On Tue Jun 23, 2026 at 9:48 AM CEST, Jaipaul Cheernam via lists.openembedded.org wrote: > libcurl's SMB handler marks connections for reuse (connkeep) without > verifying that subsequent requests target the same share. This allows > a second SMB request to the same host to reuse a connection > authenticated for a different share, potentially accessing data > without proper authorization. > > The upstream fix removes connection reuse for SMB entirely in > lib/protocol.c, a file introduced in curl 8.20.0. For 8.7.1, the > equivalent fix is changing connkeep() to connclose() in lib/smb.c, > which prevents the connection from being returned to the pool. > > Tested with SMBv1 server (Docker dperson/samba): > Without patch: "Re-using existing connection" for different shares > With patch: New connection per request, no reuse > > Binary verified: Curl_conncontrol arg changes from 0 (KEEP) to 1 (CLOSE) > > Reference: https://curl.se/docs/CVE-2026-5773.html > > Signed-off-by: Jaipaul Cheernam <[email protected]> > ---
Hello, The backported commit is in curl 8.20 but wrynose is only in 8.19. Can you check if the fix is needed for wrynose (and send it there if that is the case)? Thanks! > .../curl/curl/CVE-2026-5773.patch | 30 +++++++++++++++++++ > meta/recipes-support/curl/curl_8.7.1.bb | 1 + > 2 files changed, 31 insertions(+) > create mode 100644 meta/recipes-support/curl/curl/CVE-2026-5773.patch > > diff --git a/meta/recipes-support/curl/curl/CVE-2026-5773.patch > b/meta/recipes-support/curl/curl/CVE-2026-5773.patch > new file mode 100644 > index 0000000000..a62b389d62 > --- /dev/null > +++ b/meta/recipes-support/curl/curl/CVE-2026-5773.patch > @@ -0,0 +1,30 @@ > +From 74a169575d6412dc0ff532acdf94de35a6c2a571 Mon Sep 17 00:00:00 2001 > +From: Daniel Stenberg <[email protected]> > +Date: Sun, 5 Apr 2026 18:23:35 +0200 > +Subject: [PATCH] smb: disable connection reuse > + > +Signed-off-by: Daniel Stenberg <[email protected]> > + > +CVE: CVE-2026-5773 > +Upstream-Status: Backport > [https://github.com/curl/curl/commit/74a169575d6412dc0ff532acdf94de35a6c2a571] > + > +(cherry picked from commit 74a169575d6412dc0ff532acdf94de35a6c2a571) > +Signed-off-by: Jaipaul Cheernam <[email protected]> > +--- > + lib/smb.c | 3 +-- > + 1 file changed, 1 insertion(+), 2 deletions(-) > + > +diff --git a/lib/smb.c b/lib/smb.c > +index 7c73cbcec..a1f5c9b31 100644 > +--- a/lib/smb.c > ++++ b/lib/smb.c > +@@ -461,8 +461,7 @@ static CURLcode smb_connect(struct Curl_easy *data, bool > *done) > + if(!smbc->send_buf) > + return CURLE_OUT_OF_MEMORY; > + > +- /* Multiple requests are allowed with this connection */ > +- connkeep(conn, "SMB default"); > ++ connclose(conn, "SMB default"); > + > + /* Parse the username, domain, and password */ > + slash = strchr(conn->user, '/'); > diff --git a/meta/recipes-support/curl/curl_8.7.1.bb > b/meta/recipes-support/curl/curl_8.7.1.bb > index 14d63d6373..d026731751 100644 > --- a/meta/recipes-support/curl/curl_8.7.1.bb > +++ b/meta/recipes-support/curl/curl_8.7.1.bb > @@ -36,6 +36,7 @@ SRC_URI = " \ > file://CVE-2026-1965-2.patch \ > file://CVE-2026-3783.patch \ > file://CVE-2026-3784.patch \ > + file://CVE-2026-5773.patch \ > " > > SRC_URI:append:class-nativesdk = " \ -- Yoann Congal Smile ECS
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#239339): https://lists.openembedded.org/g/openembedded-core/message/239339 Mute This Topic: https://lists.openembedded.org/mt/119937542/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
