On Tue Jun 2, 2026 at 4:06 PM CEST, Adarsh Jagadish Kamini via
lists.openembedded.org wrote:
> From: Adarsh Jagadish Kamini <[email protected]>
>
> Backport patch to fix CVE-2026-6276.
> https://nvd.nist.gov/vuln/detail/CVE-2026-6276
>
> Upstream fix:
> https://github.com/curl/curl/commit/3a19987a87f393d9394fe5acc7643f6c263c92db
>
> Adapted for curl 8.19.0:
> - Use Curl_safefree (upstream uses curlx_safefree, renamed in later versions)
> - Drop req->userpwd/req->proxyuserpwd context (not yet moved to
> SingleRequest in this version)
>
> Tested with ptest:
> Before: PASSED: 1000, FAILED: 0, SKIPPED: 0
> After: PASSED: 1001, FAILED: 0, SKIPPED: 0
>
> Signed-off-by: Adarsh Jagadish Kamini <[email protected]>
> ---
> .../curl/curl/CVE-2026-6276.patch | 315 ++++++++++++++++++
> meta/recipes-support/curl/curl_8.19.0.bb | 1 +
> 2 files changed, 316 insertions(+)
> create mode 100644 meta/recipes-support/curl/curl/CVE-2026-6276.patch
>
> diff --git a/meta/recipes-support/curl/curl/CVE-2026-6276.patch
> b/meta/recipes-support/curl/curl/CVE-2026-6276.patch
> new file mode 100644
> index 0000000000..68bec24e94
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2026-6276.patch
> @@ -0,0 +1,315 @@
> +From 48d71bc976572aaf09c63ab86b5165762450a507 Mon Sep 17 00:00:00 2001
> +From: Daniel Stenberg <[email protected]>
> +Date: Tue, 14 Apr 2026 08:51:44 +0200
> +Subject: [PATCH] urldata: move cookiehost to struct SingleRequest
> +
> +To make it scoped for the single request appropriately.
> +
> +Reported-by: Muhamad Arga Reksapati
> +
> +Verify with libtest 2504: a custom Host *disabled* on reused handle
> +
> +Closes #21312
> +
> +CVE: CVE-2026-6276
> +Upstream-Status: Backport
> [https://github.com/curl/curl/commit/3a19987a87f393d9394fe5acc7643f6c263c92db]
> +
> +Signed-off-by: Adarsh Jagadish Kamini <[email protected]>
> +---
> + lib/http.c | 14 +++---
> + lib/request.c | 3 ++
> + lib/request.h | 3 ++
> + lib/url.c | 2 +-
> + lib/urldata.h | 3 --
> + tests/data/Makefile.am | 2 +-
> + tests/data/test2504 | 52 +++++++++++++++++++++
> + tests/libtest/Makefile.inc | 2 +-
> + tests/libtest/lib2504.c | 93 ++++++++++++++++++++++++++++++++++++++
> + 9 files changed, 162 insertions(+), 12 deletions(-)
> + create mode 100644 tests/data/test2504
> + create mode 100644 tests/libtest/lib2504.c
> +
> +diff --git a/lib/http.c b/lib/http.c
> +index 188da5fd83..7ebbdfa551 100644
> +--- a/lib/http.c
> ++++ b/lib/http.c
> +@@ -2002,6 +2002,9 @@ static CURLcode http_set_aptr_host(struct Curl_easy
> *data)
> + data->state.first_remote_protocol = conn->scheme->protocol;
> + }
> + Curl_safefree(aptr->host);
> ++#ifndef CURL_DISABLE_COOKIES
> ++ Curl_safefree(data->req.cookiehost);
> ++#endif
> +
> + ptr = Curl_checkheaders(data, STRCONST("Host"));
> + if(ptr && (!data->state.this_is_a_follow ||
> +@@ -2037,8 +2040,7 @@ static CURLcode http_set_aptr_host(struct Curl_easy
> *data)
> + if(colon)
> + *colon = 0; /* The host must not include an embedded port number
> */
> + }
> +- curlx_free(aptr->cookiehost);
> +- aptr->cookiehost = cookiehost;
> ++ data->req.cookiehost = cookiehost;
> + }
> + #endif
> +
> +@@ -2538,8 +2540,8 @@ static CURLcode http_cookies(struct Curl_easy *data,
> +
> + if(data->cookies && data->state.cookie_engine) {
> + bool okay;
> +- const char *host = data->state.aptr.cookiehost ?
