From: Peter Marko <[email protected]> Pick patch from [1]. Additionally pick part of clenup patch which resolves conflicts.
[1] https://curl.se/docs/CVE-2026-3784.html Signed-off-by: Peter Marko <[email protected]> --- ...d-macros-warnings-and-related-tidy-u.patch | 44 +++++ .../curl/curl/CVE-2026-3784-02.patch | 162 ++++++++++++++++++ meta/recipes-support/curl/curl_8.17.0.bb | 2 + 3 files changed, 208 insertions(+) create mode 100644 meta/recipes-support/curl/curl/0001-build-fix-Wunused-macros-warnings-and-related-tidy-u.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2026-3784-02.patch diff --git a/meta/recipes-support/curl/curl/0001-build-fix-Wunused-macros-warnings-and-related-tidy-u.patch b/meta/recipes-support/curl/curl/0001-build-fix-Wunused-macros-warnings-and-related-tidy-u.patch new file mode 100644 index 0000000000..b4af8421f5 --- /dev/null +++ b/meta/recipes-support/curl/curl/0001-build-fix-Wunused-macros-warnings-and-related-tidy-u.patch @@ -0,0 +1,44 @@ +From 5fa5cb382560316a55f0954f1e8cebdbd6568cfb Mon Sep 17 00:00:00 2001 +From: Viktor Szakats <[email protected]> +Date: Fri, 13 Feb 2026 17:05:36 +0100 +Subject: [PATCH] build: fix `-Wunused-macros` warnings, and related tidy-ups + +- fix internal macro `AN_APPLE_OS` reused between sources without + resetting it. It may potentially have left the system sha256 + function unused. +- fix to define `WOLFSSL_OPTIONS_IGNORE_SYS` so that it always applies + to wolfSSL headers, also during feature detection. +- md4, md5, sha256: simplify fallback logic. +- delete 20+ unused macros. +- scope or move macros to avoid `-Wunused-macros` warnings. +- examples: delete unused code. + +The warning detects macros defined but not used within the same C +source. It does not warn for macros defined in headers. It also works +with unity builds, but to a lesser extent. + +Closes #20593 + +<picked only part relevant for CVE-2026-3784> + +Upstream-Status: Backport [https://github.com/curl/curl/commit/5fa5cb382560316a55f0954f1e8cebdbd6568cfb] +Signed-off-by: Peter Marko <[email protected]> +--- + lib/url.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index 3c0d913432..f0b6b0d5b2 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -639,10 +639,6 @@ socks_proxy_info_matches(const struct proxy_info *data, + return FALSE; + return TRUE; + } +-#else +-/* disabled, will not get called */ +-#define proxy_info_matches(x,y) FALSE +-#define socks_proxy_info_matches(x,y) FALSE + #endif + + /* A connection has to have been idle for less than 'conn_max_idle_ms' diff --git a/meta/recipes-support/curl/curl/CVE-2026-3784-02.patch b/meta/recipes-support/curl/curl/CVE-2026-3784-02.patch new file mode 100644 index 0000000000..84f37374c6 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2026-3784-02.patch @@ -0,0 +1,162 @@ +From 5f13a7645e565c5c1a06f3ef86e97afb856fb364 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing <[email protected]> +Date: Fri, 6 Mar 2026 14:54:09 +0100 +Subject: [PATCH] proxy-auth: additional tests + +Also eliminate the special handling for socks proxy match. + +Closes #20837 + +CVE: CVE-2026-3784 +Upstream-Status: Backport [https://github.com/curl/curl/commit/5f13a7645e565c5c1a06f3ef86e97afb856fb364] +Signed-off-by: Peter Marko <[email protected]> +--- + lib/url.c | 29 +++++++---------------------- + tests/http/test_13_proxy_auth.py | 20 ++++++++++++++++++++ + tests/http/testenv/curl.py | 18 +++++++++++++++--- + 3 files changed, 42 insertions(+), 25 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index eabeb776ab..bdc183b45b 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -615,30 +615,15 @@ proxy_info_matches(const struct proxy_info *data, + { + if((data->proxytype == needle->proxytype) && + (data->port == needle->port) && +- curl_strequal(data->host.name, needle->host.name)) ++ curl_strequal(data->host.name, needle->host.name)) { ++ ++ if(Curl_timestrcmp(data->user, needle->user) || ++ Curl_timestrcmp(data->passwd, needle->passwd)) ++ return FALSE; + return TRUE; +- ++ } + return FALSE; + } +- +-static bool +-socks_proxy_info_matches(const struct proxy_info *data, +- const struct proxy_info *needle) +-{ +- if(!proxy_info_matches(data, needle)) +- return FALSE; +- +- /* the user information is case-sensitive +- or at least it is not defined as case-insensitive +- see https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.1 */ +- +- /* curl_strequal does a case insensitive comparison, +- so do not use it here! */ +- if(Curl_timestrcmp(data->user, needle->user) || +- Curl_timestrcmp(data->passwd, needle->passwd)) +- return FALSE; +- return TRUE; +-} + #endif + + /* A connection has to have been idle