* [OE-core] [wrynose] [PATCH 1/6] curl: ignore CVE-2026-4873
@ 2026-06-29 13:14 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 2/6] curl: fix CVE-2026-5545 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
` (4 more replies)
0 siblings, 5 replies; 8+ messages in thread
From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-06-29 13:14 UTC (permalink / raw)
To: openembedded-core; +Cc: xe-linux-external, Anil Dongare
From: Anil Dongare <adongare@cisco.com>
- CVE-2026-4873 affects curl before 8.20.0 when a connection negotiated with
clear-text IMAP, POP3, or SMTP can later be reused for a TLS-required
transfer.
- In wrynose, these protocols are optional PACKAGECONFIG entries and are not
enabled by default in curl_8.19.0.bb, so record this CVE as configuration-not-applicable
for the default recipe configuration.
Reference:
- https://curl.se/docs/CVE-2026-4873.html
- https://nvd.nist.gov/vuln/detail/CVE-2026-4873
Signed-off-by: Anil Dongare <adongare@cisco.com>
---
meta/recipes-support/curl/curl_8.19.0.bb | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-support/curl/curl_8.19.0.bb b/meta/recipes-support/curl/curl_8.19.0.bb
index d58b774011..41e6888977 100644
--- a/meta/recipes-support/curl/curl_8.19.0.bb
+++ b/meta/recipes-support/curl/curl_8.19.0.bb
@@ -27,6 +27,7 @@ SRC_URI[sha256sum] = "4eb41489790d19e190d7ac7e18e82857cdd68af8f4e66b292ced562d33
# Curl has used many names over the years...
CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"
CVE_STATUS[CVE-2024-32928] = "ignored: CURLOPT_SSL_VERIFYPEER was disabled on google cloud services causing a potential man in the middle attack"
+CVE_STATUS[CVE-2026-4873] = "${@bb.utils.contains_any('PACKAGECONFIG', 'imap pop3 smtp', 'unpatched', 'not-applicable-config: clear-text imap/pop3/smtp support is not enabled in PACKAGECONFIG', d)}"
inherit autotools pkgconfig binconfig multilib_header ptest
--
2.51.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [OE-core] [wrynose] [PATCH 2/6] curl: fix CVE-2026-5545
2026-06-29 13:14 [OE-core] [wrynose] [PATCH 1/6] curl: ignore CVE-2026-4873 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
@ 2026-06-29 13:14 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 3/6] curl: ignore CVE-2026-5773 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
` (3 subsequent siblings)
4 siblings, 0 replies; 8+ messages in thread
From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-06-29 13:14 UTC (permalink / raw)
To: openembedded-core; +Cc: xe-linux-external, Anil Dongare
From: Anil Dongare <adongare@cisco.com>
Backport the upstream fix [1] for the Negotiate-authenticated connection
reuse issue described in [2] and tracked by [3].
[1] https://github.com/curl/curl/commit/33e43985b8f3b9e66691d06e70be0395849856cd
[2] https://curl.se/docs/CVE-2026-5545.html
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-5545
Signed-off-by: Anil Dongare <adongare@cisco.com>
---
.../curl/curl/CVE-2026-5545.patch | 46 +++++++++++++++++++
meta/recipes-support/curl/curl_8.19.0.bb | 1 +
2 files changed, 47 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2026-5545.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2026-5545.patch b/meta/recipes-support/curl/curl/CVE-2026-5545.patch
new file mode 100644
index 0000000000..86a63c6738
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2026-5545.patch
@@ -0,0 +1,46 @@
+From 33e43985b8f3b9e66691d06e70be0395849856cd Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan@eissing.org>
+Date: Thu, 2 Apr 2026 11:33:39 +0200
+Subject: [PATCH] url: improve connection reuse on negotiate
+
+Check state of negotiate to allow proper connection reuse.
+
+Closes #21203
+
+CVE: CVE-2026-5545
+Upstream-Status: Backport [https://github.com/curl/curl/commit/33e43985b8f3b9e66691d06e70be0395849856cd]
+
+(cherry picked from commit 33e43985b8f3b9e66691d06e70be0395849856cd)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ lib/url.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index b9e308a..7c24f1a 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1110,11 +1110,17 @@ static bool url_match_auth_ntlm(struct connectdata *conn,
+ if(m->want_ntlm_http) {
+ if(Curl_timestrcmp(m->needle->user, conn->user) ||
+ Curl_timestrcmp(m->needle->passwd, conn->passwd)) {
+-
+ /* we prefer a credential match, but this is at least a connection
+- that can be reused and "upgraded" to NTLM */
+- if(conn->http_ntlm_state == NTLMSTATE_NONE)
++ that can be reused and "upgraded" to NTLM if it does
++ not have any auth ongoing. */
++#ifdef USE_SPNEGO
++ if((conn->http_ntlm_state == NTLMSTATE_NONE)
++ && (conn->http_negotiate_state == GSS_AUTHNONE)) {
++#else
++ if(conn->http_ntlm_state == NTLMSTATE_NONE) {
++#endif
+ m->found = conn;
++ }
+ return FALSE;
+ }
+ }
+--
+2.43.7
+
diff --git a/meta/recipes-support/curl/curl_8.19.0.bb b/meta/recipes-support/curl/curl_8.19.0.bb
index 41e6888977..2b1bc40e37 100644
--- a/meta/recipes-support/curl/curl_8.19.0.bb
+++ b/meta/recipes-support/curl/curl_8.19.0.bb
@@ -15,6 +15,7 @@ SRC_URI = " \
file://disable-tests \
file://no-test-timeout.patch \
file://CVE-2026-6276.patch \
+ file://CVE-2026-5545.patch \
file://mbedtls.patch \
"
--
2.51.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [OE-core] [wrynose] [PATCH 3/6] curl: ignore CVE-2026-5773
2026-06-29 13:14 [OE-core] [wrynose] [PATCH 1/6] curl: ignore CVE-2026-4873 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 2/6] curl: fix CVE-2026-5545 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
@ 2026-06-29 13:14 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-07-03 8:55 ` Yoann Congal
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 4/6] curl: fix CVE-2026-6253 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
` (2 subsequent siblings)
4 siblings, 1 reply; 8+ messages in thread
From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-06-29 13:14 UTC (permalink / raw)
To: openembedded-core; +Cc: xe-linux-external, Anil Dongare
From: Anil Dongare <adongare@cisco.com>
- CVE-2026-5773 affects curl before 8.20.0 when an authenticated SMB connection
can be reused for a different set of credentials.
- In wrynose, SMB support is available only through PACKAGECONFIG[smb] and is not
enabled by default, so record this CVE as configuration-not-applicable for the
default recipe configuration.
Reference:
- https://curl.se/docs/CVE-2026-5773.html
- https://nvd.nist.gov/vuln/detail/CVE-2026-5773
- https://github.com/openembedded/openembedded-core/blob/wrynose/meta/recipes-support/curl/curl_8.19.0.bb
Signed-off-by: Anil Dongare <adongare@cisco.com>
---
meta/recipes-support/curl/curl_8.19.0.bb | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-support/curl/curl_8.19.0.bb b/meta/recipes-support/curl/curl_8.19.0.bb
index 2b1bc40e37..5580791ec8 100644
--- a/meta/recipes-support/curl/curl_8.19.0.bb
+++ b/meta/recipes-support/curl/curl_8.19.0.bb
@@ -29,6 +29,7 @@ SRC_URI[sha256sum] = "4eb41489790d19e190d7ac7e18e82857cdd68af8f4e66b292ced562d33
CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"
CVE_STATUS[CVE-2024-32928] = "ignored: CURLOPT_SSL_VERIFYPEER was disabled on google cloud services causing a potential man in the middle attack"
CVE_STATUS[CVE-2026-4873] = "${@bb.utils.contains_any('PACKAGECONFIG', 'imap pop3 smtp', 'unpatched', 'not-applicable-config: clear-text imap/pop3/smtp support is not enabled in PACKAGECONFIG', d)}"
+CVE_STATUS[CVE-2026-5773] = "${@bb.utils.contains('PACKAGECONFIG', 'smb', 'unpatched', 'not-applicable-config: smb support is not enabled in PACKAGECONFIG', d)}"
inherit autotools pkgconfig binconfig multilib_header ptest
--
2.51.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [OE-core] [wrynose] [PATCH 4/6] curl: fix CVE-2026-6253
2026-06-29 13:14 [OE-core] [wrynose] [PATCH 1/6] curl: ignore CVE-2026-4873 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 2/6] curl: fix CVE-2026-5545 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 3/6] curl: ignore CVE-2026-5773 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
@ 2026-06-29 13:14 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 5/6] curl: fix CVE-2026-6429 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 6/6] curl: fix CVE-2026-7168 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
4 siblings, 0 replies; 8+ messages in thread
From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-06-29 13:14 UTC (permalink / raw)
To: openembedded-core; +Cc: xe-linux-external, Anil Dongare
From: Anil Dongare <adongare@cisco.com>
Backport the upstream fix [1] for the proxy credential leak on redirect
described in [2] and tracked by [3].
[1] https://github.com/curl/curl/commit/188c2f166a20fa97c2325b2da7d0e5cecc13725f
[2] https://curl.se/docs/CVE-2026-6253.html
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-6253
Signed-off-by: Anil Dongare <adongare@cisco.com>
---
.../curl/curl/CVE-2026-6253.patch | 392 ++++++++++++++++++
meta/recipes-support/curl/curl_8.19.0.bb | 1 +
2 files changed, 393 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2026-6253.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2026-6253.patch b/meta/recipes-support/curl/curl/CVE-2026-6253.patch
new file mode 100644
index 0000000000..3923ba9372
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2026-6253.patch
@@ -0,0 +1,392 @@
+From 188c2f166a20fa97c2325b2da7d0e5cecc13725f Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 13 Apr 2026 17:17:23 +0200
+Subject: [PATCH] http: clear the proxy credentials as well on port or scheme
+ change
+
+Add tests 2009-2011 to verify switching between proxies with credentials
+when the switch is driven by a redirect
+
+Reported-by: Dwij Mehta
+
+Closes #21304
+
+CVE: CVE-2026-6253
+Upstream-Status: Backport [https://github.com/curl/curl/commit/188c2f166a20fa97c2325b2da7d0e5cecc13725f]
+
+Backport Changes:
+- Adapted the redirect credential reset hunk to curl 8.19.0 Curl_http_follow() after the existing wrynose CVE-2026-6276 backport.
+- Adapted tests/data/Makefile.am placement for the wrynose test list.
+
+(cherry picked from commit 188c2f166a20fa97c2325b2da7d0e5cecc13725f)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ lib/http.c | 12 +++++++
+ lib/transfer.c | 51 +++++++++++++++++++++---------
+ lib/transfer.h | 2 ++
+ tests/data/Makefile.am | 1 +
+ tests/data/test2009 | 70 +++++++++++++++++++++++++++++++++++++++++
+ tests/data/test2010 | 71 ++++++++++++++++++++++++++++++++++++++++++
+ tests/data/test2011 | 70 +++++++++++++++++++++++++++++++++++++++++
+ 7 files changed, 262 insertions(+), 15 deletions(-)
+ create mode 100644 tests/data/test2009
+ create mode 100644 tests/data/test2010
+ create mode 100644 tests/data/test2011
+
+diff --git a/lib/http.c b/lib/http.c
+index 7ebbdfa..b960d79 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -1252,12 +1252,24 @@ CURLcode Curl_http_follow(struct Curl_easy *data, const char *newurl,
+ curlx_free(scheme);
+ }
+ if(clear) {
++ CURLcode result = Curl_reset_userpwd(data);
++ if(result) {
++ curlx_free(follow_url);
++ return result;
++ }
+ Curl_safefree(data->state.aptr.user);
+ Curl_safefree(data->state.aptr.passwd);
+ }
+ }
+ }
+ DEBUGASSERT(follow_url);
++ {
++ CURLcode result = Curl_reset_proxypwd(data);
++ if(result) {
++ curlx_free(follow_url);
++ return result;
++ }
++ }
+
+ if(type == FOLLOW_FAKE) {
+ /* we are only figuring out the new URL if we would have followed locations
+diff --git a/lib/transfer.c b/lib/transfer.c
+index 6dd2f52..af5bee2 100644
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -439,6 +439,40 @@ void Curl_init_CONNECT(struct Curl_easy *data)
+ data->state.upload = (data->state.httpreq == HTTPREQ_PUT);
+ }
+
++/*
++ * Restore the user credentials to those set in options.
++ */
++CURLcode Curl_reset_userpwd(struct Curl_easy *data)
++{
++ CURLcode result;
++ if(data->set.str[STRING_USERNAME] || data->set.str[STRING_PASSWORD])
++ data->state.creds_from = CREDS_OPTION;
++ result = Curl_setstropt(&data->state.aptr.user,
++ data->set.str[STRING_USERNAME]);
++ if(!result)
++ result = Curl_setstropt(&data->state.aptr.passwd,
++ data->set.str[STRING_PASSWORD]);
++ return result;
++}
++
++/*
++ * Restore the proxy credentials to those set in options.
++ */
++CURLcode Curl_reset_proxypwd(struct Curl_easy *data)
++{
++#ifndef CURL_DISABLE_PROXY
++ CURLcode result = Curl_setstropt(&data->state.aptr.proxyuser,
++ data->set.str[STRING_PROXYUSERNAME]);
++ if(!result)
++ result = Curl_setstropt(&data->state.aptr.proxypasswd,
++ data->set.str[STRING_PROXYPASSWORD]);
++ return result;
++#else
++ (void)data;
++ return CURLE_OK;
++#endif
++}
++
+ /*
+ * Curl_pretransfer() is called immediately before a transfer starts, and only
+ * once for one transfer no matter if it has redirects or do multi-pass
+@@ -584,23 +618,10 @@ CURLcode Curl_pretransfer(struct Curl_easy *data)
+ return CURLE_OUT_OF_MEMORY;
+ }
+
+- if(data->set.str[STRING_USERNAME] ||
+- data->set.str[STRING_PASSWORD])
+- data->state.creds_from = CREDS_OPTION;
+ if(!result)
+- result = Curl_setstropt(&data->state.aptr.user,
+- data->set.str[STRING_USERNAME]);
++ result = Curl_reset_userpwd(data);
+ if(!result)
+- result = Curl_setstropt(&data->state.aptr.passwd,
+- data->set.str[STRING_PASSWORD]);
+-#ifndef CURL_DISABLE_PROXY
+- if(!result)
+- result = Curl_setstropt(&data->state.aptr.proxyuser,
+- data->set.str[STRING_PROXYUSERNAME]);
+- if(!result)
+- result = Curl_setstropt(&data->state.aptr.proxypasswd,
+- data->set.str[STRING_PROXYPASSWORD]);
+-#endif
++ result = Curl_reset_proxypwd(data);
+
+ data->req.headerbytecount = 0;
+ Curl_headers_cleanup(data);
+diff --git a/lib/transfer.h b/lib/transfer.h
+index 05a5f89..131e31a 100644
+--- a/lib/transfer.h
++++ b/lib/transfer.h
+@@ -31,6 +31,8 @@ char *Curl_checkheaders(const struct Curl_easy *data,
+
+ void Curl_init_CONNECT(struct Curl_easy *data);
+
++CURLcode Curl_reset_userpwd(struct Curl_easy *data);
++CURLcode Curl_reset_proxypwd(struct Curl_easy *data);
+ CURLcode Curl_pretransfer(struct Curl_easy *data);
+
+ CURLcode Curl_sendrecv(struct Curl_easy *data);
+diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am
+index da0f8f5..00a5221 100644
+--- a/tests/data/Makefile.am
++++ b/tests/data/Makefile.am
+@@ -244,6 +244,7 @@ test1970 test1971 test1972 test1973 test1974 test1975 test1976 test1977 \
+ test1978 test1979 test1980 test1981 \
+ \
+ test2000 test2001 test2002 test2003 test2004 test2005 test2006 \
++test2009 test2010 test2011 \
+ \
+ test2023 \
+ test2024 test2025 test2026 test2027 test2028 test2029 test2030 test2031 \
+diff --git a/tests/data/test2009 b/tests/data/test2009
+new file mode 100644
+index 0000000..d2fd79e
+--- /dev/null
++++ b/tests/data/test2009
+@@ -0,0 +1,70 @@
++<?xml version="1.0" encoding="US-ASCII"?>
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP proxy
++http_proxy
++</keywords>
++</info>
++# Server-side
++<reply>
++<connect>
++HTTP/1.1 407 Denied
++
++</connect>
++<data crlf="headers" nocheck="yes">
++HTTP/1.1 301 redirect
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 4
++Content-Type: text/html
++Location: https://another.example/%TESTNUMBER0002
++
++boo
++</data>
++</reply>
++
++# Client-side
++<client>
++<features>
++proxy
++</features>
++<server>
++http
++https
++</server>
++<name>
++proxy credentials via env variables, redirect from http to https
++</name>
++
++<setenv>
++http_proxy=http://user:secret@%HOSTIP:%HTTPPORT
++https_proxy=https://%HOSTIP:%HTTPSPORT/
++</setenv>
++<command>
++http://somewhere.example/ --follow --proxy-insecure
++</command>
++</client>
++
++# Verify data after the test has been "shot"
++<verify>
++<protocol crlf="headers">
++GET http://somewhere.example/ HTTP/1.1
++Host: somewhere.example
++Proxy-Authorization: Basic %b64[user:secret]b64%
++User-Agent: curl/%VERSION
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++CONNECT another.example:443 HTTP/1.1
++Host: another.example:443
++User-Agent: curl/%VERSION
++Proxy-Connection: Keep-Alive
++
++</protocol>
++<errorcode>
++7
++</errorcode>
++</verify>
++</testcase>
+diff --git a/tests/data/test2010 b/tests/data/test2010
+new file mode 100644
+index 0000000..443ae9d
+--- /dev/null
++++ b/tests/data/test2010
+@@ -0,0 +1,71 @@
++<?xml version="1.0" encoding="US-ASCII"?>
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP proxy
++http_proxy
++</keywords>
++</info>
++# Server-side
++<reply>
++<connect>
++HTTP/1.1 407 Denied
++
++</connect>
++<data crlf="headers" nocheck="yes">
++HTTP/1.1 301 redirect
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 4
++Content-Type: text/html
++Location: https://another.example/%TESTNUMBER0002
++
++boo
++</data>
++</reply>
++
++# Client-side
++<client>
++<features>
++proxy
++</features>
++<server>
++http
++https
++</server>
++<name>
++proxy credentials via options for two proxies, redirect from http to https
++</name>
++
++<setenv>
++http_proxy=http://%HOSTIP:%HTTPPORT
++https_proxy=https://%HOSTIP:%HTTPSPORT/
++</setenv>
++<command>
++--proxy-user batman:robin http://somewhere.example/ --follow --proxy-insecure
++</command>
++</client>
++
++# Verify data after the test has been "shot"
++<verify>
++<protocol crlf="headers">
++GET http://somewhere.example/ HTTP/1.1
++Host: somewhere.example
++Proxy-Authorization: Basic %b64[batman:robin]b64%
++User-Agent: curl/%VERSION
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++CONNECT another.example:443 HTTP/1.1
++Host: another.example:443
++Proxy-Authorization: Basic %b64[batman:robin]b64%
++User-Agent: curl/%VERSION
++Proxy-Connection: Keep-Alive
++
++</protocol>
++<errorcode>
++7
++</errorcode>
++</verify>
++</testcase>
+diff --git a/tests/data/test2011 b/tests/data/test2011
+new file mode 100644
+index 0000000..dd4e534
+--- /dev/null
++++ b/tests/data/test2011
+@@ -0,0 +1,70 @@
++<?xml version="1.0" encoding="US-ASCII"?>
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP proxy
++http_proxy
++</keywords>
++</info>
++# Server-side
++<reply>
++<connect>
++HTTP/1.1 407 Denied
++
++</connect>
++<data crlf="headers" nocheck="yes">
++HTTP/1.1 301 redirect
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 4
++Content-Type: text/html
++Location: https://another.example/%TESTNUMBER0002
++
++boo
++</data>
++</reply>
++
++# Client-side
++<client>
++<features>
++proxy
++</features>
++<server>
++http
++https
++</server>
++<name>
++proxy creds via env, cross-scheme redirect, --location-trusted
++</name>
++
++<setenv>
++http_proxy=http://user:secret@%HOSTIP:%HTTPPORT
++https_proxy=https://%HOSTIP:%HTTPSPORT/
++</setenv>
++<command>
++http://somewhere.example/ --location-trusted --proxy-insecure
++</command>
++</client>
++
++# Verify data after the test has been "shot"
++<verify>
++<protocol crlf="headers">
++GET http://somewhere.example/ HTTP/1.1
++Host: somewhere.example
++Proxy-Authorization: Basic %b64[user:secret]b64%
++User-Agent: curl/%VERSION
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++CONNECT another.example:443 HTTP/1.1
++Host: another.example:443
++User-Agent: curl/%VERSION
++Proxy-Connection: Keep-Alive
++
++</protocol>
++<errorcode>
++7
++</errorcode>
++</verify>
++</testcase>
+--
+2.43.7
+
diff --git a/meta/recipes-support/curl/curl_8.19.0.bb b/meta/recipes-support/curl/curl_8.19.0.bb
index 5580791ec8..09e93c8ce5 100644
--- a/meta/recipes-support/curl/curl_8.19.0.bb
+++ b/meta/recipes-support/curl/curl_8.19.0.bb
@@ -16,6 +16,7 @@ SRC_URI = " \
file://no-test-timeout.patch \
file://CVE-2026-6276.patch \
file://CVE-2026-5545.patch \
+ file://CVE-2026-6253.patch \
file://mbedtls.patch \
"
--
2.51.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [OE-core] [wrynose] [PATCH 5/6] curl: fix CVE-2026-6429
2026-06-29 13:14 [OE-core] [wrynose] [PATCH 1/6] curl: ignore CVE-2026-4873 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
` (2 preceding siblings ...)
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 4/6] curl: fix CVE-2026-6253 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
@ 2026-06-29 13:14 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-07-03 9:38 ` Yoann Congal
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 6/6] curl: fix CVE-2026-7168 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
4 siblings, 1 reply; 8+ messages in thread
From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-06-29 13:14 UTC (permalink / raw)
To: openembedded-core; +Cc: xe-linux-external, Anil Dongare
From: Anil Dongare <adongare@cisco.com>
Backport the upstream fix [1] for the netrc credential leak on redirect
described in [2] and tracked by [3].