> +- data->state.aptr.cookiehost : data->conn->host.name;
> ++ const char *host = data->req.cookiehost ?
> ++ data->req.cookiehost : data->conn->host.name;
> + Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE);
> + result = Curl_cookie_getlist(data, data->conn, &okay, host, &list);
> + if(!result && okay) {
> +@@ -3545,8 +3547,8 @@ static CURLcode http_header_s(struct Curl_easy *data,
> + if(v) {
> + /* If there is a custom-set Host: name, use it here, or else use
> + * real peer hostname. */
> +- const char *host = data->state.aptr.cookiehost ?
> +- data->state.aptr.cookiehost : conn->host.name;
> ++ const char *host = data->req.cookiehost ?
> ++ data->req.cookiehost : conn->host.name;
> + const bool secure_context = Curl_secure_context(conn, host);
> + CURLcode result;
> + Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE);
> +diff --git a/lib/request.c b/lib/request.c
> +index 66077530d7..765dbac058 100644
> +--- a/lib/request.c
> ++++ b/lib/request.c
> +@@ -113,6 +113,9 @@ void Curl_req_hard_reset(struct SingleRequest *req,
> struct Curl_easy *data)
> + struct curltime t0 = { 0, 0 };
> +
> + Curl_safefree(req->newurl);
> ++#ifndef CURL_DISABLE_COOKIES
> ++ Curl_safefree(req->cookiehost);
> ++#endif
> + Curl_client_reset(data);
> + if(req->sendbuf_init)
> + Curl_bufq_reset(&req->sendbuf);
> +diff --git a/lib/request.h b/lib/request.h
> +index 5332d48538..6e4bd0fb6e 100644
> +--- a/lib/request.h
> ++++ b/lib/request.h
> +@@ -95,6 +95,9 @@ struct SingleRequest {
> + char *newurl; /* Set to the new URL to use when a redirect or a retry
> is
> + wanted */
> +
> ++#ifndef CURL_DISABLE_COOKIES
> ++ char *cookiehost;
> ++#endif
> + #ifndef CURL_DISABLE_COOKIES
> + unsigned char setcookies;
> + #endif
> +diff --git a/lib/url.c b/lib/url.c
> +index ec0457bcdd..b9e308add2 100644
> +--- a/lib/url.c
> ++++ b/lib/url.c
> +@@ -304,7 +304,7 @@ CURLcode Curl_close(struct Curl_easy **datap)
> + Curl_safefree(data->state.aptr.ref);
> + Curl_safefree(data->state.aptr.host);
> + #ifndef CURL_DISABLE_COOKIES
> +- Curl_safefree(data->state.aptr.cookiehost);
> ++ Curl_safefree(data->req.cookiehost);
> + #endif
> + #ifndef CURL_DISABLE_RTSP
> + Curl_safefree(data->state.aptr.rtsp_transport);
> +diff --git a/lib/urldata.h b/lib/urldata.h
> +index 5ae148054b..d71337c8f6 100644
> +--- a/lib/urldata.h
> ++++ b/lib/urldata.h
> +@@ -1052,9 +1052,6 @@ struct UrlState {
> + char *rangeline;
> + char *ref;
> + char *host;
> +-#ifndef CURL_DISABLE_COOKIES
> +- char *cookiehost;
> +-#endif
> + #ifndef CURL_DISABLE_RTSP
> + char *rtsp_transport;
> + #endif
> +diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am
> +index 53abf60901..da0f8f55d4 100644
> +--- a/tests/data/Makefile.am
> ++++ b/tests/data/Makefile.am
> +@@ -264,7 +264,7 @@ test2309 \
> + \
