On Mon Jun 29, 2026 at 3:14 PM CEST, Anil Dongare -X (adongare - E INFOCHIPS 
PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote:
> From: Anil Dongare <[email protected]>
>
> Backport the upstream fix [1] for the netrc credential leak on redirect
> described in [2] and tracked by [3].
>
> [1] 
> https://github.com/curl/curl/commit/b4024bf808bd558026fdc6096e8457f199ace306
> [2] https://curl.se/docs/CVE-2026-6429.html
> [3] https://nvd.nist.gov/vuln/detail/CVE-2026-6429
>
> Signed-off-by: Anil Dongare <[email protected]>
> ---
>  .../curl/curl/CVE-2026-6429.patch             | 362 ++++++++++++++++++
>  meta/recipes-support/curl/curl_8.19.0.bb      |   1 +
>  2 files changed, 363 insertions(+)
>  create mode 100644 meta/recipes-support/curl/curl/CVE-2026-6429.patch
>
> diff --git a/meta/recipes-support/curl/curl/CVE-2026-6429.patch 
> b/meta/recipes-support/curl/curl/CVE-2026-6429.patch
> new file mode 100644
> index 0000000000..f4398e00f6
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2026-6429.patch
> @@ -0,0 +1,362 @@
> +From b4024bf808bd558026fdc6096e8457f199ace306 Mon Sep 17 00:00:00 2001
> +From: Daniel Stenberg <[email protected]>
> +Date: Thu, 16 Apr 2026 14:26:20 +0200
> +Subject: [PATCH] http: clear credentials better on redirect
> +
> +Verify with test 2506: netrc with redirect using proxy
> +
> +Updated test 998 which was wrong.
> +
> +Reported-by: Muhamad Arga Reksapati
> +
> +Closes #21345
> +
> +CVE: CVE-2026-6429
> +Upstream-Status: Backport 
> [https://github.com/curl/curl/commit/b4024bf808bd558026fdc6096e8457f199ace306]
> +
> +Backport Changes:
> +- curl 8.19.0 does not have Curl_url_same_origin(), so the same-origin 
> comparison is kept inline in Curl_http_follow().
> +- Adapted tests/data/Makefile.am and tests/libtest/Makefile.inc placement 
> for the wrynose test lists.
> +
> +(cherry picked from commit b4024bf808bd558026fdc6096e8457f199ace306)
> +Signed-off-by: Anil Dongare <[email protected]>
> +---
> + lib/http.c                 | 121 +++++++++++++++++++------------------
> + tests/data/Makefile.am     |   2 +-
> + tests/data/test2506        |  64 ++++++++++++++++++++
> + tests/data/test998         |   1 -
> + tests/libtest/Makefile.inc |   2 +-
> + tests/libtest/lib2506.c    |  71 ++++++++++++++++++++++
> + 6 files changed, 198 insertions(+), 63 deletions(-)
> + create mode 100644 tests/data/test2506
> + create mode 100644 tests/libtest/lib2506.c
> +
> +diff --git a/lib/http.c b/lib/http.c
> +index b960d79..9ac96ad 100644
> +--- a/lib/http.c
> ++++ b/lib/http.c
> +@@ -1201,75 +1201,76 @@ CURLcode Curl_http_follow(struct Curl_easy *data, 
> const char *newurl,
> +       return CURLE_OUT_OF_MEMORY;
> +   }
> +   else {
> +-    uc = curl_url_get(data->state.uh, CURLUPART_URL, &follow_url, 0);
> +-    if(uc)
> +-      return Curl_uc_to_curlcode(uc);
> +-
> +-    /* Clear auth if this redirects to a different port number or protocol,
> +-       unless permitted */
> +-    if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) {
> +-      int port;
> +-      bool clear = FALSE;
> ++    bool same_origin;
> ++    CURLcode result;
> ++    CURLU *u = curl_url();
> ++    char *oldscheme = NULL;
> ++    char *oldhost = NULL;
> ++    char *oldport = NULL;
> ++    char *newscheme = NULL;
> ++    char *newhost = NULL;
> ++    char *newport = NULL;
> ++    if(!u)
> ++      return CURLE_OUT_OF_MEMORY;
> + 
> +-      if(data->set.use_port && data->state.allow_port)
> +-        /* a custom port is used */
> +-        port = (int)data->set.use_port;
> +-      else {
> +-        curl_off_t value;
> +-        char *portnum;
> +-        const char *p;
> +-        uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum,
> +-                          CURLU_DEFAULT_PORT);
> +-        if(uc) {
> +-          curlx_free(follow_url);
> +-          return Curl_uc_to_curlcode(uc);
> +-        }
> +-        p = portnum;
> +-        curlx_str_number(&p, &value, 0xffff);
> +-        port = (int)value;
> +-        curlx_free(portnum);
> +-      }
> +-      if(port != data->info.conn_remote_port) {
> +-        infof(data, "Clear auth, redirects to port from %u to %u",
> +-              data->info.conn_remote_port, port);
> +-        clear = TRUE;
> +-      }
> +-      else {
> +-        char *scheme;
> +-        const struct Curl_scheme *p;
> +-        uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0);
> +-        if(uc) {
> +-          curlx_free(follow_url);
> +-          return Curl_uc_to_curlcode(uc);
> +-        }
> ++    uc = curl_url_set(u, CURLUPART_URL, Curl_bufref_ptr(&data->state.url),
> ++                      CURLU_URLENCODE | CURLU_ALLOW_SPACE);
> ++    if(!uc)
> ++      uc = curl_url_get(data->state.uh, CURLUPART_URL, &follow_url, 0);
> ++    if(!uc)
> ++      uc = curl_url_get(u, CURLUPART_SCHEME, &oldscheme, 0);
> ++    if(!uc)
> ++      uc = curl_url_get(u, CURLUPART_HOST, &oldhost, 0);
> ++    if(!uc)
> ++      uc = curl_url_get(u, CURLUPART_PORT, &oldport, CURLU_DEFAULT_PORT);
> ++    if(!uc)
> ++      uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &newscheme, 0);
> ++    if(!uc)
> ++      uc = curl_url_get(data->state.uh, CURLUPART_HOST, &newhost, 0);
> ++    if(!uc)
> ++      uc = curl_url_get(data->state.uh, CURLUPART_PORT, &newport,
> ++                        CURLU_DEFAULT_PORT);
> ++    if(uc) {
> ++      curl_url_cleanup(u);
> ++      curlx_free(oldscheme);
> ++      curlx_free(oldhost);
> ++      curlx_free(oldport);
> ++      curlx_free(newscheme);
> ++      curlx_free(newhost);
> ++      curlx_free(newport);
> ++      curlx_free(follow_url);
> ++      return Curl_uc_to_curlcode(uc);
> ++    }
> + 
> +-        p = Curl_get_scheme(scheme);
> +-        if(p && (p->protocol != data->info.conn_protocol)) {
> +-          infof(data, "Clear auth, redirects scheme from %s to %s",
> +-                data->info.conn_scheme, scheme);
> +-          clear = TRUE;
> +-        }
> +-        curlx_free(scheme);
> +-      }
> +-      if(clear) {
> +-        CURLcode result = Curl_reset_userpwd(data);
> +-        if(result) {
> +-          curlx_free(follow_url);
> +-          return result;
> +-        }
> +-        Curl_safefree(data->state.aptr.user);
> +-        Curl_safefree(data->state.aptr.passwd);
> ++    same_origin = strcasecompare(oldscheme, newscheme) &&
> ++                  strcasecompare(oldhost, newhost) &&
> ++                  !strcmp(oldport, newport);

That code (which is not in the upstream patch) failed to build on my
machine:
$ bitbake curl-native
| ../../sources/curl-8.19.0/lib/http.c:1245:19: error: implicit declaration of 
function ‘strcasecompare’; did you mean ‘strcasecmp_l’? 
[-Wimplicit-function-declaration]
|  1245 |     same_origin = strcasecompare(oldscheme, newscheme) &&
|       |                   ^~~~~~~~~~~~~~
|       |                   strcasecmp_l

Can you check please?

Thanks!
-- 
Yoann Congal
Smile ECS

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#240101): 
https://lists.openembedded.org/g/openembedded-core/message/240101
Mute This Topic: https://lists.openembedded.org/mt/120029894/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

  • ... Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
    • ... Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
      • ... Yoann Congal via lists.openembedded.org
    • ... Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
    • ... Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
      • ... Yoann Congal via lists.openembedded.org
        • ... Sudhir Dumbhare via lists.openembedded.org
    • ... Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
    • ... Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org

Reply via email to