off-by: Anil Dongare <adongare@cisco.com>
> +---
> + lib/http.c | 121 +++++++++++++++++++------------------
> + tests/data/Makefile.am | 2 +-
> + tests/data/test2506 | 64 ++++++++++++++++++++
> + tests/data/test998 | 1 -
> + tests/libtest/Makefile.inc | 2 +-
> + tests/libtest/lib2506.c | 71 ++++++++++++++++++++++
> + 6 files changed, 198 insertions(+), 63 deletions(-)
> + create mode 100644 tests/data/test2506
> + create mode 100644 tests/libtest/lib2506.c
> +
> +diff --git a/lib/http.c b/lib/http.c
> +index b960d79..9ac96ad 100644
> +--- a/lib/http.c
> ++++ b/lib/http.c
> +@@ -1201,75 +1201,76 @@ CURLcode Curl_http_follow(struct Curl_easy *data, const char *newurl,
> + return CURLE_OUT_OF_MEMORY;
> + }
> + else {
> +- uc = curl_url_get(data->state.uh, CURLUPART_URL, &follow_url, 0);
> +- if(uc)
> +- return Curl_uc_to_curlcode(uc);
> +-
> +- /* Clear auth if this redirects to a different port number or protocol,
> +- unless permitted */
> +- if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) {
> +- int port;
> +- bool clear = FALSE;
> ++ bool same_origin;
> ++ CURLcode result;
> ++ CURLU *u = curl_url();
> ++ char *oldscheme = NULL;
> ++ char *oldhost = NULL;
> ++ char *oldport = NULL;
> ++ char *newscheme = NULL;
> ++ char *newhost = NULL;
> ++ char *newport = NULL;
> ++ if(!u)
> ++ return CURLE_OUT_OF_MEMORY;
> +
> +- if(data->set.use_port && data->state.allow_port)
> +- /* a custom port is used */
> +- port = (int)data->set.use_port;
> +- else {
> +- curl_off_t value;
> +- char *portnum;
> +- const char *p;
> +- uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum,
> +- CURLU_DEFAULT_PORT);
> +- if(uc) {
> +- curlx_free(follow_url);
> +- return Curl_uc_to_curlcode(uc);
> +- }
> +- p = portnum;
> +- curlx_str_number(&p, &value, 0xffff);
> +- port = (int)value;
> +- curlx_free(portnum);
> +- }
> +- if(port != data->info.conn_remote_port) {
> +- infof(data, "Clear auth, redirects to port from %u to %u",
> +- data->info.conn_remote_port, port);
> +- clear = TRUE;
> +- }
> +- else {
> +- char *scheme;
> +- const struct Curl_scheme *p;
> +- uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0);
> +- if(uc) {
> +- curlx_free(follow_url);
> +- return Curl_uc_to_curlcode(uc);
> +- }
> ++ uc = curl_url_set(u, CURLUPART_URL, Curl_bufref_ptr(&data->state.url),
> ++ CURLU_URLENCODE | CURLU_ALLOW_SPACE);
> ++ if(!uc)
> ++ uc = curl_url_get(data->state.uh, CURLUPART_URL, &follow_url, 0);
> ++ if(!uc)
> ++ uc = curl_url_get(u, CURLUPART_SCHEME, &oldscheme, 0);
> ++ if(!uc)
> ++ uc = curl_url_get(u, CURLUPART_HOST, &oldhost, 0);
> ++ if(!uc)
> ++ uc = curl_url_get(u, CURLUPART_PORT, &oldport, CURLU_DEFAULT_PORT);
> ++ if(!uc)
> ++ uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &newscheme, 0);
> ++ if(!uc)
> ++ uc = curl_url_get(data->state.uh, CURLUPART_HOST, &newhost, 0);
> ++ if(!uc)
> ++ uc = curl_url_get(data->state.uh, CURLUPART_PORT, &newport,
> ++ CURLU_DEFAULT_PORT);
> ++ if(uc) {
> ++ curl_url_cleanup(u);
> ++ curlx_free(oldscheme);
> ++ curlx_free(oldhost);
> ++ curlx_free(oldport);
> ++ curlx_free(newscheme);
> ++ curlx_free(newhost);
> ++ curlx_free(newport);
> ++ curlx_free(follow_url);
> ++ return Curl_uc_to_curlcode(uc);
> ++ }
> +
> +- p = Curl_get_scheme(scheme);
> +- if(p && (p->protocol != data->info.conn_protocol)) {
> +- infof(data, "Clear auth, redirects scheme from %s to %s",
> +- data->info.conn_scheme, scheme);
> +- clear = TRUE;
> +- }
> +- curlx_free(scheme);
> +- }
> +- if(clear) {
> +- CURLcode result = Curl_reset_userpwd(data);
> +- if(result) {
> +- curlx_free(follow_url);
> +- return result;
> +- }
> +- Curl_safefree(data->state.aptr.user);
> +- Curl_safefree(data->state.aptr.passwd);
> ++ same_origin = strcasecompare(oldscheme, newscheme) &&
> ++ strcasecompare(oldhost, newhost) &&
> ++ !strcmp(oldport, newport);
That code (which is not in the upstream patch) failed to build on my
machine:
$ bitbake curl-native
| ../../sources/curl-8.19.0/lib/http.c:1245:19: error: implicit declaration of function ‘strcasecompare’; did you mean ‘strcasecmp_l’? [-Wimplicit-function-declaration]
| 1245 | same_origin = strcasecompare(oldscheme, newscheme) &&
| | ^~~~~~~~~~~~~~
| | strcasecmp_l
Can you check please?
Thanks!
--
Yoann Congal
Smile ECS
next prev parent reply other threads:[~2026-07-03 9:38 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-29 13:14 [OE-core] [wrynose] [PATCH 1/6] curl: ignore CVE-2026-4873 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 2/6] curl: fix CVE-2026-5545 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 3/6] curl: ignore CVE-2026-5773 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-07-03 8:55 ` Yoann Congal
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 4/6] curl: fix CVE-2026-6253 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 5/6] curl: fix CVE-2026-6429 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-07-03 9:38 ` Yoann Congal [this message]
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 6/6] curl: fix CVE-2026-7168 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DJOU3MGL8GSH.27D0R685LL2P1@smile.fr \
--to=yoann.congal@smile.fr \
--cc=adongare@cisco.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=xe-linux-external@cisco.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox