* [wrynose][PATCH v2] curl: fix CVE-2026-5773 - wrong reuse of SMB connection
@ 2026-06-23 12:08 Jaipaul Cheernam
2026-06-23 21:24 ` [OE-core] " Yoann Congal
` (3 more replies)
0 siblings, 4 replies; 8+ messages in thread
From: Jaipaul Cheernam @ 2026-06-23 12:08 UTC (permalink / raw)
To: openembedded-core; +Cc: Jaipaul Cheernam
Remove PROTOPT_CONN_REUSE from SMB handler flags to prevent
connection pooling. Without this, a second SMB request to the same
host reuses a connection authenticated for a different share.
Signed-off-by: Jaipaul Cheernam <jaipaul.cheernam@est.tech>
---
.../curl/curl/CVE-2026-5773.patch | 44 +++++++++++++++++++
meta/recipes-support/curl/curl_8.19.0.bb | 1 +
2 files changed, 45 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2026-5773.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2026-5773.patch b/meta/recipes-support/curl/curl/CVE-2026-5773.patch
new file mode 100644
index 0000000000..c2984de5ff
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2026-5773.patch
@@ -0,0 +1,44 @@
+From 74a169575d6412dc0ff532acdf94de35a6c2a571 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sun, 5 Apr 2026 18:23:35 +0200
+Subject: [PATCH] smb: disable connection reuse
+
+Connections should only be reused when using the same "share" (and
+perhaps some additional conditions), but instead of fixing this flaw,
+this change completely disables connection reuse for SMB.
+
+Reported-by: Osama Hamad
+Closes #21238
+
+Signed-off-by: Daniel Stenberg <daniel@haxx.se>
+
+CVE: CVE-2026-5773
+Upstream-Status: Backport [https://github.com/curl/curl/commit/74a169575d6412dc0ff532acdf94de35a6c2a571]
+
+(cherry picked from commit 74a169575d6412dc0ff532acdf94de35a6c2a571)
+Signed-off-by: Jaipaul Cheernam <jaipaul.cheernam@est.tech>
+---
+ lib/smb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/smb.c b/lib/smb.c
+index ccd4f3f69d..2a9f08388f 100644
+--- a/lib/smb.c
++++ b/lib/smb.c
+@@ -1242,7 +1242,7 @@
+ #endif
+ CURLPROTO_SMB, /* protocol */
+ CURLPROTO_SMB, /* family */
+- PROTOPT_CONN_REUSE, /* flags */
++ PROTOPT_NONE, /* flags */
+ PORT_SMB, /* defport */
+ };
+
+@@ -1259,7 +1259,7 @@
+ #endif
+ CURLPROTO_SMBS, /* protocol */
+ CURLPROTO_SMB, /* family */
+- PROTOPT_SSL | PROTOPT_CONN_REUSE, /* flags */
++ PROTOPT_SSL, /* flags */
+ PORT_SMBS, /* defport */
+ };
diff --git a/meta/recipes-support/curl/curl_8.19.0.bb b/meta/recipes-support/curl/curl_8.19.0.bb
index d58b774011..3326f478b5 100644
--- a/meta/recipes-support/curl/curl_8.19.0.bb
+++ b/meta/recipes-support/curl/curl_8.19.0.bb
@@ -15,6 +15,7 @@ SRC_URI = " \
file://disable-tests \
file://no-test-timeout.patch \
file://CVE-2026-6276.patch \
+ file://CVE-2026-5773.patch \
file://mbedtls.patch \
"
--
2.34.1
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [OE-core] [wrynose][PATCH v2] curl: fix CVE-2026-5773 - wrong reuse of SMB connection
2026-06-23 12:08 [wrynose][PATCH v2] curl: fix CVE-2026-5773 - wrong reuse of SMB connection Jaipaul Cheernam
@ 2026-06-23 21:24 ` Yoann Congal
2026-06-24 7:55 ` [wrynose][PATCH v3] " Jaipaul Cheernam
` (2 subsequent siblings)
3 siblings, 0 replies; 8+ messages in thread
From: Yoann Congal @ 2026-06-23 21:24 UTC (permalink / raw)
To: jaipaul.cheernam, openembedded-core
Hello,
On Tue Jun 23, 2026 at 2:08 PM CEST, Jaipaul Cheernam via lists.openembedded.org wrote:
> Remove PROTOPT_CONN_REUSE from SMB handler flags to prevent
> connection pooling. Without this, a second SMB request to the same
> host reuses a connection authenticated for a different share.
In the commit message, you should justify why the patch you trying to
merge does indeed fix the CVE. You can use NVD, Debian security tracker
or upstream as easy/natural reference (but other may be accepted). In
this case, all 3 point to your patch so you can choose. You can look at
other CVE fixing patches to get examples.
>
> Signed-off-by: Jaipaul Cheernam <jaipaul.cheernam@est.tech>
> ---
> .../curl/curl/CVE-2026-5773.patch | 44 +++++++++++++++++++
> meta/recipes-support/curl/curl_8.19.0.bb | 1 +
> 2 files changed, 45 insertions(+)
> create mode 100644 meta/recipes-support/curl/curl/CVE-2026-5773.patch
>
> diff --git a/meta/recipes-support/curl/curl/CVE-2026-5773.patch b/meta/recipes-support/curl/curl/CVE-2026-5773.patch
> new file mode 100644
> index 0000000000..c2984de5ff
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2026-5773.patch
> @@ -0,0 +1,44 @@
> +From 74a169575d6412dc0ff532acdf94de35a6c2a571 Mon Sep 17 00:00:00 2001
> +From: Daniel Stenberg <daniel@haxx.se>
> +Date: Sun, 5 Apr 2026 18:23:35 +0200
> +Subject: [PATCH] smb: disable connection reuse
> +
> +Connections should only be reused when using the same "share" (and
> +perhaps some additional conditions), but instead of fixing this flaw,
> +this change completely disables connection reuse for SMB.
> +
> +Reported-by: Osama Hamad
> +Closes #21238
> +
> +Signed-off-by: Daniel Stenberg <daniel@haxx.se>
> +
> +CVE: CVE-2026-5773
> +Upstream-Status: Backport [https://github.com/curl/curl/commit/74a169575d6412dc0ff532acdf94de35a6c2a571]
> +
> +(cherry picked from commit 74a169575d6412dc0ff532acdf94de35a6c2a571)
^ that "cherry picked" line has no use here. You can remove it.
This patch is a little different from the upstream patch:
* Not the same file patched: please add a note explaining the changes
and why you did them.
* Also, the patch message was edited: we don't usualy do this: If you
need to add info/context keep them in a note section you add to the
patch message. e.g between Upstream-Status and your Signed-off-by.
With that fixed, ht epatch should be good to go, thanks!
> +Signed-off-by: Jaipaul Cheernam <jaipaul.cheernam@est.tech>
> +---
> + lib/smb.c | 4 ++--
> + 1 file changed, 2 insertions(+), 2 deletions(-)
> +
> +diff --git a/lib/smb.c b/lib/smb.c
> +index ccd4f3f69d..2a9f08388f 100644
> +--- a/lib/smb.c
> ++++ b/lib/smb.c
> +@@ -1242,7 +1242,7 @@
> + #endif
> + CURLPROTO_SMB, /* protocol */
> + CURLPROTO_SMB, /* family */
> +- PROTOPT_CONN_REUSE, /* flags */
> ++ PROTOPT_NONE, /* flags */
> + PORT_SMB, /* defport */
> + };
> +
> +@@ -1259,7 +1259,7 @@
> + #endif
> + CURLPROTO_SMBS, /* protocol */
> + CURLPROTO_SMB, /* family */
> +- PROTOPT_SSL | PROTOPT_CONN_REUSE, /* flags */
> ++ PROTOPT_SSL, /* flags */
> + PORT_SMBS, /* defport */
> + };
> diff --git a/meta/recipes-support/curl/curl_8.19.0.bb b/meta/recipes-support/curl/curl_8.19.0.bb
> index d58b774011..3326f478b5 100644
> --- a/meta/recipes-support/curl/curl_8.19.0.bb
> +++ b/meta/recipes-support/curl/curl_8.19.0.bb
> @@ -15,6 +15,7 @@ SRC_URI = " \
> file://disable-tests \
> file://no-test-timeout.patch \
> file://CVE-2026-6276.patch \
> + file://CVE-2026-5773.patch \
> file://mbedtls.patch \
> "
>
--
Yoann Congal
Smile ECS
^ permalink raw reply [flat|nested] 8+ messages in thread
* [wrynose][PATCH v3] curl: fix CVE-2026-5773 - wrong reuse of SMB connection
2026-06-23 12:08 [wrynose][PATCH v2] curl: fix CVE-2026-5773 - wrong reuse of SMB connection Jaipaul Cheernam
2026-06-23 21:24 ` [OE-core] " Yoann Congal
@ 2026-06-24 7:55 ` Jaipaul Cheernam
2026-07-03 8:50 ` [OE-core] " Yoann Congal
2026-07-03 9:25 ` [wrynose][PATCH v4] " Jaipaul Cheernam
2026-07-06 8:14 ` [wrynose][PATCH v5] " Jaipaul Cheernam
3 siblings, 1 reply; 8+ messages in thread
From: Jaipaul Cheernam @ 2026-06-24 7:55 UTC (permalink / raw)
To: openembedded-core; +Cc: Jaipaul Cheernam
Remove PROTOPT_CONN_REUSE from SMB handler flags to prevent
connection pooling. Without this, a second SMB request to the same
host reuses a connection authenticated for a different share.
Reference: https://curl.se/docs/CVE-2026-5773.html
Signed-off-by: Jaipaul Cheernam <jaipaul.cheernam@est.tech>
---
.../curl/curl/CVE-2026-5773.patch | 48 +++++++++++++++++++
meta/recipes-support/curl/curl_8.19.0.bb | 1 +
2 files changed, 49 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2026-5773.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2026-5773.patch b/meta/recipes-support/curl/curl/CVE-2026-5773.patch
new file mode 100644
index 0000000000..970e04b33f
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2026-5773.patch
@@ -0,0 +1,48 @@
+From 74a169575d6412dc0ff532acdf94de35a6c2a571 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sun, 5 Apr 2026 18:23:35 +0200
+Subject: [PATCH] protocol: disable connection reuse for SMB(S)
+
+Connections should only be reused when using the same "share" (and
+perhaps some additional conditions), but instead of fixing this flaw,
+this change completely disables connection reuse for SMB. This protocol
+is about to get dropped soon anyway.
+
+Reported-by: Osama Hamad
+Closes #21238
+Signed-off-by: Daniel Stenberg <daniel@haxx.se>
+
+CVE: CVE-2026-5773
+Upstream-Status: Backport [https://github.com/curl/curl/commit/74a169575d6412dc0ff532acdf94de35a6c2a571]
+
+Note: The upstream fix targets lib/protocol.c which was introduced in
+curl 8.20.0. In 8.19.0 the SMB handler flags are still in lib/smb.c,
+so this patch removes PROTOPT_CONN_REUSE there instead. The effect is
+identical: SMB connections are no longer pooled for reuse.
+
+Signed-off-by: Jaipaul Cheernam <jaipaul.cheernam@est.tech>
+---
+ lib/smb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/smb.c b/lib/smb.c
+index ccd4f3f69d..2a9f08388f 100644
+--- a/lib/smb.c
++++ b/lib/smb.c
+@@ -1242,7 +1242,7 @@
+ #endif
+ CURLPROTO_SMB, /* protocol */
+ CURLPROTO_SMB, /* family */
+- PROTOPT_CONN_REUSE, /* flags */
++ PROTOPT_NONE, /* flags */
+ PORT_SMB, /* defport */
+ };
+
+@@ -1259,7 +1259,7 @@
+ #endif
+ CURLPROTO_SMBS, /* protocol */
+ CURLPROTO_SMB, /* family */
+- PROTOPT_SSL | PROTOPT_CONN_REUSE, /* flags */
++ PROTOPT_SSL, /* flags */
+ PORT_SMBS, /* defport */
+ };
diff --git a/meta/recipes-support/curl/curl_8.19.0.bb b/meta/recipes-support/curl/curl_8.19.0.bb
index d58b774011..3326f478b5 100644
--- a/meta/recipes-support/curl/curl_8.19.0.bb
+++ b/meta/recipes-support/curl/curl_8.19.0.bb
@@ -15,6 +15,7 @@ SRC_URI = " \
file://disable-tests \
file://no-test-timeout.patch \
file://CVE-2026-6276.patch \
+ file://CVE-2026-5773.patch \
file://mbedtls.patch \
"
--
2.34.1
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [OE-core] [wrynose][PATCH v3] curl: fix CVE-2026-5773 - wrong reuse of SMB connection
2026-06-24 7:55 ` [wrynose][PATCH v3] " Jaipaul Cheernam
@ 2026-07-03 8:50 ` Yoann Congal
0 siblings, 0 replies; 8+ messages in thread
From: Yoann Congal @ 2026-07-03 8:50 UTC (permalink / raw)
To: jaipaul.cheernam, openembedded-core
On Wed Jun 24, 2026 at 9:55 AM CEST, Jaipaul Cheernam via lists.openembedded.org wrote:
> Remove PROTOPT_CONN_REUSE from SMB handler flags to prevent
> connection pooling. Without this, a second SMB request to the same
> host reuses a connection authenticated for a different share.
>
> Reference: https://curl.se/docs/CVE-2026-5773.html
>
> Signed-off-by: Jaipaul Cheernam <jaipaul.cheernam@est.tech>
> ---
> .../curl/curl/CVE-2026-5773.patch | 48 +++++++++++++++++++
> meta/recipes-support/curl/curl_8.19.0.bb | 1 +
> 2 files changed, 49 insertions(+)
> create mode 100644 meta/recipes-support/curl/curl/CVE-2026-5773.patch
Hello,
This patch does not apply cleanly on the lastest origin/wrynose:
commit 5d1aa5c806c0 ("build-appliance-image: Update to wrynose head revisions")):
| $ bitbake -cpatch curl
| [...]
| ERROR: curl-8.19.0-r0 do_patch: QA Issue: Fuzz detected:
|
| Applying patch CVE-2026-5773.patch
| patching file lib/smb.c
| Hunk #2 succeeded at 1259 with fuzz 1.
|
|
| The context lines in the patches can be updated with devtool:
|
| devtool modify curl
| devtool finish --force-patch-refresh curl <layer_path>
|
| Don't forget to review changes done by devtool!
|
| Patch log indicates that patches do not apply cleanly. [patch-fuzz]
| ERROR: curl-8.19.0-r0 do_patch: Fatal QA errors were found, failing task.
Can you rebase and send a v4?
Thanks!
>
> diff --git a/meta/recipes-support/curl/curl/CVE-2026-5773.patch b/meta/recipes-support/curl/curl/CVE-2026-5773.patch
> new file mode 100644
> index 0000000000..970e04b33f
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2026-5773.patch
> @@ -0,0 +1,48 @@
> +From 74a169575d6412dc0ff532acdf94de35a6c2a571 Mon Sep 17 00:00:00 2001
> +From: Daniel Stenberg <daniel@haxx.se>
> +Date: Sun, 5 Apr 2026 18:23:35 +0200
> +Subject: [PATCH] protocol: disable connection reuse for SMB(S)
> +
> +Connections should only be reused when using the same "share" (and
> +perhaps some additional conditions), but instead of fixing this flaw,
> +this change completely disables connection reuse for SMB. This protocol
> +is about to get dropped soon anyway.
> +
> +Reported-by: Osama Hamad
> +Closes #21238
> +Signed-off-by: Daniel Stenberg <daniel@haxx.se>
> +
> +CVE: CVE-2026-5773
> +Upstream-Status: Backport [https://github.com/curl/curl/commit/74a169575d6412dc0ff532acdf94de35a6c2a571]
> +
> +Note: The upstream fix targets lib/protocol.c which was introduced in
> +curl 8.20.0. In 8.19.0 the SMB handler flags are still in lib/smb.c,
> +so this patch removes PROTOPT_CONN_REUSE there instead. The effect is
> +identical: SMB connections are no longer pooled for reuse.
> +
> +Signed-off-by: Jaipaul Cheernam <jaipaul.cheernam@est.tech>
> +---
> + lib/smb.c | 4 ++--
> + 1 file changed, 2 insertions(+), 2 deletions(-)
> +
> +diff --git a/lib/smb.c b/lib/smb.c
> +index ccd4f3f69d..2a9f08388f 100644
> +--- a/lib/smb.c
> ++++ b/lib/smb.c
> +@@ -1242,7 +1242,7 @@
> + #endif
> + CURLPROTO_SMB, /* protocol */
> + CURLPROTO_SMB, /* family */
> +- PROTOPT_CONN_REUSE, /* flags */
> ++ PROTOPT_NONE, /* flags */
> + PORT_SMB, /* defport */
> + };
> +
> +@@ -1259,7 +1259,7 @@
> + #endif
> + CURLPROTO_SMBS, /* protocol */
> + CURLPROTO_SMB, /* family */
> +- PROTOPT_SSL | PROTOPT_CONN_REUSE, /* flags */
> ++ PROTOPT_SSL, /* flags */
> + PORT_SMBS, /* defport */
> + };
> diff --git a/meta/recipes-support/curl/curl_8.19.0.bb b/meta/recipes-support/curl/curl_8.19.0.bb
> index d58b774011..3326f478b5 100644
> --- a/meta/recipes-support/curl/curl_8.19.0.bb
> +++ b/meta/recipes-support/curl/curl_8.19.0.bb
> @@ -15,6 +15,7 @@ SRC_URI = " \
> file://disable-tests \
> file://no-test-timeout.patch \
> file://CVE-2026-6276.patch \
> + file://CVE-2026-5773.patch \
> file://mbedtls.patch \
> "
>
--
Yoann Congal
Smile ECS
^ permalink raw reply [flat|nested] 8+ messages in thread
* [wrynose][PATCH v4] curl: fix CVE-2026-5773 - wrong reuse of SMB connection
2026-06-23 12:08 [wrynose][PATCH v2] curl: fix CVE-2026-5773 - wrong reuse of SMB connection Jaipaul Cheernam
2026-06-23 21:24 ` [OE-core] " Yoann Congal
2026-06-24 7:55 ` [wrynose][PATCH v3] " Jaipaul Cheernam
@ 2026-07-03 9:25 ` Jaipaul Cheernam
2026-07-05 22:03 ` [OE-core] " Yoann Congal
2026-07-06 8:14 ` [wrynose][PATCH v5] " Jaipaul Cheernam
3 siblings, 1 reply; 8+ messages in thread
From: Jaipaul Cheernam @ 2026-07-03 9:25 UTC (permalink / raw)
To: openembedded-core; +Cc: Jaipaul Cheernam
Remove PROTOPT_CONN_REUSE from SMB handler flags to prevent
connection pooling. Without this, a second SMB request to the same
host reuses a connection authenticated for a different share.
Reference: https://curl.se/docs/CVE-2026-5773.html
Signed-off-by: Jaipaul Cheernam <jaipaul.cheernam@est.tech>
---
Changes v3 -> v4:
- Rebased on latest wrynose (5d1aa5c806c0)
- Refreshed patch context to eliminate fuzz on hunk #2
.../curl/curl/CVE-2026-5773.patch | 48 +++++++++++++++++++
meta/recipes-support/curl/curl_8.19.0.bb | 1 +
2 files changed, 49 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2026-5773.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2026-5773.patch b/meta/recipes-support/curl/curl/CVE-2026-5773.patch
new file mode 100644
index 0000000000..1b60191da8
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2026-5773.patch
@@ -0,0 +1,48 @@
+From e5c7f93734345260820ca46b29db85f75d277399 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sun, 5 Apr 2026 18:23:35 +0200
+Subject: [PATCH] protocol: disable connection reuse for SMB(S)
+
+Connections should only be reused when using the same "share" (and
+perhaps some additional conditions), but instead of fixing this flaw,
+this change completely disables connection reuse for SMB. This protocol
+is about to get dropped soon anyway.
+
+Reported-by: Osama Hamad
+Closes #21238
+Signed-off-by: Daniel Stenberg <daniel@haxx.se>
+
+CVE: CVE-2026-5773
+Upstream-Status: Backport [https://github.com/curl/curl/commit/74a169575d6412dc0ff532acdf94de35a6c2a571]
+
+Note: The upstream fix targets lib/protocol.c which was introduced in
+curl 8.20.0. In 8.19.0 the SMB handler flags are still in lib/smb.c,
+so this patch removes PROTOPT_CONN_REUSE there instead. The effect is
+identical: SMB connections are no longer pooled for reuse.
