On Tue Jun 23, 2026 at 11:15 AM CEST, Jaipaul Cheernam wrote: > Hi Yoann, > > I am thinking about curl uplift from 8.19.0 to 8.20.0 in wrynose which will > fix below CVEs as well. > > Let me know if you have any comment on uplift ? > > 8.20.0 is a security release fixing 7 CVEs [1]: > > * CVE-2026-5773: wrong reuse of SMB connection > * CVE-2026-5545: wrong reuse of HTTP Negotiate connection > * CVE-2026-6253: proxy credentials leak over redirect-to proxy > * CVE-2026-6276: UPLOAD_BUFFERSIZE buffer overflow > * CVE-2026-4873: connection reuse ignores TLS requirement > * CVE-2026-7168: cross-proxy Digest auth state leak > * CVE-2026-6429: netrc credential leak with reused proxy connection > > ABI compatible as well.
In https://curl.se/ch/8.20.0.html I see: > Changes: > * async-thrdd: use thread queue for resolving > * build: make NTLM disabled by default > * cmake: drop support for CMake 3.17 and older > * lib: add thread pool and queue > * lib: drop support for < c-ares 1.16.0 > * lib: make SMB support opt-in > * multi.h: add CURLMNWC_CLEAR_ALL > * rtmp: drop support Quickly glancing at it, that look like changes not allowed under our stable policy. Sorry. > > > Regards, > Jaipaul Cheernam > > 🔗 EST Website<https://www.est.tech/> > 🔗 EST LinkedIn<https://www.linkedin.com/company/ericsson-software-technology/> > > From: Yoann Congal <[email protected]> > Date: Tuesday, 23 June 2026 at 10:07 > To: Jaipaul Cheernam <[email protected]>; > [email protected] > <[email protected]> > Subject: Re: [OE-core] [scarthgap][PATCH] curl: Fix CVE-2026-5773 - SMB > connection reuse across shares > > On Tue Jun 23, 2026 at 9:48 AM CEST, Jaipaul Cheernam via > lists.openembedded.org wrote: >> libcurl's SMB handler marks connections for reuse (connkeep) without >> verifying that subsequent requests target the same share. This allows >> a second SMB request to the same host to reuse a connection >> authenticated for a different share, potentially accessing data >> without proper authorization. >> >> The upstream fix removes connection reuse for SMB entirely in >> lib/protocol.c, a file introduced in curl 8.20.0. For 8.7.1, the >> equivalent fix is changing connkeep() to connclose() in lib/smb.c, >> which prevents the connection from being returned to the pool. >> >> Tested with SMBv1 server (Docker dperson/samba): >> Without patch: "Re-using existing connection" for different shares >> With patch: New connection per request, no reuse >> >> Binary verified: Curl_conncontrol arg changes from 0 (KEEP) to 1 (CLOSE) >> >> Reference: https://curl.se/docs/CVE-2026-5773.html >> >> Signed-off-by: Jaipaul Cheernam <[email protected]> >> --- > > Hello, > > The backported commit is in curl 8.20 but wrynose is only in 8.19. Can > you check if the fix is needed for wrynose (and send it there if that is > the case)? > > Thanks! > >> .../curl/curl/CVE-2026-5773.patch | 30 +++++++++++++++++++ >> meta/recipes-support/curl/curl_8.7.1.bb | 1 + >> 2 files changed, 31 insertions(+) >> create mode 100644 meta/recipes-support/curl/curl/CVE-2026-5773.patch >> >> diff --git a/meta/recipes-support/curl/curl/CVE-2026-5773.patch >> b/meta/recipes-support/curl/curl/CVE-2026-5773.patch >> new file mode 100644 >> index 0000000000..a62b389d62 >> --- /dev/null >> +++ b/meta/recipes-support/curl/curl/CVE-2026-5773.patch >> @@ -0,0 +1,30 @@ >> +From 74a169575d6412dc0ff532acdf94de35a6c2a571 Mon Sep 17 00:00:00 2001 >> +From: Daniel Stenberg <[email protected]> >> +Date: Sun, 5 Apr 2026 18:23:35 +0200 >> +Subject: [PATCH] smb: disable connection reuse >> + >> +Signed-off-by: Daniel Stenberg <[email protected]> >> + >> +CVE: CVE-2026-5773 >> +Upstream-Status: Backport >> [https://github.com/curl/curl/commit/74a169575d6412dc0ff532acdf94de35a6c2a571] >> + >> +(cherry picked from commit 74a169575d6412dc0ff532acdf94de35a6c2a571) >> +Signed-off-by: Jaipaul Cheernam <[email protected]> >> +--- >> + lib/smb.c | 3 +-- >> + 1 file changed, 1 insertion(+), 2 deletions(-) >> + >> +diff --git a/lib/smb.c b/lib/smb.c >> +index 7c73cbcec..a1f5c9b31 100644 >> +--- a/lib/smb.c >> ++++ b/lib/smb.c >> +@@ -461,8 +461,7 @@ static CURLcode smb_connect(struct Curl_easy *data, >> bool *done) >> + if(!smbc->send_buf) >> + return CURLE_OUT_OF_MEMORY; >> + >> +- /* Multiple requests are allowed with this connection */ >> +- connkeep(conn, "SMB default"); >> ++ connclose(conn, "SMB default"); >> + >> + /* Parse the username, domain, and password */ >> + slash = strchr(conn->user, '/'); >> diff --git a/meta/recipes-support/curl/curl_8.7.1.bb >> b/meta/recipes-support/curl/curl_8.7.1.bb >> index 14d63d6373..d026731751 100644 >> --- a/meta/recipes-support/curl/curl_8.7.1.bb >> +++ b/meta/recipes-support/curl/curl_8.7.1.bb >> @@ -36,6 +36,7 @@ SRC_URI = " \ >> file://CVE-2026-1965-2.patch \ >> file://CVE-2026-3783.patch \ >> file://CVE-2026-3784.patch \ >> + file://CVE-2026-5773.patch \ >> " >> >> SRC_URI:append:class-nativesdk = " \ > > > -- > Yoann Congal > Smile ECS -- Yoann Congal Smile ECS
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#239343): https://lists.openembedded.org/g/openembedded-core/message/239343 Mute This Topic: https://lists.openembedded.org/mt/119937542/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
