Hi, thanks for pointing that out. I built another version of the patch, and while making minor changes I misplaced the patch file in the recipe. Will fix it in v2.
Thanks! ________________________________ From: Yoann Congal <[email protected]> Sent: Monday, June 8, 2026 16:06 To: Adarsh Jagadish Kamini <[email protected]>; [email protected] <[email protected]> Subject: Re: [OE-core][wrynose][PATCH] curl: fix CVE-2026-6276 On Tue Jun 2, 2026 at 4:06 PM CEST, Adarsh Jagadish Kamini via lists.openembedded.org wrote: > From: Adarsh Jagadish Kamini <[email protected]> > > Backport patch to fix CVE-2026-6276. > https://nvd.nist.gov/vuln/detail/CVE-2026-6276 > > Upstream fix: > https://github.com/curl/curl/commit/3a19987a87f393d9394fe5acc7643f6c263c92db > > Adapted for curl 8.19.0: > - Use Curl_safefree (upstream uses curlx_safefree, renamed in later versions) > - Drop req->userpwd/req->proxyuserpwd context (not yet moved to > SingleRequest in this version) > > Tested with ptest: > Before: PASSED: 1000, FAILED: 0, SKIPPED: 0 > After: PASSED: 1001, FAILED: 0, SKIPPED: 0 > > Signed-off-by: Adarsh Jagadish Kamini <[email protected]> > --- > .../curl/curl/CVE-2026-6276.patch | 315 ++++++++++++++++++ > meta/recipes-support/curl/curl_8.19.0.bb | 1 + > 2 files changed, 316 insertions(+) > create mode 100644 meta/recipes-support/curl/curl/CVE-2026-6276.patch > > diff --git a/meta/recipes-support/curl/curl/CVE-2026-6276.patch > b/meta/recipes-support/curl/curl/CVE-2026-6276.patch > new file mode 100644 > index 0000000000..68bec24e94 > --- /dev/null > +++ b/meta/recipes-support/curl/curl/CVE-2026-6276.patch 
> @@ -0,0 +1,315 @@ > +From 48d71bc976572aaf09c63ab86b5165762450a507 Mon Sep 17 00:00:00 2001 > +From: Daniel Stenberg <[email protected]> > +Date: Tue, 14 Apr 2026 08:51:44 +0200 > +Subject: [PATCH] urldata: move cookiehost to struct SingleRequest > + > +To make it scoped for the single request appropriately. > + > +Reported-by: Muhamad Arga Reksapati > + > +Verify with libtest 2504: a custom Host *disabled* on reused handle > + > +Closes #21312 > + > +CVE: CVE-2026-6276 > +Upstream-Status: Backport > [https://github.com/curl/curl/commit/3a19987a87f393d9394fe5acc7643f6c263c92db] > + > +Signed-off-by: Adarsh Jagadish Kamini <[email protected]> > +--- > + lib/http.c | 14 +++--- > + lib/request.c | 3 ++ > + lib/request.h | 3 ++ > + lib/url.c | 2 +- > + lib/urldata.h | 3 -- > + tests/data/Makefile.am | 2 +- > + tests/data/test2504 | 52 +++++++++++++++++++++ > + tests/libtest/Makefile.inc | 2 +- > + tests/libtest/lib2504.c | 93 ++++++++++++++++++++++++++++++++++++++ > + 9 files changed, 162 insertions(+), 12 deletions(-) > + create mode 100644 tests/data/test2504 > + create mode 100644 tests/libtest/lib2504.c > + > +diff --git a/lib/http.c b/lib/http.c > +index 188da5fd83..7ebbdfa551 100644 > +--- a/lib/http.c > ++++ b/lib/http.c > +@@ -2002,6 +2002,9 @@ static CURLcode http_set_aptr_host(struct Curl_easy > *data) > + data->state.first_remote_protocol = conn->scheme->protocol; > + } > + Curl_safefree(aptr->host); > ++#ifndef CURL_DISABLE_COOKIES > ++ Curl_safefree(data->req.cookiehost); > ++#endif > + > + ptr = Curl_checkheaders(data, STRCONST("Host")); > + if(ptr && (!data->state.this_is_a_follow || > +@@ -2037,8 +2040,7 @@ static CURLcode http_set_aptr_host(struct Curl_easy > *data) > + if(colon) > + *colon = 0; /* The host must not include an embedded port number > */ > + } > +- curlx_free(aptr->cookiehost); > +- aptr->cookiehost = cookiehost; > ++ data->req.cookiehost = cookiehost; > + } > + #endif > + > +@@ -2538,8 +2540,8 @@ static CURLcode http_cookies(struct 
Curl_easy *data, > + > + if(data->cookies && data->state.cookie_engine) { > + bool okay; > +- const char *host = data->state.aptr.cookiehost ? > +- data->state.aptr.cookiehost : data->conn->host.name; > ++ const char *host = data->req.cookiehost ? > ++ data->req.cookiehost : data->conn->host.name; > + Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE); > + result = Curl_cookie_getlist(data, data->conn, &okay, host, &list); > + if(!result && okay) { > +@@ -3545,8 +3547,8 @@ static CURLcode http_header_s(struct Curl_easy *data, > + if(v) { > + /* If there is a custom-set Host: name, use it here, or else use > + * real peer hostname. */ > +- const char *host = data->state.aptr.cookiehost ? > +- data->state.aptr.cookiehost : conn->host.name; > ++ const char *host = data->req.cookiehost ? > ++ data->req.cookiehost : conn->host.name; > + const bool secure_context = Curl_secure_context(conn, host); > + CURLcode result; > + Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE); > +diff --git a/lib/request.c b/lib/request.c > +index 66077530d7..765dbac058 100644 > +--- a/lib/request.c > ++++ b/lib/request.c > +@@ -113,6 +113,9 @@ void Curl_req_hard_reset(struct SingleRequest *req, > struct Curl_easy *data) > + struct curltime t0 = { 0, 0 }; > + > + Curl_safefree(req->newurl); > ++#ifndef CURL_DISABLE_COOKIES > ++ Curl_safefree(req->cookiehost); > ++#endif > + Curl_client_reset(data); > + if(req->sendbuf_init) > + Curl_bufq_reset(&req->sendbuf); > +diff --git a/lib/request.h b/lib/request.h > +index 5332d48538..6e4bd0fb6e 100644 > +--- a/lib/request.h > ++++ b/lib/request.h > +@@ -95,6 +95,9 @@ struct SingleRequest { > + char *newurl; /* Set to the new URL to use when a redirect or a retry > is > + wanted */ > + > ++#ifndef CURL_DISABLE_COOKIES > ++ char *cookiehost; > ++#endif > + #ifndef CURL_DISABLE_COOKIES > + unsigned char setcookies; > + #endif > +diff --git a/lib/url.c b/lib/url.c > +index ec0457bcdd..b9e308add2 100644 > +--- 
a/lib/url.c > ++++ b/lib/url.c > +@@ -304,7 +304,7 @@ CURLcode Curl_close(struct Curl_easy **datap) > + Curl_safefree(data->state.aptr.ref); > + Curl_safefree(data->state.aptr.host); > + #ifndef CURL_DISABLE_COOKIES > +- Curl_safefree(data->state.aptr.cookiehost); > ++ Curl_safefree(data->req.cookiehost); > + #endif > + #ifndef CURL_DISABLE_RTSP > + Curl_safefree(data->state.aptr.rtsp_transport); > +diff --git a/lib/urldata.h b/lib/urldata.h > +index 5ae148054b..d71337c8f6 100644 > +--- a/lib/urldata.h > ++++ b/lib/urldata.h > +@@ -1052,9 +1052,6 @@ struct UrlState { > + char *rangeline; > + char *ref; > + char *host; > +-#ifndef CURL_DISABLE_COOKIES > +- char *cookiehost; > +-#endif > + #ifndef CURL_DISABLE_RTSP > + char *rtsp_transport; > + #endif > +diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am > +index 53abf60901..da0f8f55d4 100644 > +--- a/tests/data/Makefile.am > ++++ b/tests/data/Makefile.am > +@@ -264,7 +264,7 @@ test2309 \ > + \ > + test2400 test2401 test2402 test2403 test2404 test2405 test2406 test2407 \ > + \ > +-test2500 test2501 test2502 test2503 \ > ++test2500 test2501 test2502 test2503 test2504 \ > + \ > + test2600 test2601 test2602 test2603 test2604 test2605 \ > + \ > +diff --git a/tests/data/test2504 b/tests/data/test2504 > +new file mode 100644 > +index 0000000000..8cec1c8210 > +--- /dev/null > ++++ b/tests/data/test2504 > +@@ -0,0 +1,52 @@ > ++<?xml version="1.0" encoding="US-ASCII"?> > ++<testcase> > ++<info> > ++<keywords> > ++HTTP > ++cookies > ++</keywords> > ++</info> > ++ > ++# Server-side > ++<reply> > ++<data crlf="headers" nocheck="yes"> > ++HTTP/1.1 200 OK > ++Date: Tue, 09 Nov 2010 14:49:00 GMT > ++Server: server.example.com > ++Content-Length: 47 > ++Set-Cookie: sid=SECRET123; Path=/ > ++ > ++file contents should appear once for each file > ++</data> > ++</reply> > ++ > ++# Client-side > ++<client> > ++<server> > ++http > ++</server> > ++<tool> > ++lib%TESTNUMBER > ++</tool> > ++<name> > ++custom Host with cookie, 
handle reuse, no custom Host: > ++</name> > ++<command> > ++http://%HOSTIP:%HTTPPORT > ++</command> > ++</client> > ++ > ++# Verify data after the test has been "shot" > ++<verify> > ++<protocol crlf="headers"> > ++GET / HTTP/1.1 > ++Host: victim.internal > ++Accept: */* > ++ > ++GET / HTTP/1.1 > ++Host: %HOSTIP:%HTTPPORT > ++Accept: */* > ++ > ++</protocol> > ++</verify> > ++</testcase> > +diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc > +index e3202804a9..2319bafe72 100644 > +--- a/tests/libtest/Makefile.inc > ++++ b/tests/libtest/Makefile.inc > +@@ -113,7 +113,7 @@ TESTS_C = \ > + lib2023.c lib2032.c lib2082.c \ > + lib2301.c lib2302.c lib2304.c lib2306.c lib2308.c lib2309.c \ > + lib2402.c lib2404.c lib2405.c \ > +- lib2502.c \ > ++ lib2502.c lib2504.c \ > + lib2700.c \ > + lib3010.c lib3025.c lib3026.c lib3027.c lib3033.c lib3034.c \ > + lib3100.c lib3101.c lib3102.c lib3103.c lib3104.c lib3105.c \ > +diff --git a/tests/libtest/lib2504.c b/tests/libtest/lib2504.c > +new file mode 100644 > +index 0000000000..72b965d6e6 > +--- /dev/null > ++++ b/tests/libtest/lib2504.c > +@@ -0,0 +1,93 @@ > ++/*************************************************************************** > ++ * _ _ ____ _ > ++ * Project ___| | | | _ \| | > ++ * / __| | | | |_) | | > ++ * | (__| |_| | _ <| |___ > ++ * \___|\___/|_| \_\_____| > ++ * > ++ * Copyright (C) Linus Nielsen Feltzing <[email protected]> > ++ * > ++ * This software is licensed as described in the file COPYING, which > ++ * you should have received as part of this distribution. The terms > ++ * are also available at https://curl.se/docs/copyright.html. > ++ * > ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell > ++ * copies of the Software, and permit persons to whom the Software is > ++ * furnished to do so, under the terms of the COPYING file. > ++ * > ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY > ++ * KIND, either express or implied. 
> ++ * > ++ * SPDX-License-Identifier: curl > ++ * > ++ > ***************************************************************************/ > ++#include "first.h" > ++ > ++#include "testtrace.h" > ++ > ++static size_t sink2504(char *ptr, size_t size, size_t nmemb, void *ud) > ++{ > ++ (void)ptr; > ++ (void)ud; > ++ return size * nmemb; > ++} > ++ > ++static void dump_cookies2504(CURL *h, const char *tag) > ++{ > ++ struct curl_slist *cookies = NULL; > ++ struct curl_slist *nc; > ++ CURLcode rc = curl_easy_getinfo(h, CURLINFO_COOKIELIST, &cookies); > ++ > ++ curl_mprintf("== %s ==\n", tag); > ++ if(rc) { > ++ curl_mprintf("getinfo error: %d\n", (int)rc); > ++ return; > ++ } > ++ for(nc = cookies; nc; nc = nc->next) > ++ puts(nc->data); > ++ curl_slist_free_all(cookies); > ++} > ++ > ++static CURLcode test_lib2504(const char *URL) > ++{ > ++ CURL *curl; > ++ CURLcode result = CURLE_OUT_OF_MEMORY; > ++ struct curl_slist *hdrs = NULL; > ++ > ++ if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) { > ++ curl_mfprintf(stderr, "curl_global_init() failed\n"); > ++ return TEST_ERR_MAJOR_BAD; > ++ } > ++ > ++ curl = curl_easy_init(); > ++ if(!curl) { > ++ curl_mfprintf(stderr, "curl_easy_init() failed\n"); > ++ curl_global_cleanup(); > ++ return TEST_ERR_MAJOR_BAD; > ++ } > ++ > ++ hdrs = curl_slist_append(hdrs, "Host: victim.internal"); > ++ if(hdrs) { > ++ test_setopt(curl, CURLOPT_WRITEFUNCTION, sink2504); > ++ test_setopt(curl, CURLOPT_COOKIEFILE, ""); > ++ test_setopt(curl, CURLOPT_HTTPHEADER, hdrs); > ++ test_setopt(curl, CURLOPT_URL, URL); > ++ > ++ result = curl_easy_perform(curl); > ++ curl_mprintf("req1=%d\n", (int)result); > ++ dump_cookies2504(curl, "after request 1"); > ++ > ++ test_setopt(curl, CURLOPT_HTTPHEADER, NULL); > ++ test_setopt(curl, CURLOPT_URL, URL); > ++ > ++ result = curl_easy_perform(curl); > ++ curl_mprintf("req2=%d\n", (int)result); > ++ dump_cookies2504(curl, "after request 2"); > ++ } > ++test_cleanup: > ++ curl_slist_free_all(hdrs); > ++ 
curl_easy_cleanup(curl); > ++ curl_global_cleanup(); > ++ > ++ return result; > ++} > diff --git a/meta/recipes-support/curl/curl_8.19.0.bb > b/meta/recipes-support/curl/curl_8.19.0.bb > index b9251336b8..9bbbb5e36f 100644 > --- a/meta/recipes-support/curl/curl_8.19.0.bb > +++ b/meta/recipes-support/curl/curl_8.19.0.bb > @@ -161,6 +161,7 @@ RDEPENDS:${PN}-ptest += " \ > perl-module-memoize \ > perl-module-storable \ > perl-module-time-hires \ > + file://CVE-2026-6276.patch \ This should be in SRC_URI, not in RDEPENDS. Did you try to build this patch? Regards, > " > > PACKAGES =+ "lib${BPN}" -- Yoann Congal Smile ECS
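Review bot: In test_lib2504 in the new tests/libtest/lib2504.c, the CURLcode from the first curl_easy_perform() is only printed and is then overwritten by the second perform, so the function's return value never reflects a failed first request, which is the one whose reply carries the `Set-Cookie: sid=SECRET123` that the second request is checked against. A short guard after the first print, `if(result) goto test_cleanup;`, would make that failure fail the test instead of falling through to request 2. The `<verify>` section of test2504 inspects only the protocol dump, and the output of dump_cookies2504 is not pinned by a `<stdout>` section, so it is diagnostic only. Since this is a backport, keeping the test identical to upstream may be preferred; in that case the point is better carried as a comment in the v2 cover letter than as a local change to the file.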