> + test2400 test2401 test2402 test2403 test2404 test2405 test2406 test2407 \
> + \
> +-test2500 test2501 test2502 test2503 \
> ++test2500 test2501 test2502 test2503 test2504 \
> + \
> + test2600 test2601 test2602 test2603 test2604 test2605 \
> + \
> +diff --git a/tests/data/test2504 b/tests/data/test2504
> +new file mode 100644
> +index 0000000000..8cec1c8210
> +--- /dev/null
> ++++ b/tests/data/test2504
> +@@ -0,0 +1,52 @@
> ++<?xml version="1.0" encoding="US-ASCII"?>
> ++<testcase>
> ++<info>
> ++<keywords>
> ++HTTP
> ++cookies
> ++</keywords>
> ++</info>
> ++
> ++# Server-side
> ++<reply>
> ++<data crlf="headers" nocheck="yes">
> ++HTTP/1.1 200 OK
> ++Date: Tue, 09 Nov 2010 14:49:00 GMT
> ++Server: server.example.com
> ++Content-Length: 47
> ++Set-Cookie: sid=SECRET123; Path=/
> ++
> ++file contents should appear once for each file
> ++</data>
> ++</reply>
> ++
> ++# Client-side
> ++<client>
> ++<server>
> ++http
> ++</server>
> ++<tool>
> ++lib%TESTNUMBER
> ++</tool>
> ++<name>
> ++custom Host with cookie, handle reuse, no custom Host:
> ++</name>
> ++<command>
> ++http://%HOSTIP:%HTTPPORT
> ++</command>
> ++</client>
> ++
> ++# Verify data after the test has been "shot"
> ++<verify>
> ++<protocol crlf="headers">
> ++GET / HTTP/1.1
> ++Host: victim.internal
> ++Accept: */*
> ++
> ++GET / HTTP/1.1
> ++Host: %HOSTIP:%HTTPPORT
> ++Accept: */*
> ++
> ++</protocol>
> ++</verify>
> ++</testcase>
> +diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
> +index e3202804a9..2319bafe72 100644
> +--- a/tests/libtest/Makefile.inc
> ++++ b/tests/libtest/Makefile.inc
> +@@ -113,7 +113,7 @@ TESTS_C = \
> + lib2023.c lib2032.c lib2082.c \
> + lib2301.c lib2302.c lib2304.c lib2306.c lib2308.c lib2309.c \
> + lib2402.c lib2404.c lib2405.c \
> +- lib2502.c \
> ++ lib2502.c lib2504.c \
> + lib2700.c \
> + lib3010.c lib3025.c lib3026.c lib3027.c lib3033.c lib3034.c \
> + lib3100.c lib3101.c lib3102.c lib3103.c lib3104.c lib3105.c \
> +diff --git a/tests/libtest/lib2504.c b/tests/libtest/lib2504.c
> +new file mode 100644
> +index 0000000000..72b965d6e6
> +--- /dev/null
> ++++ b/tests/libtest/lib2504.c
> +@@ -0,0 +1,93 @@
> ++/***************************************************************************
> ++ * _ _ ____ _
> ++ * Project ___| | | | _ \| |
> ++ * / __| | | | |_) | |
> ++ * | (__| |_| | _ <| |___
> ++ * \___|\___/|_| \_\_____|
> ++ *
> ++ * Copyright (C) Linus Nielsen Feltzing <[email protected]>
> ++ *
> ++ * This software is licensed as described in the file COPYING, which
> ++ * you should have received as part of this distribution. The terms
> ++ * are also available at https://curl.se/docs/copyright.html.
> ++ *
> ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
> ++ * copies of the Software, and permit persons to whom the Software is
> ++ * furnished to do so, under the terms of the COPYING file.