+
+Signed-off-by: Jaipaul Cheernam <jaipaul.cheernam@est.tech>
+---
+ lib/smb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/smb.c b/lib/smb.c
+index 00297ad..c15fdce 100644
+--- a/lib/smb.c
++++ b/lib/smb.c
+@@ -1242,7 +1242,7 @@ const struct Curl_scheme Curl_scheme_smb = {
+ #endif
+ CURLPROTO_SMB, /* protocol */
+ CURLPROTO_SMB, /* family */
+- PROTOPT_CONN_REUSE, /* flags */
++ PROTOPT_NONE, /* flags */
+ PORT_SMB, /* defport */
+ };
+
+@@ -1259,6 +1259,6 @@ const struct Curl_scheme Curl_scheme_smbs = {
+ #endif
+ CURLPROTO_SMBS, /* protocol */
+ CURLPROTO_SMB, /* family */
+- PROTOPT_SSL | PROTOPT_CONN_REUSE, /* flags */
++ PROTOPT_SSL, /* flags */
+ PORT_SMBS, /* defport */
+ };
diff --git a/meta/recipes-support/curl/curl_8.19.0.bb b/meta/recipes-support/curl/curl_8.19.0.bb
index d58b774011..3326f478b5 100644
--- a/meta/recipes-support/curl/curl_8.19.0.bb
+++ b/meta/recipes-support/curl/curl_8.19.0.bb
@@ -15,6 +15,7 @@ SRC_URI = " \
file://disable-tests \
file://no-test-timeout.patch \
file://CVE-2026-6276.patch \
+ file://CVE-2026-5773.patch \
file://mbedtls.patch \
"
--
2.34.1
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [OE-core] [wrynose][PATCH v4] curl: fix CVE-2026-5773 - wrong reuse of SMB connection
2026-07-03 9:25 ` [wrynose][PATCH v4] " Jaipaul Cheernam
@ 2026-07-05 22:03 ` Yoann Congal
2026-07-06 8:11 ` Jaipaul Cheernam
0 siblings, 1 reply; 8+ messages in thread
From: Yoann Congal @ 2026-07-05 22:03 UTC (permalink / raw)
To: jaipaul.cheernam, openembedded-core
On Fri Jul 3, 2026 at 11:25 AM CEST, Jaipaul Cheernam via lists.openembedded.org wrote:
> Remove PROTOPT_CONN_REUSE from SMB handler flags to prevent
> connection pooling. Without this, a second SMB request to the same
> host reuses a connection authenticated for a different share.
>
> Reference: https://curl.se/docs/CVE-2026-5773.html
>
> Signed-off-by: Jaipaul Cheernam <jaipaul.cheernam@est.tech>
> ---
> Changes v3 -> v4:
> - Rebased on latest wrynose (5d1aa5c806c0)
> - Refreshed patch context to eliminate fuzz on hunk #2
>
> .../curl/curl/CVE-2026-5773.patch | 48 +++++++++++++++++++
> meta/recipes-support/curl/curl_8.19.0.bb | 1 +
> 2 files changed, 49 insertions(+)
> create mode 100644 meta/recipes-support/curl/curl/CVE-2026-5773.patch
>
> diff --git a/meta/recipes-support/curl/curl/CVE-2026-5773.patch b/meta/recipes-support/curl/curl/CVE-2026-5773.patch
> new file mode 100644
> index 0000000000..1b60191da8
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2026-5773.patch
> @@ -0,0 +1,48 @@
> +From e5c7f93734345260820ca46b29db85f75d277399 Mon Sep 17 00:00:00 2001
> +From: Daniel Stenberg <daniel@haxx.se>
> +Date: Sun, 5 Apr 2026 18:23:35 +0200
> +Subject: [PATCH] protocol: disable connection reuse for SMB(S)
> +
> +Connections should only be reused when using the same "share" (and
> +perhaps some additional conditions), but instead of fixing this flaw,
> +this change completely disables connection reuse for SMB. This protocol
> +is about to get dropped soon anyway.
> +
> +Reported-by: Osama Hamad
> +Closes #21238
> +Signed-off-by: Daniel Stenberg <daniel@haxx.se>
> +
> +CVE: CVE-2026-5773
> +Upstream-Status: Backport [https://github.com/curl/curl/commit/74a169575d6412dc0ff532acdf94de35a6c2a571]
Hello,
The referenced upstream patch does not have
"Signed-off-by: Daniel Stenberg <daniel@haxx.se>".
