From: Peter Marko <[email protected]> Pick patches from [1].
[1] https://curl.se/docs/CVE-2026-1965.html Signed-off-by: Peter Marko <[email protected]> --- .../curl/curl/CVE-2026-1965-01.patch | 138 ++++++++++++++++++ .../curl/curl/CVE-2026-1965-02.patch | 29 ++++ meta/recipes-support/curl/curl_8.17.0.bb | 2 + 3 files changed, 169 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2026-1965-01.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2026-1965-02.patch diff --git a/meta/recipes-support/curl/curl/CVE-2026-1965-01.patch b/meta/recipes-support/curl/curl/CVE-2026-1965-01.patch new file mode 100644 index 0000000000..dbfbfd7e63 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2026-1965-01.patch @@ -0,0 +1,138 @@ +From 34fa034d9a390c4bd65e2d05262755ec8646ac12 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <[email protected]> +Date: Thu, 5 Feb 2026 08:34:21 +0100 +Subject: [PATCH] url: fix reuse of connections using HTTP Negotiate + +Assume Negotiate means connection-based + +Reported-by: Zhicheng Chen +Closes #20534 + +CVE: CVE-2026-1965 +Upstream-Status: Backport [https://github.com/curl/curl/commit/34fa034d9a390c4bd65e2d05262755ec8646ac12] +Signed-off-by: Peter Marko <[email protected]> +--- + lib/url.c | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++---- + 1 file changed, 82 insertions(+), 5 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index fac8cea732..cfe398de8b 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -792,6 +792,8 @@ struct url_conn_match { + BIT(may_multiplex); + BIT(want_ntlm_http); + BIT(want_proxy_ntlm_http); ++ BIT(want_nego_http); ++ BIT(want_proxy_nego_http); + + BIT(wait_pipe); + BIT(force_reuse); +@@ -1215,6 +1217,63 @@ static bool url_match_auth_ntlm(struct connectdata *conn, + #define url_match_auth_ntlm(c,m) ((void)c, (void)m, TRUE) + #endif + ++#ifdef USE_SPNEGO ++static bool url_match_auth_nego(struct connectdata *conn, ++ struct url_conn_match *m) ++{ ++ /* If we are looking for an HTTP+Negotiate connection, check if this is ++ already authenticating with the right credentials. If not, keep looking ++ so that we can reuse Negotiate connections if possible. */ ++ if(m->want_nego_http) { ++ if(Curl_timestrcmp(m->needle->user, conn->user) || ++ Curl_timestrcmp(m->needle->passwd, conn->passwd)) ++ return FALSE; ++ } ++ else if(conn->http_negotiate_state != GSS_AUTHNONE) { ++ /* Connection is using Negotiate auth but we do not want Negotiate */ ++ return FALSE; ++ } ++ ++#ifndef CURL_DISABLE_PROXY ++ /* Same for Proxy Negotiate authentication */ ++ if(m->want_proxy_nego_http) { ++ /* Both conn->http_proxy.user and conn->http_proxy.passwd can be ++ * NULL */ ++ if(!conn->http_proxy.user || !conn->http_proxy.passwd) ++ return FALSE; ++ ++ if(Curl_timestrcmp(m->needle->http_proxy.user, ++ conn->http_proxy.user) || ++ Curl_timestrcmp(m->needle->http_proxy.passwd, ++ conn->http_proxy.passwd)) ++ return FALSE; ++ } ++ else if(conn->proxy_negotiate_state != GSS_AUTHNONE) { ++ /* Proxy connection is using Negotiate auth but we do not want Negotiate */ ++ return FALSE; ++ } ++#endif ++ if(m->want_ntlm_http || m->want_proxy_ntlm_http) { ++ /* Credentials are already checked, we may use this connection. We MUST ++ * use a connection where it has already been fully negotiated. If it has ++ * not, we keep on looking for a better one. */ ++ m->found = conn; ++ if((m->want_nego_http && ++ (conn->http_negotiate_state != GSS_AUTHNONE)) || ++ (m->want_proxy_nego_http && ++ (conn->proxy_negotiate_state != GSS_AUTHNONE))) { ++ /* We must use this connection, no other */ ++ m->force_reuse = TRUE; ++ return TRUE; ++ } ++ return FALSE; /* get another */ ++ } ++ return TRUE; ++} ++#else ++#define url_match_auth_nego(c, m) ((void)c, (void)m, TRUE) ++#endif ++ + static bool url_match_conn(struct connectdata *conn, void *userdata) + { + struct url_conn_match *m = userdata; +@@ -1258,6 +1317,11 @@ static bool url_match_conn(struct connectdata *conn, void *userdata) + else if(m->force_reuse) + return TRUE; + ++ if(!url_match_auth_nego(conn, m)) ++ return FALSE; ++ else if(m->force_reuse) ++ return TRUE; ++ + if(!url_match_multiplex_limits(conn, m)) + return FALSE; + +@@ -1324,13 +1388,26 @@ ConnectionExists(struct Curl_easy *data, + match.may_multiplex = xfer_may_multiplex(data, needle); + + #ifdef USE_NTLM +- match.want_ntlm_http = ((data->state.authhost.want & CURLAUTH_NTLM) && +- (needle->handler->protocol & PROTO_FAMILY_HTTP)); ++ match.want_ntlm_http = ++ (data->state.authhost.want & CURLAUTH_NTLM) && ++ (needle->handler->protocol & PROTO_FAMILY_HTTP); + #ifndef CURL_DISABLE_PROXY + match.want_proxy_ntlm_http = +- (needle->bits.proxy_user_passwd && +- (data->state.authproxy.want & CURLAUTH_NTLM) && +- (needle->handler->protocol & PROTO_FAMILY_HTTP)); ++ needle->bits.proxy_user_passwd && ++ (data->state.authproxy.want & CURLAUTH_NTLM) && ++ (needle->handler->protocol & PROTO_FAMILY_HTTP); ++#endif ++#endif ++ ++#if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO) ++ match.want_nego_http = ++ (data->state.authhost.want & CURLAUTH_NEGOTIATE) && ++ (needle->scheme->protocol & PROTO_FAMILY_HTTP); ++#ifndef CURL_DISABLE_PROXY ++ match.want_proxy_nego_http = ++ needle->bits.proxy_user_passwd && ++ (data->state.authproxy.want & CURLAUTH_NEGOTIATE) && ++ (needle->scheme->protocol & PROTO_FAMILY_HTTP); + #endif + #endif + diff --git a/meta/recipes-support/curl/curl/CVE-2026-1965-02.patch b/meta/recipes-support/curl/curl/CVE-2026-1965-02.patch new file mode 100644 index 0000000000..e945b83b24 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2026-1965-02.patch @@ -0,0 +1,29 @@ +From f1a39f221d57354990e3eeeddc3404aede2aff70 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <[email protected]> +Date: Sat, 21 Feb 2026 18:11:41 +0100 +Subject: [PATCH] url: fix copy and paste url_match_auth_nego mistake + +Follow-up to 34fa034 +Reported-by: dahmono on github +Closes #20662 + +CVE: CVE-2026-1965 +Upstream-Status: Backport [https://github.com/curl/curl/commit/f1a39f221d57354990e3eeeddc3404aede2aff70] +Signed-off-by: Peter Marko <[email protected]> +--- + lib/url.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/url.c b/lib/url.c +index c879a85e92..8b42aebade 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1253,7 +1253,7 @@ static bool url_match_auth_nego(struct connectdata *conn, + return FALSE; + } + #endif +- if(m->want_ntlm_http || m->want_proxy_ntlm_http) { ++ if(m->want_nego_http || m->want_proxy_nego_http) { + /* Credentials are already checked, we may use this connection. We MUST + * use a connection where it has already been fully negotiated. If it has + * not, we keep on looking for a better one. */ diff --git a/meta/recipes-support/curl/curl_8.17.0.bb b/meta/recipes-support/curl/curl_8.17.0.bb index 739838c3e8..06f4353134 100644 --- a/meta/recipes-support/curl/curl_8.17.0.bb +++ b/meta/recipes-support/curl/curl_8.17.0.bb @@ -20,6 +20,8 @@ SRC_URI = " \ file://CVE-2025-14819.patch \ file://CVE-2025-15079.patch \ file://CVE-2025-15224.patch \ + file://CVE-2026-1965-01.patch \ + file://CVE-2026-1965-02.patch \ " SRC_URI:append:class-nativesdk = " \
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#233007): https://lists.openembedded.org/g/openembedded-core/message/233007 Mute This Topic: https://lists.openembedded.org/mt/118288865/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
