On Tue Jun 30, 2026 at 6:39 AM CEST, Jaipaul Cheernam wrote:
> Hi Yoann,
>
> I see that status in patchwork shows Changes Requested but I didn’t see any 
> response on this mail thread.
>
> Can you check?

That looks like a mistake on my part, sorry.
I guess I was confused with the wrynose patch getting a v3 but not this
one.

To avoid that, in the future, you could add a small patch changelog,
like you did here:
https://lore.kernel.org/all/[email protected]/

I've re-added the patch into my review queue.

Thanks!

>
> Regards,
> Jaipaul
> ________________________________
> From: [email protected] 
> <[email protected]> on behalf of Jaipaul Cheernam via 
> lists.openembedded.org <[email protected]>
> Sent: Wednesday, June 24, 2026 10:34 AM
> To: [email protected] 
> <[email protected]>
> Cc: Jaipaul Cheernam <[email protected]>
> Subject: [OE-core] [scarthgap][PATCH v2] curl: fix CVE-2026-5773 - wrong 
> reuse of SMB connection
>
> libcurl's SMB handler marks connections for reuse (connkeep) without
> verifying that subsequent requests target the same share. This allows
> a second SMB request to the same host to reuse a connection
> authenticated for a different share, potentially accessing data
> without proper authorization.
>
> The upstream fix removes connection reuse for SMB entirely in
> lib/protocol.c, a file introduced in curl 8.20.0. For 8.7.1, the
> equivalent fix is changing connkeep() to connclose() in lib/smb.c,
> which prevents the connection from being returned to the pool.
>
> Tested with SMBv1 server (Docker dperson/samba):
>   Without patch: "Re-using existing connection" for different shares
>   With patch: New connection per request, no reuse
>
> Binary verified: Curl_conncontrol arg changes from 0 (KEEP) to 1 (CLOSE)
>
> Reference: https://curl.se/docs/CVE-2026-5773.html
>
> Signed-off-by: Jaipaul Cheernam <[email protected]>
> ---
>  .../curl/curl/CVE-2026-5773.patch             | 41 +++++++++++++++++++
>  meta/recipes-support/curl/curl_8.7.1.bb       |  1 +
>  2 files changed, 42 insertions(+)
>  create mode 100644 meta/recipes-support/curl/curl/CVE-2026-5773.patch
>
> diff --git a/meta/recipes-support/curl/curl/CVE-2026-5773.patch 
> b/meta/recipes-support/curl/curl/CVE-2026-5773.patch
> new file mode 100644
> index 0000000000..0a5fa588fe
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2026-5773.patch
> @@ -0,0 +1,41 @@
> +From 74a169575d6412dc0ff532acdf94de35a6c2a571 Mon Sep 17 00:00:00 2001
> +From: Daniel Stenberg <[email protected]>
> +Date: Sun, 5 Apr 2026 18:23:35 +0200
> +Subject: [PATCH] protocol: disable connection reuse for SMB(S)
> +
> +Connections should only be reused when using the same "share" (and
> +perhaps some additional conditions), but instead of fixing this flaw,
> +this change completely disables connection reuse for SMB. This protocol
> +is about to get dropped soon anyway.
> +
> +Reported-by: Osama Hamad
> +Closes #21238
> +Signed-off-by: Daniel Stenberg <[email protected]>
> +
> +CVE: CVE-2026-5773
> +Upstream-Status: Backport 
> [https://github.com/curl/curl/commit/74a169575d6412dc0ff532acdf94de35a6c2a571]
> +
> +Note: The upstream fix targets lib/protocol.c which was introduced in
> +curl 8.20.0. In 8.7.1 the equivalent is changing connkeep() to
> +connclose() in lib/smb.c, which prevents the connection from being
> +returned to the pool. The effect is identical.
> +
> +Signed-off-by: Jaipaul Cheernam <[email protected]>
> +---
> + lib/smb.c | 3 +--
> + 1 file changed, 1 insertion(+), 2 deletions(-)
> +
> +diff --git a/lib/smb.c b/lib/smb.c
> +index 7c73cbcec..a1f5c9b31 100644
> +--- a/lib/smb.c
> ++++ b/lib/smb.c
> +@@ -461,8 +461,7 @@ static CURLcode smb_connect(struct Curl_easy *data, bool 
> *done)
> +   if(!smbc->send_buf)
> +     return CURLE_OUT_OF_MEMORY;
> +
> +-  /* Multiple requests are allowed with this connection */
> +-  connkeep(conn, "SMB default");
> ++  connclose(conn, "SMB default");
> +
> +   /* Parse the username, domain, and password */
> +   slash = strchr(conn->user, '/');
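
Review bot: the `connclose(conn, "SMB default");` line in the lib/smb.c hunk removes the old comment without replacing it, so nothing in the source explains why SMB connections are no longer kept. Add a one-line comment above the call naming CVE-2026-5773 and the reason (reuse was not checked against the share), so a later refresh of this backport does not turn it back into connkeep(). The header note says the effect is identical to upstream's lib/protocol.c change, but the hunk shows only this one call site; the note should also say whether any other path in 8.7.1's lib/smb.c can mark the connection for keeping.
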
> diff --git a/meta/recipes-support/curl/curl_8.7.1.bb 
> b/meta/recipes-support/curl/curl_8.7.1.bb
> index 14d63d6373..d026731751 100644
> --- a/meta/recipes-support/curl/curl_8.7.1.bb
> +++ b/meta/recipes-support/curl/curl_8.7.1.bb
> @@ -36,6 +36,7 @@ SRC_URI = " \
>      file://CVE-2026-1965-2.patch \
>      file://CVE-2026-3783.patch \
>      file://CVE-2026-3784.patch \
> +    file://CVE-2026-5773.patch \
>  "
>
>  SRC_URI:append:class-nativesdk = " \
> --
> 2.34.1


-- 
Yoann Congal
Smile ECS
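
The reuse decision described in the quoted commit message, as an added toy model in C that is not curl's code and not part of either mail or the patch. The pool, the three policies and the host and share names are constructed assumptions; matching on the host alone is a simplification, and the same-share policy models only the share condition the upstream message mentions, not its "additional conditions".

```c
/* Toy model of connection-pool reuse; NOT curl's code, all names are hypothetical. */
#include <stdio.h>
#include <string.h>

enum policy { KEEP_HOST_ONLY,   /* models connkeep(): reuse matched on host alone */
              KEEP_SAME_SHARE,  /* reuse only when the share also matches */
              CLOSE_ALWAYS };   /* models connclose(): never returned to the pool */
enum outcome { NEW_CONN, REUSED_SAME_SHARE, REUSED_OTHER_SHARE };

struct pooled_conn { int live; char host[64]; char share[64]; };
static struct pooled_conn pool[4];
#define POOL_SIZE (sizeof(pool) / sizeof(pool[0]))

/* One request: look for a reusable connection, otherwise open a new one. */
static enum outcome smb_request(const char *host, const char *share, enum policy p)
{
  for(size_t i = 0; i < POOL_SIZE; i++) {
    if(!pool[i].live || strcmp(pool[i].host, host))
      continue;
    int same = !strcmp(pool[i].share, share);
    if(p == KEEP_SAME_SHARE && !same)
      continue;                       /* wrong share: not a reuse candidate */
    return same ? REUSED_SAME_SHARE : REUSED_OTHER_SHARE;
  }
  if(p != CLOSE_ALWAYS)               /* keep the new connection for later requests */
    for(size_t i = 0; i < POOL_SIZE; i++)
      if(!pool[i].live) {
        pool[i].live = 1;
        snprintf(pool[i].host, sizeof(pool[i].host), "%s", host);
        snprintf(pool[i].share, sizeof(pool[i].share), "%s", share);
        break;
      }
  return NEW_CONN;
}

/* Replay a constructed request sequence to one host; count one outcome. */
static int count_outcome(enum policy p, enum outcome wanted)
{
  static const char *shares[] = { "public", "finance", "public", "finance" };
  int n = 0;
  memset(pool, 0, sizeof(pool));
  for(size_t i = 0; i < sizeof(shares) / sizeof(shares[0]); i++)
    n += smb_request("fileserver.example", shares[i], p) == wanted;
  return n;
}

int main(void)
{
  printf("host-only keep:  %d cross-share reuse(s)\n", count_outcome(KEEP_HOST_ONLY, REUSED_OTHER_SHARE));
  printf("same-share keep: %d cross-share reuse(s)\n", count_outcome(KEEP_SAME_SHARE, REUSED_OTHER_SHARE));
  printf("close always:    %d new connection(s)\n", count_outcome(CLOSE_ALWAYS, NEW_CONN));
  return 0;
}
```

The close-always policy removes the cross-share reuse at the cost of one new connection per request, which matches the "New connection per request, no reuse" result reported in the test notes.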