Why did you add it?
Regards,
> +
> +Note: The upstream fix targets lib/protocol.c which was introduced in
> +curl 8.20.0. In 8.19.0 the SMB handler flags are still in lib/smb.c,
> +so this patch removes PROTOPT_CONN_REUSE there instead. The effect is
> +identical: SMB connections are no longer pooled for reuse.
> +
> +Signed-off-by: Jaipaul Cheernam <jaipaul.cheernam@est.tech>
> +---
> + lib/smb.c | 4 ++--
> + 1 file changed, 2 insertions(+), 2 deletions(-)
> +
> +diff --git a/lib/smb.c b/lib/smb.c
> +index 00297ad..c15fdce 100644
> +--- a/lib/smb.c
> ++++ b/lib/smb.c
> +@@ -1242,7 +1242,7 @@ const struct Curl_scheme Curl_scheme_smb = {
> + #endif
> + CURLPROTO_SMB, /* protocol */
> + CURLPROTO_SMB, /* family */
> +- PROTOPT_CONN_REUSE, /* flags */
> ++ PROTOPT_NONE, /* flags */
> + PORT_SMB, /* defport */
> + };
> +
> +@@ -1259,6 +1259,6 @@ const struct Curl_scheme Curl_scheme_smbs = {
> + #endif
> + CURLPROTO_SMBS, /* protocol */
> + CURLPROTO_SMB, /* family */
> +- PROTOPT_SSL | PROTOPT_CONN_REUSE, /* flags */
> ++ PROTOPT_SSL, /* flags */
> + PORT_SMBS, /* defport */
> + };
> diff --git a/meta/recipes-support/curl/curl_8.19.0.bb b/meta/recipes-support/curl/curl_8.19.0.bb
> index d58b774011..3326f478b5 100644
> --- a/meta/recipes-support/curl/curl_8.19.0.bb
> +++ b/meta/recipes-support/curl/curl_8.19.0.bb
> @@ -15,6 +15,7 @@ SRC_URI = " \
> file://disable-tests \
> file://no-test-timeout.patch \
> file://CVE-2026-6276.patch \
> + file://CVE-2026-5773.patch \
> file://mbedtls.patch \
> "
>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [OE-core] [wrynose][PATCH v4] curl: fix CVE-2026-5773 - wrong reuse of SMB connection
2026-07-05 22:03 ` [OE-core] " Yoann Congal
@ 2026-07-06 8:11 ` Jaipaul Cheernam
0 siblings, 0 replies; 8+ messages in thread
From: Jaipaul Cheernam @ 2026-07-06 8:11 UTC (permalink / raw)
To: Yoann Congal, openembedded-core
[-- Attachment #1: Type: text/plain, Size: 465 bytes --]
Hi Yoann,
You're right, the upstream commit doesn't have a Signed-off-by. I
mistakenly added it. Removed in v5 and will send v3 for scarthgap also.
Regards,
Jaipaul
On 2026-07-06 00:03, Yoann Congal wrote:
>> +Upstream-Status: Backport [https://github.com/curl/curl/commit/74a169575d6412dc0ff532acdf94de35a6c2a571]
> Hello,
>
> The referenced upstream patch does not have
> "Signed-off-by: Daniel Stenberg<daniel@haxx.se>".
> Why did you add it?
>
> Regards,
[-- Attachment #2: Type: text/html, Size: 1276 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* [wrynose][PATCH v5] curl: fix CVE-2026-5773 - wrong reuse of SMB connection
2026-06-23 12:08 [wrynose][PATCH v2] curl: fix CVE-2026-5773 - wrong reuse of SMB connection Jaipaul Cheernam
` (2 preceding siblings ...)
2026-07-03 9:25 ` [wrynose][PATCH v4] " Jaipaul Cheernam
@ 2026-07-06 8:14 ` Jaipaul Cheernam
3 siblings, 0 replies; 8+ messages in thread
From: Jaipaul Cheernam @ 2026-07-06 8:14 UTC (permalink / raw)
To: openembedded-core; +Cc: Jaipaul Cheernam
Remove PROTOPT_CONN_REUSE from SMB handler flags to prevent
connection pooling. Without this, a second SMB request to the same
host reuses a connection authenticated for a different share.
