From: Adarsh Jagadish Kamini <[email protected]> Backport patch to fix CVE-2026-6276. https://nvd.nist.gov/vuln/detail/CVE-2026-6276
The upstream fix moves cookiehost from the connection-scoped aptr struct to the per-request SingleRequest struct, preventing cookie data from leaking across reused handles. Adapted for curl 8.7.1: - Use Curl_safefree (renamed to curlx_safefree in later versions) - Use conn->host.name (changed to data->conn->host.name upstream) - Keep existing header parsing structure (refactored upstream) Upstream fix: https://github.com/curl/curl/commit/3a19987a87f393d9394fe5acc7643f6c263c92db Tested with ptest: Before: PASSED: 857, FAILED: 0, SKIPPED: 0 After: PASSED: 857, FAILED: 0, SKIPPED: 0 Signed-off-by: Adarsh Jagadish Kamini <[email protected]> --- .../curl/curl/CVE-2026-6276.patch | 129 ++++++++++++++++++ meta/recipes-support/curl/curl_8.7.1.bb | 1 + 2 files changed, 130 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2026-6276.patch diff --git a/meta/recipes-support/curl/curl/CVE-2026-6276.patch b/meta/recipes-support/curl/curl/CVE-2026-6276.patch new file mode 100644 index 0000000000..495d5e5dea --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2026-6276.patch @@ -0,0 +1,129 @@ +From ee81b4f4b2f8e7d1a49c92d8a470294ef7088045 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <[email protected]> +Date: Tue, 14 Apr 2026 08:51:44 +0200 +Subject: [PATCH] urldata: move cookiehost to struct SingleRequest + +To make it scoped for the single request appropriately. + +Reported-by: Muhamad Arga Reksapati + +Verify with libtest 2504: a custom Host *disabled* on reused handle + +Closes #21312 + +CVE: CVE-2026-6276 +Upstream-Status: Backport [https://github.com/curl/curl/commit/3a19987a87f393d9394fe5acc7643f6c263c92db] + +Signed-off-by: Adarsh Jagadish Kamini <[email protected]> +--- + lib/http.c | 16 ++++++++++------ + lib/request.c | 3 +++ + lib/request.h | 3 +++ + lib/url.c | 4 +++- + lib/urldata.h | 1 - + 5 files changed, 19 insertions(+), 8 deletions(-) + +diff --git a/lib/http.c b/lib/http.c +index b80bebf..b1f6040 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -1747,7 +1747,11 @@ CURLcode Curl_http_host(struct Curl_easy *data, struct connectdata *conn) + data->state.first_remote_port = conn->remote_port; + data->state.first_remote_protocol = conn->handler->protocol; + } ++ + Curl_safefree(aptr->host); ++#ifndef CURL_DISABLE_COOKIES ++ Curl_safefree(data->req.cookiehost); ++#endif + + ptr = Curl_checkheaders(data, STRCONST("Host")); + if(ptr && (!data->state.this_is_a_follow || +@@ -1782,8 +1786,8 @@ CURLcode Curl_http_host(struct Curl_easy *data, struct connectdata *conn) + if(colon) + *colon = 0; /* The host must not include an embedded port number */ + } +- Curl_safefree(aptr->cookiehost); +- aptr->cookiehost = cookiehost; ++ Curl_safefree(data->req.cookiehost); ++ data->req.cookiehost = cookiehost; + } + #endif + +@@ -2302,8 +2306,8 @@ CURLcode Curl_http_cookies(struct Curl_easy *data, + int count = 0; + + if(data->cookies && data->state.cookie_engine) { +- const char *host = data->state.aptr.cookiehost ? +- data->state.aptr.cookiehost : conn->host.name; ++ const char *host = data->req.cookiehost ? ++ data->req.cookiehost : conn->host.name; + const bool secure_context = + conn->handler->protocol&(CURLPROTO_HTTPS|CURLPROTO_WSS) || + strcasecompare("localhost", host) || +@@ -3121,8 +3125,8 @@ CURLcode Curl_http_header(struct Curl_easy *data, struct connectdata *conn, + if(v) { + /* If there is a custom-set Host: name, use it here, or else use + * real peer host name. */ +- const char *host = data->state.aptr.cookiehost? +- data->state.aptr.cookiehost:conn->host.name; ++ const char *host = data->req.cookiehost? ++ data->req.cookiehost:conn->host.name; + const bool secure_context = + conn->handler->protocol&(CURLPROTO_HTTPS|CURLPROTO_WSS) || + strcasecompare("localhost", host) || +diff --git a/lib/request.c b/lib/request.c +index b3b0582..9bede2e 100644 +--- a/lib/request.c ++++ b/lib/request.c +@@ -111,6 +111,9 @@ void Curl_req_hard_reset(struct SingleRequest *req, struct Curl_easy *data) + * free this safely without leaks. */ + Curl_safefree(req->p.http); + Curl_safefree(req->newurl); ++#ifndef CURL_DISABLE_COOKIES ++ Curl_safefree(req->cookiehost); ++#endif + Curl_client_reset(data); + if(req->sendbuf_init) + Curl_bufq_reset(&req->sendbuf); +diff --git a/lib/request.h b/lib/request.h +index 488fbdd..17d50a3 100644 +--- a/lib/request.h ++++ b/lib/request.h +@@ -118,6 +118,9 @@ struct SingleRequest { + #ifndef CURL_DISABLE_DOH + struct dohdata *doh; /* DoH specific data for this request */ + #endif ++#ifndef CURL_DISABLE_COOKIES ++ char *cookiehost; ++#endif + #ifndef CURL_DISABLE_COOKIES + unsigned char setcookies; + #endif +diff --git a/lib/url.c b/lib/url.c +index 76360c8..30f215f 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -313,7 +313,9 @@ CURLcode Curl_close(struct Curl_easy **datap) + Curl_safefree(data->state.aptr.rangeline); + Curl_safefree(data->state.aptr.ref); + Curl_safefree(data->state.aptr.host); +- Curl_safefree(data->state.aptr.cookiehost); ++#ifndef CURL_DISABLE_COOKIES ++ Curl_safefree(data->req.cookiehost); ++#endif + Curl_safefree(data->state.aptr.rtsp_transport); + Curl_safefree(data->state.aptr.user); + Curl_safefree(data->state.aptr.passwd); +diff --git a/lib/urldata.h b/lib/urldata.h +index b68d023..4fc595a 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1339,7 +1339,6 @@ struct UrlState { + char *rangeline; + char *ref; + char *host; +- char *cookiehost; + char *rtsp_transport; + char *te; /* TE: request header */ + diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb index 14d63d6373..4c2f0b4c5a 100644 --- a/meta/recipes-support/curl/curl_8.7.1.bb +++ b/meta/recipes-support/curl/curl_8.7.1.bb @@ -36,6 +36,7 @@ SRC_URI = " \ file://CVE-2026-1965-2.patch \ file://CVE-2026-3783.patch \ file://CVE-2026-3784.patch \ + file://CVE-2026-6276.patch \ " SRC_URI:append:class-nativesdk = " \ -- 2.34.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#237831): https://lists.openembedded.org/g/openembedded-core/message/237831 Mute This Topic: https://lists.openembedded.org/mt/119590594/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
