On Fri Mar 20, 2026 at 8:56 AM CET, Vijay Anusuri via lists.openembedded.org 
wrote:
> From: Vijay Anusuri <[email protected]>
>
> import patch from ubuntu to fix
>  CVE-2026-3784
>
> Upstream-Status: Backport [import from ubuntu 
> curl_7.81.0-1ubuntu1.23.debian.tar.xz
> Upstream commit https://github.com/curl/curl/commit/5f13a7645e565c5c1a06f3]
>
> Reference: https://curl.se/docs/CVE-2026-3784.html
>            https://ubuntu.com/security/CVE-2026-3784
>
> Signed-off-by: Vijay Anusuri <[email protected]>
> ---
>  .../curl/curl/CVE-2026-3784.patch             | 74 +++++++++++++++++++
>  meta/recipes-support/curl/curl_7.82.0.bb      |  1 +
>  2 files changed, 75 insertions(+)
>  create mode 100644 meta/recipes-support/curl/curl/CVE-2026-3784.patch
>
> diff --git a/meta/recipes-support/curl/curl/CVE-2026-3784.patch 
> b/meta/recipes-support/curl/curl/CVE-2026-3784.patch
> new file mode 100644
> index 0000000000..8f3d56bab9
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2026-3784.patch
> @@ -0,0 +1,74 @@
> +Backport of:
> +
> +From 5f13a7645e565c5c1a06f3ef86e97afb856fb364 Mon Sep 17 00:00:00 2001
> +From: Stefan Eissing <[email protected]>
> +Date: Fri, 6 Mar 2026 14:54:09 +0100
> +Subject: [PATCH] proxy-auth: additional tests
> +
> +Also eliminate the special handling for socks proxy match.
> +
> +Closes #20837
> +
> +Upstream-Status: Backport [import from ubuntu 
> curl_7.81.0-1ubuntu1.23.debian.tar.xz
> +Upstream commit https://github.com/curl/curl/commit/5f13a7645e565c5c1a06f3]
> +CVE: CVE-2026-3784
> +Signed-off-by: Vijay Anusuri <[email protected]>
> +---
> + lib/url.c                        | 28 +++++++---------------------
> + tests/http/test_13_proxy_auth.py | 20 ++++++++++++++++++++
> + tests/http/testenv/curl.py       | 18 +++++++++++++++---
> + 3 files changed, 42 insertions(+), 24 deletions(-)
> +
> +--- a/lib/url.c
> ++++ b/lib/url.c
> +@@ -930,33 +930,15 @@ proxy_info_matches(const struct proxy_in
> + {
> +   if((data->proxytype == needle->proxytype) &&
> +      (data->port == needle->port) &&
> +-     Curl_safe_strcasecompare(data->host.name, needle->host.name))
> +-    return TRUE;
> ++     curl_strequal(data->host.name, needle->host.name)) {
> + 
> ++    if(Curl_timestrcmp(data->user, needle->user) ||
> ++       Curl_timestrcmp(data->passwd, needle->passwd))
> ++      return FALSE;
> ++    return TRUE;
> ++  }
> +   return FALSE;
> + }
> +-
> +-static bool
> +-socks_proxy_info_matches(const struct proxy_info *data,
> +-                         const struct proxy_info *needle)
> +-{
> +-  if(!proxy_info_matches(data, needle))
> +-    return FALSE;
> +-
> +-  /* the user information is case-sensitive
> +-     or at least it is not defined as case-insensitive
> +-     see https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.1 */
> +-
> +-  /* curl_strequal does a case insentive comparison, so do not use it here! 
> */
> +-  if(Curl_timestrcmp(data->user, needle->user) ||
> +-     Curl_timestrcmp(data->passwd, needle->passwd))
> +-    return FALSE;
> +-  return TRUE;
> +-}
> +-#else
> +-/* disabled, won't get called */
> +-#define proxy_info_matches(x,y) FALSE
> +-#define socks_proxy_info_matches(x,y) FALSE
> + #endif
> + 
> + /* A connection has to have been idle for a shorter time than 'maxage_conn'
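Review bot: the merged proxy_info_matches replaces Curl_safe_strcasecompare with curl_strequal on host.name; Curl_safe_strcasecompare is the NULL-tolerant variant (two NULLs compare equal, one NULL compares unequal), so please confirm that curl_strequal in the 7.82.0 tree behaves the same on a NULL host.name, since the upstream commit targets a much newer tree. The hunk also drops the `#else` fallback that defined proxy_info_matches and socks_proxy_info_matches as FALSE when proxy support is compiled out, so every remaining caller must sit inside the guarded block; the ConnectionExists call site in the second hunk is followed by `#endif`, but any other caller in lib/url.c would now fail to compile in a proxy-less build. Finally, the removed lines already use Curl_timestrcmp, so this patch depends on an earlier backport having introduced it; stating which one in the header would help anyone reapplying the series.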
> +@@ -1282,8 +1264,8 @@ ConnectionExists(struct Curl_easy *data,
> +         continue;
> + 
> +       if(needle->bits.socksproxy &&
> +-        !socks_proxy_info_matches(&needle->socks_proxy,
> +-                                  &check->socks_proxy))
> ++        !proxy_info_matches(&needle->socks_proxy,
> ++                            &check->socks_proxy))
> +         continue;
> + #endif
> +       if(needle->bits.conn_to_host != check->bits.conn_to_host)
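Review bot: this ConnectionExists hunk only rewires the socks call site to proxy_info_matches; the commit message says the special socks handling is eliminated because the credential comparison now lives in proxy_info_matches for every proxy type, so please confirm that the http proxy comparison in the same function (outside the visible context) also goes through proxy_info_matches, otherwise the fix covers socks proxies only. Two header issues in the same file: the diffstat lists tests/http/test_13_proxy_auth.py and tests/http/testenv/curl.py, yet no hunks for them follow, so either carry the tests or trim the stat to the lib/url.c change; and the Upstream commit URL in the Upstream-Status line ends in a truncated hash (5f13a7645e565c5c1a06f3) while the From line carries the full 5f13a7645e565c5c1a06f3ef86e97afb856fb364.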
> diff --git a/meta/recipes-support/curl/curl_7.82.0.bb 
> b/meta/recipes-support/curl/curl_7.82.0.bb
> index 8fdd954c7e..c33183e096 100644
> --- a/meta/recipes-support/curl/curl_7.82.0.bb
> +++ b/meta/recipes-support/curl/curl_7.82.0.bb
> @@ -74,6 +74,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
>             file://CVE-2026-1965-1.patch \
>             file://CVE-2026-1965-2.patch \
>             file://CVE-2026-3783.patch \
> +           file://CVE-2026-3784.patch \
>             "
>  SRC_URI[sha256sum] = 
> "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
>  
Hi Vijay,

This is my general feedback on the whole curl patch series.

I noticed quite big differences between the upstream commits you cited and the 
ones actually provided in this series. If these backports are from Ubuntu 
or Debian, please include the direct links to those commits as well.

Additionally, your backport for CVE-2025-14524 ([PATCH 1/4]) differs 
from the one by Amaury Couderc, which has already been merged into scarthgap. 
Maybe it would be simpler to cherry-pick it?

One last detail regarding formatting: the last four patches include 
a 'Backport of' prefix in the patch header. While not strictly forbidden, 
this is unusual and adds unnecessary noise. 
Could you please remove these headers next time? 

Thanks.

Regards,
-- 
Fabien Thomas
Smile ECS