> ++ *
> ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
> ++ * KIND, either express or implied.
> ++ *
> ++ * SPDX-License-Identifier: curl
> ++ *
> ++
> ***************************************************************************/
> ++#include "first.h"
> ++
> ++#include "testtrace.h"
> ++
> ++static size_t sink2504(char *ptr, size_t size, size_t nmemb, void *ud)
> ++{
> ++ (void)ptr;
> ++ (void)ud;
> ++ return size * nmemb;
> ++}
> ++
> ++static void dump_cookies2504(CURL *h, const char *tag)
> ++{
> ++ struct curl_slist *cookies = NULL;
> ++ struct curl_slist *nc;
> ++ CURLcode rc = curl_easy_getinfo(h, CURLINFO_COOKIELIST, &cookies);
> ++
> ++ curl_mprintf("== %s ==\n", tag);
> ++ if(rc) {
> ++ curl_mprintf("getinfo error: %d\n", (int)rc);
> ++ return;
> ++ }
> ++ for(nc = cookies; nc; nc = nc->next)
> ++ puts(nc->data);
> ++ curl_slist_free_all(cookies);
> ++}
> ++
> ++static CURLcode test_lib2504(const char *URL)
> ++{
> ++ CURL *curl;
> ++ CURLcode result = CURLE_OUT_OF_MEMORY;
> ++ struct curl_slist *hdrs = NULL;
> ++
> ++ if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) {
> ++ curl_mfprintf(stderr, "curl_global_init() failed\n");
> ++ return TEST_ERR_MAJOR_BAD;
> ++ }
> ++
> ++ curl = curl_easy_init();
> ++ if(!curl) {
> ++ curl_mfprintf(stderr, "curl_easy_init() failed\n");
> ++ curl_global_cleanup();
> ++ return TEST_ERR_MAJOR_BAD;
> ++ }
> ++
> ++ hdrs = curl_slist_append(hdrs, "Host: victim.internal");
> ++ if(hdrs) {
> ++ test_setopt(curl, CURLOPT_WRITEFUNCTION, sink2504);
> ++ test_setopt(curl, CURLOPT_COOKIEFILE, "");
> ++ test_setopt(curl, CURLOPT_HTTPHEADER, hdrs);
> ++ test_setopt(curl, CURLOPT_URL, URL);
> ++
> ++ result = curl_easy_perform(curl);
> ++ curl_mprintf("req1=%d\n", (int)result);
> ++ dump_cookies2504(curl, "after request 1");
> ++
> ++ test_setopt(curl, CURLOPT_HTTPHEADER, NULL);
> ++ test_setopt(curl, CURLOPT_URL, URL);
> ++
> ++ result = curl_easy_perform(curl);
> ++ curl_mprintf("req2=%d\n", (int)result);
> ++ dump_cookies2504(curl, "after request 2");
> ++ }
> ++test_cleanup:
> ++ curl_slist_free_all(hdrs);
> ++ curl_easy_cleanup(curl);
> ++ curl_global_cleanup();
> ++
> ++ return result;
> ++}
> diff --git a/meta/recipes-support/curl/curl_8.19.0.bb
> b/meta/recipes-support/curl/curl_8.19.0.bb
> index b9251336b8..9bbbb5e36f 100644
> --- a/meta/recipes-support/curl/curl_8.19.0.bb
> +++ b/meta/recipes-support/curl/curl_8.19.0.bb
> @@ -161,6 +161,7 @@ RDEPENDS:${PN}-ptest += " \
> perl-module-memoize \
> perl-module-storable \
> perl-module-time-hires \
> + file://CVE-2026-6276.patch \
This should be in SRC_URI, not in RDEPENDS. Did you try to build this
patch?
Regards,
> "
>
> PACKAGES =+ "lib${BPN}"
--
Yoann Congal
Smile ECS
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#238244):
https://lists.openembedded.org/g/openembedded-core/message/238244
Mute This Topic: https://lists.openembedded.org/mt/119612762/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
