mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-06-01 13:09:50 +00:00
Code Issues Projects Releases Wiki Activity

curl: patch CVE-2026-1965

Browse Source 
pick patches from ubuntu per [1]

[1] https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/curl/7.81.0-1ubuntu1.23/curl_7.81.0-1ubuntu1.23.debian.tar.xz
[2] https://ubuntu.com/security/CVE-2026-1965
[3] https://curl.se/docs/CVE-2026-1965.html

(From OE-Core rev: adb8a05ef19faf76c7c4a3ea68600aa443861a95)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
This commit is contained in:
Vijay Anusuri
2026-03-21 15:17:21 +05:30
committed by Paul Barker
parent f6d2fd38dc
commit 33fab72fa7
3 changed files with 129 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/recipes-support/curl/curl/CVE-2026-1965-1.patch
+98
View File
@@ -0,0 +1,98 @@
From 34fa034d9a390c4bd65e2d05262755ec8646ac12 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 5 Feb 2026 08:34:21 +0100
Subject: [PATCH] url: fix reuse of connections using HTTP Negotiate
Assume Negotiate means connection-based
Reported-by: Zhicheng Chen
Closes #20534
Upstream-Status: Backport [https://github.com/curl/curl/commit/34fa034d9a390c4bd6]
Backported by Ubuntu team https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/curl/7.81.0-1ubuntu1.23/curl_7.81.0-1ubuntu1.23.debian.tar.xz
CVE: CVE-2026-1965
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
lib/url.c | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++----
1 file changed, 82 insertions(+), 5 deletions(-)
--- a/lib/url.c
+++ b/lib/url.c
@@ -1145,6 +1145,18 @@ ConnectionExists(struct Curl_easy *data,
#endif
#endif
+#if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO)
+ bool wantNegohttp =
+ (data->state.authhost.want & CURLAUTH_NEGOTIATE) &&
+ (needle->handler->protocol & PROTO_FAMILY_HTTP);
+#ifndef CURL_DISABLE_PROXY
+ bool wantProxyNegohttp =
+ needle->bits.proxy_user_passwd &&
+ (data->state.authproxy.want & CURLAUTH_NEGOTIATE) &&
+ (needle->handler->protocol & PROTO_FAMILY_HTTP);
+#endif
+#endif
+
*force_reuse = FALSE;
*waitpipe = FALSE;
@@ -1496,6 +1508,57 @@ ConnectionExists(struct Curl_easy *data,
continue;
}
#endif
+
+#ifdef USE_SPNEGO
+ /* If we are looking for an HTTP+Negotiate connection, check if this is
+ already authenticating with the right credentials. If not, keep looking
+ so that we can reuse Negotiate connections if possible. */
+ if(wantNegohttp) {
+ if(Curl_timestrcmp(needle->user, check->user) ||
+ Curl_timestrcmp(needle->passwd, check->passwd))
+ continue;
+ }
+ else if(check->http_negotiate_state != GSS_AUTHNONE) {
+ /* Connection is using Negotiate auth but we do not want Negotiate */
+ continue;
+ }
+
+#ifndef CURL_DISABLE_PROXY
+ /* Same for Proxy Negotiate authentication */
+ if(wantProxyNegohttp) {
+ /* Both check->http_proxy.user and check->http_proxy.passwd can be
+ * NULL */
+ if(!check->http_proxy.user || !check->http_proxy.passwd)
+ continue;
+
+ if(Curl_timestrcmp(needle->http_proxy.user,
+ check->http_proxy.user) ||
+ Curl_timestrcmp(needle->http_proxy.passwd,
+ check->http_proxy.passwd))
+ continue;
+ }
+ else if(check->proxy_negotiate_state != GSS_AUTHNONE) {
+ /* Proxy connection is using Negotiate auth but we do not want Negotiate */
+ continue;
+ }
+#endif
+ if(wantNTLMhttp || wantProxyNTLMhttp) {
+ /* Credentials are already checked, we may use this connection. We MUST
+ * use a connection where it has already been fully negotiated. If it has
+ * not, we keep on looking for a better one. */
+ chosen = check;
+ if((wantNegohttp &&
+ (check->http_negotiate_state != GSS_AUTHNONE)) ||
+ (wantProxyNegohttp &&
+ (check->proxy_negotiate_state != GSS_AUTHNONE))) {
+ /* We must use this connection, no other */
+ *force_reuse = TRUE;
+ break;
+ }
+ continue; /* get another */
+ }
+#endif
+
if(canmultiplex) {
/* We can multiplex if we want to. Let's continue looking for
the optimal connection to use. */
meta/recipes-support/curl/curl/CVE-2026-1965-2.patch
+29
View File
@@ -0,0 +1,29 @@
From f1a39f221d57354990e3eeeddc3404aede2aff70 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Sat, 21 Feb 2026 18:11:41 +0100
Subject: [PATCH] url: fix copy and paste url_match_auth_nego mistake
Follow-up to 34fa034
Reported-by: dahmono on github
Closes #20662
Upstream-Status: Backport [https://github.com/curl/curl/commit/f1a39f221d57354990]
Backported by Ubuntu team https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/curl/7.81.0-1ubuntu1.23/curl_7.81.0-1ubuntu1.23.debian.tar.xz
CVE: CVE-2026-1965
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
lib/url.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/lib/url.c
+++ b/lib/url.c
@@ -1542,7 +1542,7 @@ ConnectionExists(struct Curl_easy *data,
continue;
}
#endif
- if(wantNTLMhttp || wantProxyNTLMhttp) {
+ if(wantNegohttp || wantProxyNegohttp) {
/* Credentials are already checked, we may use this connection. We MUST
* use a connection where it has already been fully negotiated. If it has
* not, we keep on looking for a better one. */
meta/recipes-support/curl/curl_7.82.0.bb
+2
View File
@@ -71,6 +71,8 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
file://CVE-2025-15079.patch \ file://CVE-2025-15079.patch \
file://CVE-2025-15224.patch \ file://CVE-2025-15224.patch \
file://CVE-2025-14524.patch \ file://CVE-2025-14524.patch \
file://CVE-2026-1965-1.patch \
file://CVE-2026-1965-2.patch \
" "
SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c" SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"