On Mon Jun 29, 2026 at 3:14 PM CEST, Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote: > From: Anil Dongare <[email protected]> > > Backport the upstream fix [1] for the netrc credential leak on redirect > described in [2] and tracked by [3]. > > [1] > https://github.com/curl/curl/commit/b4024bf808bd558026fdc6096e8457f199ace306 > [2] https://curl.se/docs/CVE-2026-6429.html > [3] https://nvd.nist.gov/vuln/detail/CVE-2026-6429 > > Signed-off-by: Anil Dongare <[email protected]> > --- > .../curl/curl/CVE-2026-6429.patch | 362 ++++++++++++++++++ > meta/recipes-support/curl/curl_8.19.0.bb | 1 + > 2 files changed, 363 insertions(+) > create mode 100644 meta/recipes-support/curl/curl/CVE-2026-6429.patch > > diff --git a/meta/recipes-support/curl/curl/CVE-2026-6429.patch > b/meta/recipes-support/curl/curl/CVE-2026-6429.patch > new file mode 100644 > index 0000000000..f4398e00f6 > --- /dev/null > +++ b/meta/recipes-support/curl/curl/CVE-2026-6429.patch > @@ -0,0 +1,362 @@ > +From b4024bf808bd558026fdc6096e8457f199ace306 Mon Sep 17 00:00:00 2001 > +From: Daniel Stenberg <[email protected]> > +Date: Thu, 16 Apr 2026 14:26:20 +0200 > +Subject: [PATCH] http: clear credentials better on redirect > + > +Verify with test 2506: netrc with redirect using proxy > + > +Updated test 998 which was wrong. > + > +Reported-by: Muhamad Arga Reksapati > + > +Closes #21345 > + > +CVE: CVE-2026-6429 > +Upstream-Status: Backport > [https://github.com/curl/curl/commit/b4024bf808bd558026fdc6096e8457f199ace306] > + > +Backport Changes: > +- curl 8.19.0 does not have Curl_url_same_origin(), so the same-origin > comparison is kept inline in Curl_http_follow(). > +- Adapted tests/data/Makefile.am and tests/libtest/Makefile.inc placement > for the wrynose test lists. > + > +(cherry picked from commit b4024bf808bd558026fdc6096e8457f199ace306) > +Signed-off-by: Anil Dongare <[email protected]> > +--- > + lib/http.c | 121 +++++++++++++++++++------------------ > + tests/data/Makefile.am | 2 +- > + tests/data/test2506 | 64 ++++++++++++++++++++ > + tests/data/test998 | 1 - > + tests/libtest/Makefile.inc | 2 +- > + tests/libtest/lib2506.c | 71 ++++++++++++++++++++++ > + 6 files changed, 198 insertions(+), 63 deletions(-) > + create mode 100644 tests/data/test2506 > + create mode 100644 tests/libtest/lib2506.c > + > +diff --git a/lib/http.c b/lib/http.c > +index b960d79..9ac96ad 100644 > +--- a/lib/http.c > ++++ b/lib/http.c > +@@ -1201,75 +1201,76 @@ CURLcode Curl_http_follow(struct Curl_easy *data, > const char *newurl, > + return CURLE_OUT_OF_MEMORY; > + } > + else { > +- uc = curl_url_get(data->state.uh, CURLUPART_URL, &follow_url, 0); > +- if(uc) > +- return Curl_uc_to_curlcode(uc); > +- > +- /* Clear auth if this redirects to a different port number or protocol, > +- unless permitted */ > +- if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) { > +- int port; > +- bool clear = FALSE; > ++ bool same_origin; > ++ CURLcode result; > ++ CURLU *u = curl_url(); > ++ char *oldscheme = NULL; > ++ char *oldhost = NULL; > ++ char *oldport = NULL; > ++ char *newscheme = NULL; > ++ char *newhost = NULL; > ++ char *newport = NULL; > ++ if(!u) > ++ return