Hi Fabien Thomas,

Thanks for providing the feedback.
On Fri, Mar 20, 2026 at 7:59 PM Fabien Thomas <[email protected]> wrote: > On Fri Mar 20, 2026 at 8:56 AM CET, Vijay Anusuri via > lists.openembedded.org wrote: > > From: Vijay Anusuri <[email protected]> > > > > import patch from ubuntu to fix > > CVE-2026-3784 > > > > Upstream-Status: Backport [import from ubuntu > curl_7.81.0-1ubuntu1.23.debian.tar.xz > > Upstream commit > https://github.com/curl/curl/commit/5f13a7645e565c5c1a06f3] > > > > Reference: https://curl.se/docs/CVE-2026-3784.html > > https://ubuntu.com/security/CVE-2026-3784 > > > > Signed-off-by: Vijay Anusuri <[email protected]> > > --- > > .../curl/curl/CVE-2026-3784.patch | 74 +++++++++++++++++++ > > meta/recipes-support/curl/curl_7.82.0.bb | 1 + > > 2 files changed, 75 insertions(+) > > create mode 100644 meta/recipes-support/curl/curl/CVE-2026-3784.patch > > > > diff --git a/meta/recipes-support/curl/curl/CVE-2026-3784.patch > b/meta/recipes-support/curl/curl/CVE-2026-3784.patch > > new file mode 100644 > > index 0000000000..8f3d56bab9 > > --- /dev/null > > +++ b/meta/recipes-support/curl/curl/CVE-2026-3784.patch 
> > @@ -0,0 +1,74 @@ > > +Backport of: > > + > > +From 5f13a7645e565c5c1a06f3ef86e97afb856fb364 Mon Sep 17 00:00:00 2001 > > +From: Stefan Eissing <[email protected]> > > +Date: Fri, 6 Mar 2026 14:54:09 +0100 > > +Subject: [PATCH] proxy-auth: additional tests > > + > > +Also eliminate the special handling for socks proxy match. > > + > > +Closes #20837 > > + > > +Upstream-Status: Backport [import from ubuntu > curl_7.81.0-1ubuntu1.23.debian.tar.xz > > +Upstream commit > https://github.com/curl/curl/commit/5f13a7645e565c5c1a06f3] > > +CVE: CVE-2026-3784 > > +Signed-off-by: Vijay Anusuri <[email protected]> > > +--- > > + lib/url.c | 28 +++++++--------------------- > > + tests/http/test_13_proxy_auth.py | 20 ++++++++++++++++++++ > > + tests/http/testenv/curl.py | 18 +++++++++++++++--- > > + 3 files changed, 42 insertions(+), 24 deletions(-) > > + > > +--- a/lib/url.c > > ++++ b/lib/url.c > > +@@ -930,33 +930,15 @@ proxy_info_matches(const struct proxy_in > > + { > > + if((data->proxytype == needle->proxytype) && > > + (data->port == needle->port) && > > +- Curl_safe_strcasecompare(data->host.name, needle->host.name)) > > +- return TRUE; > > ++ curl_strequal(data->host.name, needle->host.name)) { > > + > > ++ if(Curl_timestrcmp(data->user, needle->user) || > > ++ Curl_timestrcmp(data->passwd, needle->passwd)) > > ++ return FALSE; > > ++ return TRUE; > > ++ } > > + return FALSE; > > + } > > +- > > +-static bool > > +-socks_proxy_info_matches(const struct proxy_info *data, > > +- const struct proxy_info *needle) > > +-{ > > +- if(!proxy_info_matches(data, needle)) > > +- return FALSE; > > +- > > +- /* the user information is case-sensitive > > +- or at least it is not defined as case-insensitive > > +- see https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.1 > */ > > +- > > +- /* curl_strequal does a case insentive comparison, so do not use it > here! 
*/ > > +- if(Curl_timestrcmp(data->user, needle->user) || > > +- Curl_timestrcmp(data->passwd, needle->passwd)) > > +- return FALSE; > > +- return TRUE; > > +-} > > +-#else > > +-/* disabled, won't get called */ > > +-#define proxy_info_matches(x,y) FALSE > > +-#define socks_proxy_info_matches(x,y) FALSE > > + #endif > > + > > + /* A connection has to have been idle for a shorter time than > 'maxage_conn' > > +@@ -1282,8 +1264,8 @@ ConnectionExists(struct Curl_easy *data, > > + continue; > > + > > + if(needle->bits.socksproxy && > > +- !socks_proxy_info_matches(&needle->socks_proxy, > > +- &check->socks_proxy)) > > ++ !proxy_info_matches(&needle->socks_proxy, > > ++ &check->socks_proxy)) > > + continue; > > + #endif > > + if(needle->bits.conn_to_host != check->bits.conn_to_host) > > diff --git a/meta/recipes-support/curl/curl_7.82.0.bb > b/meta/recipes-support/curl/curl_7.82.0.bb > > index 8fdd954c7e..c33183e096 100644 > > --- a/meta/recipes-support/curl/curl_7.82.0.bb > > +++ b/meta/recipes-support/curl/curl_7.82.0.bb 
> > @@ -74,6 +74,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \ > > file://CVE-2026-1965-1.patch \ > > file://CVE-2026-1965-2.patch \ > > file://CVE-2026-3783.patch \ > > + file://CVE-2026-3784.patch \ > > " > > SRC_URI[sha256sum] = > "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c" > >
>
> Hi Vijay,
>
> This is my general feedback on the whole curl patch series.
>
> I noticed quite big differences between the upstream commits you cited and the
> ones actually provided in this series. If these backports are from Ubuntu
> or Debian, please include the direct links to those commits as well.
>

--> The previous Ubuntu commit link (https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches?h=ubuntu/jammy-security) is currently not accessible. I’ve referenced the tarball version instead: https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/curl/7.81.0-1ubuntu1.23/curl_7.81.0-1ubuntu1.23.debian.tar.xz
Would it be okay if I include this download link in the patch?

> Additionally, your backport for CVE-2025-14524 ([PATCH 1/4]) differs
> from the one by Amaury Couderc, which has already been merged into
> scarthgap.
> Maybe it would be simpler to cherry-pick it?
>

--> Version in kirkstone is different from scarthgap. I will try to cherry-pick and send a V2 patch.

> One last detail regarding formatting: the last four patches include
> a 'Backport of' prefix in the patch header. While not strictly forbidden,
> this is unusual and adds unnecessary noise.
> Could you please remove these headers next time?
>

--> Sure. I will remove those unusual headers.

> Thanks.
>
> Regards,
> --
> Fabien Thomas
> Smile ECS

Thanks & Regards,
Vijay
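Review bot: the diffstat in the header of CVE-2026-3784.patch does not match the body that follows it. The stat lists "lib/url.c | 28", "tests/http/test_13_proxy_auth.py | 20", "tests/http/testenv/curl.py | 18" and "3 files changed, 42 insertions(+), 24 deletions(-)", yet only the two lib/url.c hunks are carried; regenerate the stat for what is actually applied (or state in the header that the upstream test changes were dropped) so the file is not misleading. In the same header the "Upstream commit" URL ends in the truncated id 5f13a7645e565c5c1a06f3 while the "From" line carries the full 5f13a7645e565c5c1a06f3ef86e97afb856fb364; use the full hash in the link, and as Fabien asked, drop the "Backport of:" prefix.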
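Review bot: the lib/url.c hunk at @@ -930 changes the host-name comparison in proxy_info_matches() from Curl_safe_strcasecompare() to curl_strequal(). The removed Curl_safe_strcasecompare() is the NULL-tolerant variant; before applying this to the 7.82.0 tree in kirkstone, confirm that curl_strequal() there also accepts a NULL argument, otherwise a proxy_info whose host.name is NULL would now be dereferenced where it previously compared safely. The credential check with Curl_timestrcmp() moved in from the deleted socks_proxy_info_matches() is the substantive fix, and because the second hunk at @@ -1282 routes the socks path through proxy_info_matches(), that path keeps the user/password comparison while every other caller of proxy_info_matches() gains it; a one-line note in the header saying so would make the backport easier to review against upstream.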