Reference: https://curl.se/docs/CVE-2026-5773.html
Signed-off-by: Jaipaul Cheernam <jaipaul.cheernam@est.tech>
---
Changes v4 -> v5:
- Removed incorrect Signed-off-by from Daniel (upstream commit has none)
Changes v3 -> v4:
- Rebased on latest wrynose (5d1aa5c806c0)
- Refreshed patch context to eliminate fuzz on hunk #2
.../curl/curl/CVE-2026-5773.patch | 47 +++++++++++++++++++
meta/recipes-support/curl/curl_8.19.0.bb | 1 +
2 files changed, 48 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2026-5773.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2026-5773.patch b/meta/recipes-support/curl/curl/CVE-2026-5773.patch
new file mode 100644
index 0000000000..a997371242
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2026-5773.patch
@@ -0,0 +1,47 @@
+From e5c7f93734345260820ca46b29db85f75d277399 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sun, 5 Apr 2026 18:23:35 +0200
+Subject: [PATCH] protocol: disable connection reuse for SMB(S)
+
+Connections should only be reused when using the same "share" (and
+perhaps some additional conditions), but instead of fixing this flaw,
+this change completely disables connection reuse for SMB. This protocol
+is about to get dropped soon anyway.
+
+Reported-by: Osama Hamad
+Closes #21238
+
+CVE: CVE-2026-5773
+Upstream-Status: Backport [https://github.com/curl/curl/commit/74a169575d6412dc0ff532acdf94de35a6c2a571]
+
+Note: The upstream fix targets lib/protocol.c which was introduced in
+curl 8.20.0. In 8.19.0 the SMB handler flags are still in lib/smb.c,
+so this patch removes PROTOPT_CONN_REUSE there instead. The effect is
+identical: SMB connections are no longer pooled for reuse.
+
+Signed-off-by: Jaipaul Cheernam <jaipaul.cheernam@est.tech>
+---
+ lib/smb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/smb.c b/lib/smb.c
+index 00297ad..c15fdce 100644
+--- a/lib/smb.c
++++ b/lib/smb.c
+@@ -1242,7 +1242,7 @@ const struct Curl_scheme Curl_scheme_smb = {
+ #endif
+ CURLPROTO_SMB, /* protocol */
+ CURLPROTO_SMB, /* family */
+- PROTOPT_CONN_REUSE, /* flags */
++ PROTOPT_NONE, /* flags */
+ PORT_SMB, /* defport */
+ };
+
+@@ -1259,6 +1259,6 @@ const struct Curl_scheme Curl_scheme_smbs = {
+ #endif
+ CURLPROTO_SMBS, /* protocol */
+ CURLPROTO_SMB, /* family */
+- PROTOPT_SSL | PROTOPT_CONN_REUSE, /* flags */
++ PROTOPT_SSL, /* flags */
+ PORT_SMBS, /* defport */
+ };
diff --git a/meta/recipes-support/curl/curl_8.19.0.bb b/meta/recipes-support/curl/curl_8.19.0.bb
index d58b774011..3326f478b5 100644
--- a/meta/recipes-support/curl/curl_8.19.0.bb
+++ b/meta/recipes-support/curl/curl_8.19.0.bb
@@ -15,6 +15,7 @@ SRC_URI = " \
file://disable-tests \
file://no-test-timeout.patch \
file://CVE-2026-6276.patch \
+ file://CVE-2026-5773.patch \
file://mbedtls.patch \
"
--
2.34.1
^ permalink raw reply related [flat|nested] 8+ messages in thread
end of thread, other threads:[~2026-07-06 8:14 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-23 12:08 [wrynose][PATCH v2] curl: fix CVE-2026-5773 - wrong reuse of SMB connection Jaipaul Cheernam
2026-06-23 21:24 ` [OE-core] " Yoann Congal
2026-06-24 7:55 ` [wrynose][PATCH v3] " Jaipaul Cheernam
2026-07-03 8:50 ` [OE-core] " Yoann Congal
2026-07-03 9:25 ` [wrynose][PATCH v4] " Jaipaul Cheernam
2026-07-05 22:03 ` [OE-core] " Yoann Congal
2026-07-06 8:11 ` Jaipaul Cheernam
2026-07-06 8:14 ` [wrynose][PATCH v5] " Jaipaul Cheernam
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox