On Fri Jul 3, 2026 at 11:25 AM CEST, Jaipaul Cheernam via 
lists.openembedded.org wrote:
> Remove PROTOPT_CONN_REUSE from SMB handler flags to prevent
> connection pooling. Without this, a second SMB request to the same
> host reuses a connection authenticated for a different share.
>
> Reference: https://curl.se/docs/CVE-2026-5773.html
>
> Signed-off-by: Jaipaul Cheernam <[email protected]>
> ---
> Changes v3 -> v4:
>   - Rebased on latest wrynose (5d1aa5c806c0)
>   - Refreshed patch context to eliminate fuzz on hunk #2
>
>  .../curl/curl/CVE-2026-5773.patch             | 48 +++++++++++++++++++
>  meta/recipes-support/curl/curl_8.19.0.bb      |  1 +
>  2 files changed, 49 insertions(+)
>  create mode 100644 meta/recipes-support/curl/curl/CVE-2026-5773.patch
>
> diff --git a/meta/recipes-support/curl/curl/CVE-2026-5773.patch 
> b/meta/recipes-support/curl/curl/CVE-2026-5773.patch
> new file mode 100644
> index 0000000000..1b60191da8
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2026-5773.patch
> @@ -0,0 +1,48 @@
> +From e5c7f93734345260820ca46b29db85f75d277399 Mon Sep 17 00:00:00 2001
> +From: Daniel Stenberg <[email protected]>
> +Date: Sun, 5 Apr 2026 18:23:35 +0200
> +Subject: [PATCH] protocol: disable connection reuse for SMB(S)
> +
> +Connections should only be reused when using the same "share" (and
> +perhaps some additional conditions), but instead of fixing this flaw,
> +this change completely disables connection reuse for SMB. This protocol
> +is about to get dropped soon anyway.
> +
> +Reported-by: Osama Hamad
> +Closes #21238
> +Signed-off-by: Daniel Stenberg <[email protected]>
> +
> +CVE: CVE-2026-5773
> +Upstream-Status: Backport 
> [https://github.com/curl/curl/commit/74a169575d6412dc0ff532acdf94de35a6c2a571]

Hello,

The referenced upstream patch does not have
"Signed-off-by: Daniel Stenberg <[email protected]>".
Why did you add it?

Regards,

> +
> +Note: The upstream fix targets lib/protocol.c which was introduced in
> +curl 8.20.0. In 8.19.0 the SMB handler flags are still in lib/smb.c,
> +so this patch removes PROTOPT_CONN_REUSE there instead. The effect is
> +identical: SMB connections are no longer pooled for reuse.
> +
> +Signed-off-by: Jaipaul Cheernam <[email protected]>
> +---
> + lib/smb.c | 4 ++--
> + 1 file changed, 2 insertions(+), 2 deletions(-)
> +
> +diff --git a/lib/smb.c b/lib/smb.c
> +index 00297ad..c15fdce 100644
> +--- a/lib/smb.c
> ++++ b/lib/smb.c
> +@@ -1242,7 +1242,7 @@ const struct Curl_scheme Curl_scheme_smb = {
> + #endif
> +   CURLPROTO_SMB,                        /* protocol */
> +   CURLPROTO_SMB,                        /* family */
> +-  PROTOPT_CONN_REUSE,                   /* flags */
> ++  PROTOPT_NONE,                         /* flags */
> +   PORT_SMB,                             /* defport */
> + };
> + 
> +@@ -1259,6 +1259,6 @@ const struct Curl_scheme Curl_scheme_smbs = {
> + #endif
> +   CURLPROTO_SMBS,                       /* protocol */
> +   CURLPROTO_SMB,                        /* family */
> +-  PROTOPT_SSL | PROTOPT_CONN_REUSE,     /* flags */
> ++  PROTOPT_SSL,                          /* flags */
> +   PORT_SMBS,                            /* defport */
> + };
> diff --git a/meta/recipes-support/curl/curl_8.19.0.bb 
> b/meta/recipes-support/curl/curl_8.19.0.bb
> index d58b774011..3326f478b5 100644
> --- a/meta/recipes-support/curl/curl_8.19.0.bb
> +++ b/meta/recipes-support/curl/curl_8.19.0.bb
> @@ -15,6 +15,7 @@ SRC_URI = " \
>      file://disable-tests \
>      file://no-test-timeout.patch \
>      file://CVE-2026-6276.patch \
> +    file://CVE-2026-5773.patch \
>      file://mbedtls.patch \
>  "
>  

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#240153): 
https://lists.openembedded.org/g/openembedded-core/message/240153
Mute This Topic: https://lists.openembedded.org/mt/120097219/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to