Hello,

On Tue Jun 23, 2026 at 2:08 PM CEST, Jaipaul Cheernam via 
lists.openembedded.org wrote:
> Remove PROTOPT_CONN_REUSE from SMB handler flags to prevent
> connection pooling. Without this, a second SMB request to the same
> host reuses a connection authenticated for a different share.

In the commit message, you should justify why the patch you are trying to
merge does indeed fix the CVE. You can use NVD, Debian security tracker
or upstream as an easy/natural reference (but others may be accepted). In
this case, all 3 point to your patch so you can choose. You can look at
other CVE fixing patches to get examples.

>
> Signed-off-by: Jaipaul Cheernam <[email protected]>
> ---


>  .../curl/curl/CVE-2026-5773.patch             | 44 +++++++++++++++++++
>  meta/recipes-support/curl/curl_8.19.0.bb      |  1 +
>  2 files changed, 45 insertions(+)
>  create mode 100644 meta/recipes-support/curl/curl/CVE-2026-5773.patch
>
> diff --git a/meta/recipes-support/curl/curl/CVE-2026-5773.patch 
> b/meta/recipes-support/curl/curl/CVE-2026-5773.patch
> new file mode 100644
> index 0000000000..c2984de5ff
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2026-5773.patch
> @@ -0,0 +1,44 @@
> +From 74a169575d6412dc0ff532acdf94de35a6c2a571 Mon Sep 17 00:00:00 2001
> +From: Daniel Stenberg <[email protected]>
> +Date: Sun, 5 Apr 2026 18:23:35 +0200
> +Subject: [PATCH] smb: disable connection reuse
> +
> +Connections should only be reused when using the same "share" (and
> +perhaps some additional conditions), but instead of fixing this flaw,
> +this change completely disables connection reuse for SMB.
> +
> +Reported-by: Osama Hamad
> +Closes #21238
> +
> +Signed-off-by: Daniel Stenberg <[email protected]>
> +
> +CVE: CVE-2026-5773
> +Upstream-Status: Backport 
> [https://github.com/curl/curl/commit/74a169575d6412dc0ff532acdf94de35a6c2a571]
> +
> +(cherry picked from commit 74a169575d6412dc0ff532acdf94de35a6c2a571)
    ^ that "cherry picked" line has no use here. You can remove it.

This patch is a little different from the upstream patch:
* Not the same file patched: please add a note explaining the changes
  and why you did them.
* Also, the patch message was edited: we don't usually do this: if you
  need to add info/context, keep them in a note section you add to the
  patch message, e.g. between Upstream-Status and your Signed-off-by.


With that fixed, the patch should be good to go, thanks!

> +Signed-off-by: Jaipaul Cheernam <[email protected]>
> +---
> + lib/smb.c | 4 ++--
> + 1 file changed, 2 insertions(+), 2 deletions(-)
> +
> +diff --git a/lib/smb.c b/lib/smb.c
> +index ccd4f3f69d..2a9f08388f 100644
> +--- a/lib/smb.c
> ++++ b/lib/smb.c
> +@@ -1242,7 +1242,7 @@
> + #endif
> +   CURLPROTO_SMB,                        /* protocol */
> +   CURLPROTO_SMB,                        /* family */
> +-  PROTOPT_CONN_REUSE,                   /* flags */
> ++  PROTOPT_NONE,                         /* flags */
> +   PORT_SMB,                             /* defport */
> + };
> + 
> +@@ -1259,7 +1259,7 @@
> + #endif
> +   CURLPROTO_SMBS,                       /* protocol */
> +   CURLPROTO_SMB,                        /* family */
> +-  PROTOPT_SSL | PROTOPT_CONN_REUSE,     /* flags */
> ++  PROTOPT_SSL,                          /* flags */
> +   PORT_SMBS,                            /* defport */
> + };
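
Review bot: the header of the new CVE-2026-5773.patch is tagged Upstream-Status: Backport but has no note saying how the lib/smb.c hunks at @@ -1242 and @@ -1259 were adapted, so the file on its own does not show that both the SMB and the SMBS handler entries lose PROTOPT_CONN_REUSE on purpose. Add a short note between Upstream-Status and the submitter's Signed-off-by listing what differs from the referenced commit, and drop the "(cherry picked from commit ...)" line, since the same hash is already given in Upstream-Status.
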
> diff --git a/meta/recipes-support/curl/curl_8.19.0.bb 
> b/meta/recipes-support/curl/curl_8.19.0.bb
> index d58b774011..3326f478b5 100644
> --- a/meta/recipes-support/curl/curl_8.19.0.bb
> +++ b/meta/recipes-support/curl/curl_8.19.0.bb
> @@ -15,6 +15,7 @@ SRC_URI = " \
>      file://disable-tests \
>      file://no-test-timeout.patch \
>      file://CVE-2026-6276.patch \
> +    file://CVE-2026-5773.patch \
>      file://mbedtls.patch \
>  "
>  
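
Review bot: the new file://CVE-2026-5773.patch entry is placed after CVE-2026-6276.patch and ahead of mbedtls.patch, and patches are applied in SRC_URI order. Confirm the patch applies without fuzz at that position, and mention in the commit message if the ordering relative to the other two patches matters.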


-- 
Yoann Congal
Smile ECS