[1] https://github.com/curl/curl/commit/b4024bf808bd558026fdc6096e8457f199ace306
[2] https://curl.se/docs/CVE-2026-6429.html
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-6429
Signed-off-by: Anil Dongare <adongare@cisco.com>
---
.../curl/curl/CVE-2026-6429.patch | 362 ++++++++++++++++++
meta/recipes-support/curl/curl_8.19.0.bb | 1 +
2 files changed, 363 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2026-6429.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2026-6429.patch b/meta/recipes-support/curl/curl/CVE-2026-6429.patch
new file mode 100644
index 0000000000..f4398e00f6
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2026-6429.patch
@@ -0,0 +1,362 @@
+From b4024bf808bd558026fdc6096e8457f199ace306 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 16 Apr 2026 14:26:20 +0200
+Subject: [PATCH] http: clear credentials better on redirect
+
+Verify with test 2506: netrc with redirect using proxy
+
+Updated test 998 which was wrong.
+
+Reported-by: Muhamad Arga Reksapati
+
+Closes #21345
+
+CVE: CVE-2026-6429
+Upstream-Status: Backport [https://github.com/curl/curl/commit/b4024bf808bd558026fdc6096e8457f199ace306]
+
+Backport Changes:
+- curl 8.19.0 does not have Curl_url_same_origin(), so the same-origin comparison is kept inline in Curl_http_follow().
+- Adapted tests/data/Makefile.am and tests/libtest/Makefile.inc placement for the wrynose test lists.
+
+(cherry picked from commit b4024bf808bd558026fdc6096e8457f199ace306)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ lib/http.c | 121 +++++++++++++++++++------------------
+ tests/data/Makefile.am | 2 +-
+ tests/data/test2506 | 64 ++++++++++++++++++++
+ tests/data/test998 | 1 -
+ tests/libtest/Makefile.inc | 2 +-
+ tests/libtest/lib2506.c | 71 ++++++++++++++++++++++
+ 6 files changed, 198 insertions(+), 63 deletions(-)
+ create mode 100644 tests/data/test2506
+ create mode 100644 tests/libtest/lib2506.c
+
+diff --git a/lib/http.c b/lib/http.c
+index b960d79..9ac96ad 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -1201,75 +1201,76 @@ CURLcode Curl_http_follow(struct Curl_easy *data, const char *newurl,
+ return CURLE_OUT_OF_MEMORY;
+ }
+ else {
+- uc = curl_url_get(data->state.uh, CURLUPART_URL, &follow_url, 0);
+- if(uc)
+- return Curl_uc_to_curlcode(uc);
+-
+- /* Clear auth if this redirects to a different port number or protocol,
+- unless permitted */
+- if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) {
+- int port;
+- bool clear = FALSE;
++ bool same_origin;
++ CURLcode result;
++ CURLU *u = curl_url();
++ char *oldscheme = NULL;
++ char *oldhost = NULL;
++ char *oldport = NULL;
++ char *newscheme = NULL;
++ char *newhost = NULL;
++ char *newport = NULL;
++ if(!u)
++ return CURLE_OUT_OF_MEMORY;
+
+- if(data->set.use_port && data->state.allow_port)
+- /* a custom port is used */
+- port = (int)data->set.use_port;
+- else {
+- curl_off_t value;
+- char *portnum;
+- const char *p;
+- uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum,
+- CURLU_DEFAULT_PORT);
+- if(uc) {
+- curlx_free(follow_url);
+- return Curl_uc_to_curlcode(uc);
+- }
+- p = portnum;
+- curlx_str_number(&p, &value, 0xffff);
+- port = (int)value;
+- curlx_free(portnum);
+- }
+- if(port != data->info.conn_remote_port) {
+- infof(data, "Clear auth, redirects to port from %u to %u",
+- data->info.conn_remote_port, port);
+- clear = TRUE;
+- }
+- else {
+- char *scheme;
+- const struct Curl_scheme *p;
+- uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0);
+- if(uc) {
+- curlx_free(follow_url);
+- return Curl_uc_to_curlcode(uc);
+- }
++ uc = curl_url_set(u, CURLUPART_URL, Curl_bufref_ptr(&data->state.url),
++ CURLU_URLENCODE | CURLU_ALLOW_SPACE);
++ if(!uc)
++ uc = curl_url_get(data->state.uh, CURLUPART_URL, &follow_url, 0);
++ if(!uc)
++ uc = curl_url_get(u, CURLUPART_SCHEME, &oldscheme, 0);
++ if(!uc)
++ uc = curl_url_get(u, CURLUPART_HOST, &oldhost, 0);
++ if(!uc)
++ uc = curl_url_get(u, CURLUPART_PORT, &oldport, CURLU_DEFAULT_PORT);
++ if(!uc)
++ uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &newscheme, 0);
++ if(!uc)
++ uc = curl_url_get(data->state.uh, CURLUPART_HOST, &newhost, 0);
++ if(!uc)
++ uc = curl_url_get(data->state.uh, CURLUPART_PORT, &newport,
++ CURLU_DEFAULT_PORT);
++ if(uc) {
++ curl_url_cleanup(u);
++ curlx_free(oldscheme);
++ curlx_free(oldhost);
++ curlx_free(oldport);
++ curlx_free(newscheme);
++ curlx_free(newhost);
++ curlx_free(newport);
++ curlx_free(follow_url);
++ return Curl_uc_to_curlcode(uc);
++ }
+
+- p = Curl_get_scheme(scheme);
+- if(p && (p->protocol != data->info.conn_protocol)) {
+- infof(data, "Clear auth, redirects scheme from %s to %s",
+- data->info.conn_scheme, scheme);
+- clear = TRUE;
+- }
+- curlx_free(scheme);
+- }
+- if(clear) {
+- CURLcode result = Curl_reset_userpwd(data);
+- if(result) {
+- curlx_free(follow_url);
+- return result;
+- }
+- Curl_safefree(data->state.aptr.user);
+- Curl_safefree(data->state.aptr.passwd);
++ same_origin = strcasecompare(oldscheme, newscheme) &&
++ strcasecompare(oldhost, newhost) &&
++ !strcmp(oldport, newport);
++
++ curl_url_cleanup(u);
++ curlx_free(oldscheme);
++ curlx_free(oldhost);
++ curlx_free(oldport);
++ curlx_free(newscheme);
++ curlx_free(newhost);
++ curlx_free(newport);
++
++ if((!same_origin && !data->set.allow_auth_to_other_hosts) ||
++ !data->set.str[STRING_USERNAME]) {
++ result = Curl_reset_userpwd(data);
++ if(result) {
++ curlx_free(follow_url);
++ return result;
+ }
++ Curl_safefree(data->state.aptr.user);
++ Curl_safefree(data->state.aptr.passwd);
+ }
+- }
+- DEBUGASSERT(follow_url);
+- {
+- CURLcode result = Curl_reset_proxypwd(data);
++ result = Curl_reset_proxypwd(data);
+ if(result) {
+ curlx_free(follow_url);
+ return result;
+ }
+ }
++ DEBUGASSERT(follow_url);
+
+ if(type == FOLLOW_FAKE) {
+ /* we are only figuring out the new URL if we would have followed locations
+diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am
+index 00a5221..1b76b01 100644
+--- a/tests/data/Makefile.am
++++ b/tests/data/Makefile.am
+@@ -265,7 +265,7 @@ test2309 \
+ \
+ test2400 test2401 test2402 test2403 test2404 test2405 test2406 test2407 \
+ \
+-test2500 test2501 test2502 test2503 test2504 \
++test2500 test2501 test2502 test2503 test2504 test2506 \
+ \
+ test2600 test2601 test2602 test2603 test2604 test2605 \
+ \
+diff --git a/tests/data/test2506 b/tests/data/test2506
+new file mode 100644
+index 0000000..9c65002
+--- /dev/null
++++ b/tests/data/test2506
+@@ -0,0 +1,64 @@
++<?xml version="1.0" encoding="US-ASCII"?>
++<testcase>
++<info>
++<keywords>
++HTTP
++cookies
++</keywords>
++</info>
++
++<reply>
++<data crlf="headers" nocheck="yes">
++HTTP/1.1 301 redirect
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Content-Length: 3
++Location: http://numbertwo.example/%TESTNUMBER0002
++
++ok
++</data>
++<data2 crlf="headers" nocheck="yes">
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Content-Length: 4
++
++yes
++</data2>
++</reply>
++
++<client>
++<server>
++http
++</server>
++<features>
++proxy
++</features>
++<tool>
++lib%TESTNUMBER
++</tool>
++<name>
++netrc with redirect using proxy
++</name>
++<file name="%LOGDIR/netrc2506">
++machine site.example login batman password robin
++</file>
++<command>
++http://%HOSTIP:%HTTPPORT http://site.example/ %LOGDIR/netrc2506
++</command>
++</client>
++
++<verify>
++<protocol crlf="headers">
++GET http://site.example/ HTTP/1.1
++Host: site.example
++Authorization: Basic %b64[batman:robin]b64%
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++GET http://numbertwo.example/25060002 HTTP/1.1
++Host: numbertwo.example
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++</protocol>
++</verify>
++</testcase>
+diff --git a/tests/data/test998 b/tests/data/test998
+index 24d1d3d..56dbc0c 100644
+--- a/tests/data/test998
++++ b/tests/data/test998
+@@ -77,7 +77,6 @@ Proxy-Connection: Keep-Alive
+
+ GET http://somewhere.else.example/a/path/9980002 HTTP/1.1
+ Host: somewhere.else.example
+-Authorization: Basic %b64[alberto:einstein]b64%
+ User-Agent: curl/%VERSION
+ Accept: */*
+ Proxy-Connection: Keep-Alive
+diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
+index 2319baf..2f77c16 100644
+--- a/tests/libtest/Makefile.inc
++++ b/tests/libtest/Makefile.inc
+@@ -113,7 +113,7 @@ TESTS_C = \
+ lib2023.c lib2032.c lib2082.c \
+ lib2301.c lib2302.c lib2304.c lib2306.c lib2308.c lib2309.c \
+ lib2402.c lib2404.c lib2405.c \
+- lib2502.c lib2504.c \
++ lib2502.c lib2504.c lib2506.c \
+ lib2700.c \
+ lib3010.c lib3025.c lib3026.c lib3027.c lib3033.c lib3034.c \
+ lib3100.c lib3101.c lib3102.c lib3103.c lib3104.c lib3105.c \
+diff --git a/tests/libtest/lib2506.c b/tests/libtest/lib2506.c
+new file mode 100644
+index 0000000..8b3b342
+--- /dev/null
++++ b/tests/libtest/lib2506.c
+@@ -0,0 +1,71 @@
++/***************************************************************************
++ * _ _ ____ _
++ * Project ___| | | | _ \| |
++ * / __| | | | |_) | |
++ * | (__| |_| | _ <| |___
++ * \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) Linus Nielsen Feltzing <linus@haxx.se>
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at https://curl.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ * SPDX-License-Identifier: curl
++ *
++ ***************************************************************************/
++#include "first.h"
++
++#include "testtrace.h"
++
++static size_t sink2506(char *ptr, size_t size, size_t nmemb, void *ud)
++{
++ (void)ptr;
++ (void)ud;
++ return size * nmemb;
++}
++
++static CURLcode test_lib2506(const char *URL)
++{
++ CURL *curl;
++ CURLcode result = CURLE_OUT_OF_MEMORY;
++
++ if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) {
++ curl_mfprintf(stderr, "curl_global_init() failed\n");
++ return TEST_ERR_MAJOR_BAD;
++ }
++
++ curl = curl_easy_init();
++ if(!curl) {
++ curl_mfprintf(stderr, "curl_easy_init() failed\n");
++ curl_global_cleanup();
++ return TEST_ERR_MAJOR_BAD;
++ }
++
++ test_setopt(curl, CURLOPT_WRITEFUNCTION, sink2506);
++ test_setopt(curl, CURLOPT_PROXY, URL);
++ test_setopt(curl, CURLOPT_URL, libtest_arg2);
++ test_setopt(curl, CURLOPT_NETRC, CURL_NETRC_OPTIONAL);
++ test_setopt(curl, CURLOPT_NETRC_FILE, libtest_arg3);
++ test_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L);
++ test_setopt(curl, CURLOPT_VERBOSE, 1L);
++
++ /* CURLOPT_UNRESTRICTED_AUTH should not make a difference because the
++ credentials come from netrc */
++ test_setopt(curl, CURLOPT_UNRESTRICTED_AUTH, 1L);
++
++ result = curl_easy_perform(curl);
++
++test_cleanup:
++ curl_easy_cleanup(curl);
++ curl_global_cleanup();
++
++ return result;
++}
+--
+2.43.7
+
diff --git a/meta/recipes-support/curl/curl_8.19.0.bb b/meta/recipes-support/curl/curl_8.19.0.bb
index 09e93c8ce5..6c31978519 100644
--- a/meta/recipes-support/curl/curl_8.19.0.bb
+++ b/meta/recipes-support/curl/curl_8.19.0.bb
@@ -17,6 +17,7 @@ SRC_URI = " \
file://CVE-2026-6276.patch \
file://CVE-2026-5545.patch \
file://CVE-2026-6253.patch \
+ file://CVE-2026-6429.patch \
file://mbedtls.patch \
"
--
2.51.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [OE-core] [wrynose] [PATCH 6/6] curl: fix CVE-2026-7168
2026-06-29 13:14 [OE-core] [wrynose] [PATCH 1/6] curl: ignore CVE-2026-4873 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
` (3 preceding siblings ...)
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 5/6] curl: fix CVE-2026-6429 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
@ 2026-06-29 13:14 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
4 siblings, 0 replies; 8+ messages in thread
From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-06-29 13:14 UTC (permalink / raw)
To: openembedded-core; +Cc: xe-linux-external, Anil Dongare
From: Anil Dongare <adongare@cisco.com>
Backport the upstream fix [1] for proxy Digest state reuse across proxy
switches described in [2] and tracked by [3].
[1] https://github.com/curl/curl/commit/c1cfdf59acbaf9504c4578d4cf56cdd7c8594507
[2] https://curl.se/docs/CVE-2026-7168.html
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-7168
Signed-off-by: Anil Dongare <adongare@cisco.com>
---
.../curl/curl/CVE-2026-7168.patch | 375 ++++++++++++++++++
meta/recipes-support/curl/curl_8.19.0.bb | 1 +
2 files changed, 376 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2026-7168.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2026-7168.patch b/meta/recipes-support/curl/curl/CVE-2026-7168.patch
new file mode 100644
index 0000000000..432dad62c6
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2026-7168.patch
@@ -0,0 +1,375 @@
+From c1cfdf59acbaf9504c4578d4cf56cdd7c8594507 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 27 Apr 2026 09:14:51 +0200
+Subject: [PATCH] setopt: clear proxy auth properties when switching
+
+Verify with test 1588
+
+Closes #21453
+
+CVE: CVE-2026-7168
+Upstream-Status: Backport [https://github.com/curl/curl/commit/c1cfdf59acbaf9504c4578d4cf56cdd7c8594507]
+
+Backport Changes:
+- Adapted setproxy() insertion and test-list placement to the curl 8.19.0 wrynose layout.
