mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-06-01 13:09:50 +00:00
Code Issues Projects Releases Wiki Activity

curl: fix CVE-2025-9086

Browse Source 
1, A cookie is set using the secure keyword for https://target
2, curl is redirected to or otherwise made to speak with http://target
(same hostname, but using clear text HTTP) using the same cookie set
3, The same cookie name is set - but with just a slash as path (path="/").
Since this site is not secure, the cookie should just be ignored.
4, A bug in the path comparison logic makes curl read outside a heap buffer boundary

The bug either causes a crash or it potentially makes the comparison come to
the wrong conclusion and lets the clear-text site override the contents of
the secure cookie, contrary to expectations and depending on the memory contents
immediately following the single-byte allocation that holds the path.

The presumed and correct behavior would be to plainly ignore the second set of
the cookie since it was already set as secure on a secure host so overriding
it on an insecure host should not be okay.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-9086

Upstream patch:
https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb6

(From OE-Core rev: 95ab3c3e3745e7e0ca74760683e42ae7531b4199)

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Yogita Urade
2025-09-24 13:56:55 +05:30
committed by Steve Sakoman
parent cb23f1e136
commit 96c7bfd679
2 changed files with 56 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/recipes-support/curl/curl/CVE-2025-9086.patch
+55
View File
@@ -0,0 +1,55 @@
From c6ae07c6a541e0e96d0040afb62b45dd37711300 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 11 Aug 2025 20:23:05 +0200
Subject: [PATCH] cookie: don't treat the leading slash as trailing
If there is only a leading slash in the path, keep that. Also add an
assert to make sure the path is never blank.
Reported-by: Google Big Sleep
Closes #18266
CVE: CVE-2025-9086
Upstream-Status: Backport [https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb6]
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
lib/cookie.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/lib/cookie.c b/lib/cookie.c
index 9819768..d7ee757 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -324,7 +324,7 @@ static char *sanitize_cookie_path(const char *cookie_path)
}
/* convert /hoge/ to /hoge */
- if(len && new_path[len - 1] == '/') {
+ if(len > 1 && new_path[len - 1] == '/') {
new_path[len - 1] = 0x0;
}
@@ -1039,7 +1039,7 @@ replace_existing(struct Curl_easy *data,
clist->spath && co->spath && /* both have paths */
clist->secure && !co->secure && !secure) {
size_t cllen;
- const char *sep;
+ const char *sep = NULL;
/*
* A non-secure cookie may not overlay an existing secure cookie.
@@ -1048,8 +1048,9 @@ replace_existing(struct Curl_easy *data,
* "/loginhelper" is ok.
*/
- sep = strchr(clist->spath + 1, '/');
-
+ DEBUGASSERT(clist->spath[0]);
+ if(clist->spath[0])
+ sep = strchr(clist->spath + 1, '/');
if(sep)
cllen = sep - clist->spath;
else
--
2.40.0
meta/recipes-support/curl/curl_8.12.1.bb
+1
View File
@@ -14,6 +14,7 @@ SRC_URI = " \
file://run-ptest \ file://run-ptest \
file://disable-tests \ file://disable-tests \
file://no-test-timeout.patch \ file://no-test-timeout.patch \
file://CVE-2025-9086.patch \
" "
SRC_URI:append:class-nativesdk = " \ SRC_URI:append:class-nativesdk = " \