for less than 'conn_max_idle_ms' +@@ -954,7 +939,7 @@ static bool url_match_proxy_use(struct connectdata *conn, + return FALSE; + + if(m->needle->bits.socksproxy && +- !socks_proxy_info_matches(&m->needle->socks_proxy, ++ !proxy_info_matches(&m->needle->socks_proxy, + &conn->socks_proxy)) + return FALSE; + +diff --git a/tests/http/test_13_proxy_auth.py b/tests/http/test_13_proxy_auth.py +index 080adef187..33fb211e99 100644 +--- a/tests/http/test_13_proxy_auth.py ++++ b/tests/http/test_13_proxy_auth.py +@@ -169,3 +169,23 @@ class TestProxyAuth: + '--negotiate', '--proxy-user', 'proxy:proxy' + ]) + r1.check_response(count=1, http_status=200) ++ ++ def test_13_10_tunnels_mixed_auth(self, env: Env, httpd, configures_httpd): ++ self.httpd_configure(env, httpd) ++ curl = CurlClient(env=env) ++ url1 = f'http://localhost:{env.http_port}/data.json?1' ++ url2 = f'http://localhost:{env.http_port}/data.json?2' ++ url3 = f'http://localhost:{env.http_port}/data.json?3' ++ xargs1 = curl.get_proxy_args(proxys=False, tunnel=True) ++ xargs1.extend(['--proxy-user', 'proxy:proxy']) # good auth ++ xargs2 = curl.get_proxy_args(proxys=False, tunnel=True) ++ xargs2.extend(['--proxy-user', 'ungood:ungood']) # bad auth ++ xargs3 = curl.get_proxy_args(proxys=False, tunnel=True) ++ # no auth ++ r = curl.http_download(urls=[url1, url2, url3], alpn_proto='http/1.1', with_stats=True, ++ url_options={url1: xargs1, url2: xargs2, url3: xargs3}) ++ # only url1 succeeds, others fail, no connection reuse ++ assert r.stats[0]['http_code'] == 200, f'{r.dump_logs()}' ++ assert r.stats[1]['http_code'] == 0, f'{r.dump_logs()}' ++ assert r.stats[2]['http_code'] == 0, f'{r.dump_logs()}' ++ assert r.total_connects == 3, f'{r.dump_logs()}' +diff --git a/tests/http/testenv/curl.py b/tests/http/testenv/curl.py +index 4fc11c7923..1f812a1c2e 100644 +--- a/tests/http/testenv/curl.py ++++ b/tests/http/testenv/curl.py +@@ -635,7 +635,8 @@ class CurlClient: + with_tcpdump: bool = False, + no_save: bool = False, + limit_rate: Optional[str] = None, +- extra_args: Optional[List[str]] = None): ++ extra_args: Optional[List[str]] = None, ++ url_options: Optional[Dict[str,List[str]]] = None): + if extra_args is None: + extra_args = [] + if no_save: +@@ -653,6 +654,7 @@ class CurlClient: + ]) + return self._raw(urls, alpn_proto=alpn_proto, options=extra_args, + with_stats=with_stats, ++ url_options=url_options, + with_headers=with_headers, + with_profile=with_profile, + with_tcpdump=with_tcpdump) +@@ -929,6 +931,7 @@ class CurlClient: + + def _raw(self, urls, intext='', timeout=None, options=None, insecure=False, + alpn_proto: Optional[str] = None, ++ url_options=None, + force_resolve=True, + with_stats=False, + with_headers=True, +@@ -938,7 +941,8 @@ class CurlClient: + args = self._complete_args( + urls=urls, timeout=timeout, options=options, insecure=insecure, + alpn_proto=alpn_proto, force_resolve=force_resolve, +- with_headers=with_headers, def_tracing=def_tracing) ++ with_headers=with_headers, def_tracing=def_tracing, ++ url_options=url_options) + r = self._run(args, intext=intext, with_stats=with_stats, + with_profile=with_profile, with_tcpdump=with_tcpdump) + if r.exit_code == 0 and with_headers: +@@ -948,8 +952,10 @@ class CurlClient: + def _complete_args(self, urls, timeout=None, options=None, + insecure=False, force_resolve=True, + alpn_proto: Optional[str] = None, ++ url_options=None, + with_headers: bool = True, + def_tracing: bool = True): ++ url_sep = [] + if not isinstance(urls, list): + urls = [urls] + +@@ -975,7 +981,13 @@ class CurlClient: + active_options = options[options.index('--next') + 1:] + + for url in urls: +- u = urlparse(urls[0]) ++ args.extend(url_sep) ++ if url_options is not None: ++ url_sep = ['--next'] ++ ++ u = urlparse(url) ++ if url_options is not None and url in url_options: ++ args.extend(url_options[url]) + if options: + args.extend(options) + if alpn_proto is not None: diff --git a/meta/recipes-support/curl/curl_8.17.0.bb b/meta/recipes-support/curl/curl_8.17.0.bb index 31d34c5390..7211c43afd 100644 --- a/meta/recipes-support/curl/curl_8.17.0.bb +++ b/meta/recipes-support/curl/curl_8.17.0.bb @@ -23,6 +23,8 @@ SRC_URI = " \ file://CVE-2026-1965-01.patch \ file://CVE-2026-1965-02.patch \ file://CVE-2026-3783.patch \ + file://0001-build-fix-Wunused-macros-warnings-and-related-tidy-u.patch \ + file://CVE-2026-3784-02.patch \ " SRC_URI:append:class-nativesdk = " \
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#233010): https://lists.openembedded.org/g/openembedded-core/message/233010 Mute This Topic: https://lists.openembedded.org/mt/118288868/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