+
+(cherry picked from commit c1cfdf59acbaf9504c4578d4cf56cdd7c8594507)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ lib/setopt.c | 14 +++-
+ lib/vauth/vauth.h | 1 +
+ tests/data/Makefile.am | 2 +-
+ tests/data/test1588 | 106 ++++++++++++++++++++++++++
+ tests/libtest/Makefile.inc | 2 +-
+ tests/libtest/lib1588.c | 150 +++++++++++++++++++++++++++++++++++++
+ 6 files changed, 272 insertions(+), 3 deletions(-)
+ create mode 100644 tests/data/test1588
+ create mode 100644 tests/libtest/lib1588.c
+
+diff --git a/lib/setopt.c b/lib/setopt.c
+index 84f3e02..d12ffb6 100644
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -49,6 +49,7 @@
+ #include "curlx/strdup.h"
+ #include "escape.h"
+ #include "bufref.h"
++#include "vauth/vauth.h"
+
+ static CURLcode setopt_set_timeout_sec(timediff_t *ptimeout_ms, long secs)
+ {
+@@ -1664,6 +1665,17 @@ static CURLcode cookiefile(struct Curl_easy *data, const char *ptr)
+ #endif
+
+ #ifndef CURL_DISABLE_PROXY
++static CURLcode setproxy(struct Curl_easy *data, const char *proxy)
++{
++ if((data->set.str[STRING_PROXY] && proxy) &&
++ !strcmp(data->set.str[STRING_PROXY], proxy))
++ return CURLE_OK;
++
++ Curl_auth_digest_cleanup(&data->state.proxydigest);
++ memset(&data->state.authproxy, 0, sizeof(data->state.authproxy));
++ return Curl_setstropt(&data->set.str[STRING_PROXY], proxy);
++}
++
+ static CURLcode setopt_cptr_proxy(struct Curl_easy *data, CURLoption option,
+ const char *ptr)
+ {
+@@ -1759,7 +1771,7 @@ static CURLcode setopt_cptr_proxy(struct Curl_easy *data, CURLoption option,
+ * Setting it to NULL, means no proxy but allows the environment variables
+ * to decide for us (if CURLOPT_SOCKS_PROXY setting it to NULL).
+ */
+- return Curl_setstropt(&s->str[STRING_PROXY], ptr);
++ return setproxy(data, ptr);
+ case CURLOPT_PRE_PROXY:
+ /*
+ * Set proxy server:port to use as SOCKS proxy.
+diff --git a/lib/vauth/vauth.h b/lib/vauth/vauth.h
+index 3e66c89..20ee51e 100644
+--- a/lib/vauth/vauth.h
++++ b/lib/vauth/vauth.h
+@@ -117,6 +117,7 @@ CURLcode Curl_auth_create_digest_http_message(struct Curl_easy *data,
+ /* This is used to clean up the digest specific data */
+ void Curl_auth_digest_cleanup(struct digestdata *digest);
+ #else
++#define Curl_auth_digest_cleanup(x)
+ #define Curl_auth_is_digest_supported() FALSE
+ #endif /* !CURL_DISABLE_DIGEST_AUTH */
+
+diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am
+index 1b76b01..1e84b26 100644
+--- a/tests/data/Makefile.am
++++ b/tests/data/Makefile.am
+@@ -208,7 +208,7 @@ test1548 test1549 test1550 test1551 test1552 test1553 test1554 test1555 \
+ test1556 test1557 test1558 test1559 test1560 test1561 test1562 test1563 \
+ test1564 test1565 test1566 test1567 test1568 test1569 test1570 test1571 \
+ test1572 test1573 test1574 test1575 test1576 test1577 test1578 test1579 \
+-test1580 test1581 test1582 test1583 test1584 test1585 \
++test1580 test1581 test1582 test1583 test1584 test1585 test1588 \
+ \
+ test1590 test1591 test1592 test1593 test1594 test1595 test1596 test1597 \
+ test1598 test1599 test1600 test1601 test1602 test1603 test1604 test1605 \
+diff --git a/tests/data/test1588 b/tests/data/test1588
+new file mode 100644
+index 0000000..753e98c
+--- /dev/null
++++ b/tests/data/test1588
+@@ -0,0 +1,106 @@
++<?xml version="1.0" encoding="US-ASCII"?>
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP GET
++HTTP proxy
++HTTP proxy Digest auth
++multi
++</keywords>
++</info>
++
++# Server-side
++<reply>
++
++# this is returned first since we get no proxy-auth
++<data crlf="headers">
++HTTP/1.1 407 Authorization Required to proxy me my dear
++Proxy-Authenticate: Digest realm="weirdorealm", nonce="12345"
++Content-Length: 33
++
++And you should ignore this data.
++</data>
++
++# then this is returned when we get proxy-auth
++<data1000 crlf="headers">
++HTTP/1.1 200 OK
++Content-Length: 21
++Server: no
++
++Nice proxy auth sir!
++</data1000>
++
++<datacheck crlf="headers">
++HTTP/1.1 407 Authorization Required to proxy me my dear
++Proxy-Authenticate: Digest realm="weirdorealm", nonce="12345"
++Content-Length: 33
++
++HTTP/1.1 200 OK
++Content-Length: 21
++Server: no
++
++Nice proxy auth sir!
++HTTP/1.1 407 Authorization Required to proxy me my dear
++Proxy-Authenticate: Digest realm="weirdorealm", nonce="12345"
++Content-Length: 33
++
++HTTP/1.1 200 OK
++Content-Length: 21
++Server: no
++
++Nice proxy auth sir!