CURLE_OUT_OF_MEMORY; > + > +- if(data->set.use_port && data->state.allow_port) > +- /* a custom port is used */ > +- port = (int)data->set.use_port; > +- else { > +- curl_off_t value; > +- char *portnum; > +- const char *p; > +- uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum, > +- CURLU_DEFAULT_PORT); > +- if(uc) { > +- curlx_free(follow_url); > +- return Curl_uc_to_curlcode(uc); > +- } > +- p = portnum; > +- curlx_str_number(&p, &value, 0xffff); > +- port = (int)value; > +- curlx_free(portnum); > +- } > +- if(port != data->info.conn_remote_port) { > +- infof(data, "Clear auth, redirects to port from %u to %u", > +- data->info.conn_remote_port, port); > +- clear = TRUE; > +- } > +- else { > +- char *scheme; > +- const struct Curl_scheme *p; > +- uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0); > +- if(uc) { > +- curlx_free(follow_url); > +- return Curl_uc_to_curlcode(uc); > +- } > ++ uc = curl_url_set(u, CURLUPART_URL, Curl_bufref_ptr(&data->state.url), > ++ CURLU_URLENCODE | CURLU_ALLOW_SPACE); > ++ if(!uc) > ++ uc = curl_url_get(data->state.uh, CURLUPART_URL, &follow_url, 0); > ++ if(!uc) > ++ uc = curl_url_get(u, CURLUPART_SCHEME, &oldscheme, 0); > ++ if(!uc) > ++ uc = curl_url_get(u, CURLUPART_HOST, &oldhost, 0); > ++ if(!uc) > ++ uc = curl_url_get(u, CURLUPART_PORT, &oldport, CURLU_DEFAULT_PORT); > ++ if(!uc) > ++ uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &newscheme, 0); > ++ if(!uc) > ++ uc = curl_url_get(data->state.uh, CURLUPART_HOST, &newhost, 0); > ++ if(!uc) > ++ uc = curl_url_get(data->state.uh, CURLUPART_PORT, &newport, > ++ CURLU_DEFAULT_PORT); > ++ if(uc) { > ++ curl_url_cleanup(u); > ++ curlx_free(oldscheme); > ++ curlx_free(oldhost); > ++ curlx_free(oldport); > ++ curlx_free(newscheme); > ++ curlx_free(newhost); > ++ curlx_free(newport); > ++ curlx_free(follow_url); > ++ return Curl_uc_to_curlcode(uc); > ++ } > + > +- p = Curl_get_scheme(scheme); > +- if(p && (p->protocol != data->info.conn_protocol)) { > +- infof(data, "Clear auth, redirects scheme from %s to %s", > +- data->info.conn_scheme, scheme); > +- clear = TRUE; > +- } > +- curlx_free(scheme); > +- } > +- if(clear) { > +- CURLcode result = Curl_reset_userpwd(data); > +- if(result) { > +- curlx_free(follow_url); > +- return result; > +- } > +- Curl_safefree(data->state.aptr.user); > +- Curl_safefree(data->state.aptr.passwd); > ++ same_origin = strcasecompare(oldscheme, newscheme) && > ++ strcasecompare(oldhost, newhost) && > ++ !strcmp(oldport, newport);
That code (which is not in the upstream patch) failed to build on my machine: $ bitbake curl-native | ../../sources/curl-8.19.0/lib/http.c:1245:19: error: implicit declaration of function ‘strcasecompare’; did you mean ‘strcasecmp_l’? [-Wimplicit-function-declaration] | 1245 | same_origin = strcasecompare(oldscheme, newscheme) && | | ^~~~~~~~~~~~~~ | | strcasecmp_l Can you check please? Thanks! -- Yoann Congal Smile ECS
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#240101): https://lists.openembedded.org/g/openembedded-core/message/240101 Mute This Topic: https://lists.openembedded.org/mt/120029894/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