++</datacheck>
++</reply>
++
++# Client-side
++<client>
++<server>
++http
++</server>
++# tool is what to use instead of 'curl'
++<tool>
++lib%TESTNUMBER
++</tool>
++<features>
++!SSPI
++crypto
++proxy
++digest
++</features>
++<name>
++HTTP proxy auth Digest, then change proxy and do it again
++</name>
++<command>
++http://test.remote.example.com/path/%TESTNUMBER %HOSTIP %HTTPPORT silly:person custom.set.host.name
++</command>
++</client>
++
++# Verify data after the test has been "shot"
++<verify>
++<protocol crlf="headers">
++GET http://test.remote.example.com/path/1588 HTTP/1.1
++Host: test.remote.example.com
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++GET http://test.remote.example.com/path/1588 HTTP/1.1
++Host: test.remote.example.com
++Proxy-Authorization: Digest username="silly", realm="weirdorealm", nonce="12345", uri="/path/1588", response="d0b2f000c7e3fca24452b5810713404a"
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++GET http://test.remote.example.com/path/1588 HTTP/1.1
++Host: test.remote.example.com
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++GET http://test.remote.example.com/path/1588 HTTP/1.1
++Host: test.remote.example.com
++Proxy-Authorization: Digest username="silly", realm="weirdorealm", nonce="12345", uri="/path/1588", response="d0b2f000c7e3fca24452b5810713404a"
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++</protocol>
++</verify>
++</testcase>
+diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
+index 2f77c16..96b82bc 100644
+--- a/tests/libtest/Makefile.inc
++++ b/tests/libtest/Makefile.inc
+@@ -97,7 +97,7 @@ TESTS_C = \
+ lib1559.c lib1560.c lib1564.c lib1565.c \
+ lib1567.c lib1568.c lib1569.c lib1571.c \
+ lib1576.c \
+- lib1582.c \
++ lib1582.c lib1588.c \
+ lib1591.c lib1592.c lib1593.c lib1594.c lib1597.c \
+ lib1598.c lib1599.c \
+ lib1662.c \
+diff --git a/tests/libtest/lib1588.c b/tests/libtest/lib1588.c
+new file mode 100644
+index 0000000..9b12f36
+--- /dev/null
++++ b/tests/libtest/lib1588.c
+@@ -0,0 +1,150 @@
++/***************************************************************************
++ * _ _ ____ _
++ * Project ___| | | | _ \| |
++ * / __| | | | |_) | |
++ * | (__| |_| | _ <| |___
++ * \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at https://curl.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ * SPDX-License-Identifier: curl
++ *
++ ***************************************************************************/
++/*
++ * argv1 = URL
++ * argv2 = proxy host
++ * argv3 = proxy port
++ * argv4 = proxyuser:password
++ */
++
++#include "first.h"
++
++static CURLcode init1588(CURL *curl, const char *url,
++ const char *userpwd, const char *proxy)
++{
++ CURLcode result = CURLE_OK;
++
++ res_easy_setopt(curl, CURLOPT_URL, url);
++ if(result)
++ goto init_failed;
++
++ res_easy_setopt(curl, CURLOPT_PROXY, proxy);
++ if(result)
++ goto init_failed;
++
++ res_easy_setopt(curl, CURLOPT_PROXYUSERPWD, userpwd);
++ if(result)
++ goto init_failed;
++
++ res_easy_setopt(curl, CURLOPT_PROXYAUTH, CURLAUTH_DIGEST);
++ if(result)
++ goto init_failed;
++
++ res_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
++ if(result)
++ goto init_failed;
++#if 0
++ res_easy_setopt(curl, CURLOPT_HTTPPROXYTUNNEL, 1L);
++ if(result)
++ goto init_failed;
++#endif
++
++ res_easy_setopt(curl, CURLOPT_HEADER, 1L);
++ if(result)
++ goto init_failed;
++
++ return CURLE_OK; /* success */
++
++init_failed:
++ return result; /* failure */
++}
++
++static CURLcode run1588(CURL *curl, const char *url, const char *userpwd,
++ const char *proxy)
++{
++ CURLcode result = CURLE_OK;
++
++ result = init1588(curl, url, userpwd, proxy);
++ if(result)
++ return result;
++
++ return curl_easy_perform(curl);
++}
++
++static CURLcode test_lib1588(const char *URL)
++{
++ CURLcode result = CURLE_OK;
++ CURL *curl = NULL;
++ const char *proxyuserpws = libtest_arg4;
++ struct curl_slist *host = NULL;
++ struct curl_slist *host2 = NULL;
++ char proxy1_resolve[128];
++ char proxy2_resolve[128];
++ char proxy1_connect[128];
++ char proxy2_connect[128];
++
++ if(test_argc < 3)
++ return TEST_ERR_MAJOR_BAD;
++
++ curl_msnprintf(proxy1_resolve, sizeof(proxy1_resolve),
++ "firstproxy:%s:%s", libtest_arg3, libtest_arg2);
++ curl_msnprintf(proxy2_resolve, sizeof(proxy2_resolve),
++ "secondproxy:%s:%s", libtest_arg3, libtest_arg2);
++
++ /* we connect to the fake host name but the right port number */
++ curl_msnprintf(proxy1_connect, sizeof(proxy1_connect),
++ "firstproxy:%s", libtest_arg3);
++ curl_msnprintf(proxy2_connect, sizeof(proxy2_connect),
++ "secondproxy:%s", libtest_arg3);
++
++ res_global_init(CURL_GLOBAL_ALL);
++ if(result)
++ return result;
++
++ curl = curl_easy_init();
++ if(!curl) {
++ curl_mfprintf(stderr, "curl_easy_init() failed\n");
++ curl_global_cleanup();
++ return TEST_ERR_MAJOR_BAD;
++ }
++
++ host = curl_slist_append(NULL, proxy1_resolve);
++ if(!host)
++ goto test_cleanup;
++ host2 = curl_slist_append(host, proxy2_resolve);
++ if(!host2)
++ goto test_cleanup;
++ host = host2;
++
++ start_test_timing();
++
++ easy_setopt(curl, CURLOPT_RESOLVE, host);
++
++ result = run1588(curl, URL, proxyuserpws, proxy1_connect);
++ if(result)
++ goto test_cleanup;
++
++ curl_mfprintf(stderr, "lib1588: now we do the request again\n");
++
++ result = run1588(curl, URL, proxyuserpws, proxy2_connect);
++
++test_cleanup:
++
++ /* proper cleanup sequence - type PB */
++
++ curl_easy_cleanup(curl);
++ curl_global_cleanup();
++ curl_slist_free_all(host);
++ return result;
++}
+--
+2.43.7
diff --git a/meta/recipes-support/curl/curl_8.19.0.bb b/meta/recipes-support/curl/curl_8.19.0.bb
index 6c31978519..1fb6e4f3be 100644
--- a/meta/recipes-support/curl/curl_8.19.0.bb
+++ b/meta/recipes-support/curl/curl_8.19.0.bb
@@ -18,6 +18,7 @@ SRC_URI = " \
file://CVE-2026-5545.patch \
file://CVE-2026-6253.patch \
file://CVE-2026-6429.patch \
+ file://CVE-2026-7168.patch \
file://mbedtls.patch \
"
--
2.51.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [OE-core] [wrynose] [PATCH 3/6] curl: ignore CVE-2026-5773
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 3/6] curl: ignore CVE-2026-5773 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
@ 2026-07-03 8:55 ` Yoann Congal
0 siblings, 0 replies; 8+ messages in thread
From: Yoann Congal @ 2026-07-03 8:55 UTC (permalink / raw)
To: adongare, openembedded-core; +Cc: xe-linux-external
On Mon Jun 29, 2026 at 3:14 PM CEST, Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote:
> From: Anil Dongare <adongare@cisco.com>
>
> - CVE-2026-5773 affects curl before 8.20.0 when an authenticated SMB connection
> can be reused for a different set of credentials.
> - In wrynose, SMB support is available only through PACKAGECONFIG[smb] and is not
> enabled by default, so record this CVE as configuration-not-applicable for the
> default recipe configuration.
>
> Reference:
> - https://curl.se/docs/CVE-2026-5773.html
> - https://nvd.nist.gov/vuln/detail/CVE-2026-5773
> - https://github.com/openembedded/openembedded-core/blob/wrynose/meta/recipes-support/curl/curl_8.19.0.bb
>
> Signed-off-by: Anil Dongare <adongare@cisco.com>
> ---
Hello,
Jaipaul Cheernam is working on fixing this CVE:
https://lore.kernel.org/all/20260624075504.63472-1-jaipaul.cheernam@est.tech/
I will hold your patch for now, maybe you can help Jaipaul get their
patch merged? (like testing/review the future v4)
Thanks!
--
Yoann Congal
Smile ECS
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [OE-core] [wrynose] [PATCH 5/6] curl: fix CVE-2026-6429
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 5/6] curl: fix CVE-2026-6429 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
@ 2026-07-03 9:38 ` Yoann Congal
0 siblings, 0 replies; 8+ messages in thread
From: Yoann Congal @ 2026-07-03 9:38 UTC (permalink / raw)
To: adongare, openembedded-core; +Cc: xe-linux-external
On Mon Jun 29, 2026 at 3:14 PM CEST, Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote:
> From: Anil Dongare <adongare@cisco.com>
>
> Backport the upstream fix [1] for the netrc credential leak on redirect
> described in [2] and tracked by [3].
>
> [1] https://github.com/curl/curl/commit/b4024bf808bd558026fdc6096e8457f199ace306
> [2] https://curl.se/docs/CVE-2026-6429.html
> [3] https://nvd.nist.gov/vuln/detail/CVE-2026-6429
>
> Signed-off-by: Anil Dongare <adongare@cisco.com>
> ---
> .../curl/curl/CVE-2026-6429.patch | 362 ++++++++++++++++++
> meta/recipes-support/curl/curl_8.19.0.bb | 1 +
> 2 files changed, 363 insertions(+)
> create mode 100644 meta/recipes-support/curl/curl/CVE-2026-6429.patch
>
> diff --git a/meta/recipes-support/curl/curl/CVE-2026-6429.patch b/meta/recipes-support/curl/curl/CVE-2026-6429.patch
> new file mode 100644
> index 0000000000..f4398e00f6
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2026-6429.patch
> @@ -0,0 +1,362 @@
> +From b4024bf808bd558026fdc6096e8457f199ace306 Mon Sep 17 00:00:00 2001
> +From: Daniel Stenberg <daniel@haxx.se>
> +Date: Thu, 16 Apr 2026 14:26:20 +0200
> +Subject: [PATCH] http: clear credentials better on redirect
> +
> +Verify with test 2506: netrc with redirect using proxy
> +
> +Updated test 998 which was wrong.
> +
> +Reported-by: Muhamad Arga Reksapati
> +
> +Closes #21345
> +
> +CVE: CVE-2026-6429
> +Upstream-Status: Backport [https://github.com/curl/curl/commit/b4024bf808bd558026fdc6096e8457f199ace306]
> +
> +Backport Changes:
> +- curl 8.19.0 does not have Curl_url_same_origin(), so the same-origin comparison is kept inline in Curl_http_follow().
> +- Adapted tests/data/Makefile.am and tests/libtest/Makefile.inc placement for the wrynose test lists.
> +
> +(cherry picked from commit b4024bf808bd558026fdc6096e8457f199ace306)
> +Signed-off-by: Anil Dongare <adongare@cisco.com>
> +---
> + lib/http.c | 121 +++++++++++++++++++------------------
> + tests/data/Makefile.am | 2 +-
> + tests/data/test2506 | 64 ++++++++++++++++++++
> + tests/data/test998 | 1 -
> + tests/libtest/Makefile.inc | 2 +-
> + tests/libtest/lib2506.c | 71 ++++++++++++++++++++++
> + 6 files changed, 198 insertions(+), 63 deletions(-)
> + create mode 100644 tests/data/test2506
> + create mode 100644 tests/libtest/lib2506.c
> +
> +diff --git a/lib/http.c b/lib/http.c
> +index b960d79..9ac96ad 100644
> +--- a/lib/http.c
> ++++ b/lib/http.c
> +@@ -1201,75 +1201,76 @@ CURLcode Curl_http_follow(struct Curl_easy *data, const char *newurl,
> + return CURLE_OUT_OF_MEMORY;
> + }
> + else {
> +- uc = curl_url_get(data->state.uh, CURLUPART_URL, &follow_url, 0);
> +- if(uc)
> +- return Curl_uc_to_curlcode(uc);
> +-
> +- /* Clear auth if this redirects to a different port number or protocol,
> +- unless permitted */
> +- if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) {
> +- int port;
> +- bool clear = FALSE;
> ++ bool same_origin;
> ++ CURLcode result;
> ++ CURLU *u = curl_url();
> ++ char *oldscheme = NULL;
> ++ char *oldhost = NULL;
> ++ char *oldport = NULL;
> ++ char *newscheme = NULL;
> ++ char *newhost = NULL;
> ++ char *newport = NULL;
> ++ if(!u)
> ++ return CURLE_OUT_OF_MEMORY;
> +
> +- if(data->set.use_port && data->state.allow_port)
> +- /* a custom port is used */
> +- port = (int)data->set.use_port;
> +- else {
> +- curl_off_t value;
> +- char *portnum;
> +- const char *p;
> +- uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum,
> +- CURLU_DEFAULT_PORT);
> +- if(uc) {
> +- curlx_free(follow_url);
> +- return Curl_uc_to_curlcode(uc);
> +- }
> +- p = portnum;
> +- curlx_str_number(&p, &value, 0xffff);
> +- port = (int)value;
> +- curlx_free(portnum);
> +- }
> +- if(port != data->info.conn_remote_port) {
> +- infof(data, "Clear auth, redirects to port from %u to %u",
> +- data->info.conn_remote_port, port);
> +- clear = TRUE;
> +- }
> +- else {
> +- char *scheme;
> +- const struct Curl_scheme *p;
> +- uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0);
> +- if(uc) {
> +- curlx_free(follow_url);
> +- return Curl_uc_to_curlcode(uc);
> +- }
> ++ uc = curl_url_set(u, CURLUPART_URL, Curl_bufref_ptr(&data->state.url),
> ++ CURLU_URLENCODE | CURLU_ALLOW_SPACE);
> ++ if(!uc)
> ++ uc = curl_url_get(data->state.uh, CURLUPART_URL, &follow_url, 0);
> ++ if(!uc)
> ++ uc = curl_url_get(u, CURLUPART_SCHEME, &oldscheme, 0);
> ++ if(!uc)
> ++ uc = curl_url_get(u, CURLUPART_HOST, &oldhost, 0);
> ++ if(!uc)
> ++ uc = curl_url_get(u, CURLUPART_PORT, &oldport, CURLU_DEFAULT_PORT);
> ++ if(!uc)
> ++ uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &newscheme, 0);
> ++ if(!uc)
> ++ uc = curl_url_get(data->state.uh, CURLUPART_HOST, &newhost, 0);
> ++ if(!uc)
> ++ uc = curl_url_get(data->state.uh, CURLUPART_PORT, &newport,
> ++ CURLU_DEFAULT_PORT);
> ++ if(uc) {
> ++ curl_url_cleanup(u);
> ++ curlx_free(oldscheme);
> ++ curlx_free(oldhost);
> ++ curlx_free(oldport);
> ++ curlx_free(newscheme);
> ++ curlx_free(newhost);
> ++ curlx_free(newport);
> ++ curlx_free(follow_url);
> ++ return Curl_uc_to_curlcode(uc);
> ++ }
> +
> +- p = Curl_get_scheme(scheme);
> +- if(p && (p->protocol != data->info.conn_protocol)) {
> +- infof(data, "Clear auth, redirects scheme from %s to %s",
> +- data->info.conn_scheme, scheme);
> +- clear = TRUE;
> +- }
> +- curlx_free(scheme);
> +- }
> +- if(clear) {
> +- CURLcode result = Curl_reset_userpwd(data);
> +- if(result) {
> +- curlx_free(follow_url);
> +- return result;
> +- }
> +- Curl_safefree(data->state.aptr.user);
> +- Curl_safefree(data->state.aptr.passwd);
> ++ same_origin = strcasecompare(oldscheme, newscheme) &&
> ++ strcasecompare(oldhost, newhost) &&
> ++ !strcmp(oldport, newport);
That code (which is not in the upstream patch) failed to build on my
machine:
$ bitbake curl-native
| ../../sources/curl-8.19.0/lib/http.c:1245:19: error: implicit declaration of function ‘strcasecompare’; did you mean ‘strcasecmp_l’? [-Wimplicit-function-declaration]
| 1245 | same_origin = strcasecompare(oldscheme, newscheme) &&
| | ^~~~~~~~~~~~~~
| | strcasecmp_l
Can you check please?
Thanks!
--
Yoann Congal
Smile ECS
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2026-07-03 9:38 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-29 13:14 [OE-core] [wrynose] [PATCH 1/6] curl: ignore CVE-2026-4873 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 2/6] curl: fix CVE-2026-5545 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 3/6] curl: ignore CVE-2026-5773 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-07-03 8:55 ` Yoann Congal
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 4/6] curl: fix CVE-2026-6253 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 5/6] curl: fix CVE-2026-6429 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-07-03 9:38 ` Yoann Congal
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 6/6] curl: fix CVE-2026-7168 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox