On Fri Mar 20, 2026 at 4:18 PM CET, Vijay Anusuri via lists.openembedded.org wrote:
> Hi Fabien Thomas,
>
> Thanks for providing the feedback.
>
> On Fri, Mar 20, 2026 at 7:59 PM Fabien Thomas <[email protected]>
> wrote:
>
>> On Fri Mar 20, 2026 at 8:56 AM CET, Vijay Anusuri via
>> lists.openembedded.org wrote:
>> > From: Vijay Anusuri <[email protected]>
>> >
>> > import patch from ubuntu to fix
>> > CVE-2026-3784
>> >
>> > Upstream-Status: Backport [import from ubuntu curl_7.81.0-1ubuntu1.23.debian.tar.xz
>> > Upstream commit https://github.com/curl/curl/commit/5f13a7645e565c5c1a06f3]
>> >
>> > Reference: https://curl.se/docs/CVE-2026-3784.html
>> > https://ubuntu.com/security/CVE-2026-3784
>> >
>> > Signed-off-by: Vijay Anusuri <[email protected]>
>> > ---
>> > .../curl/curl/CVE-2026-3784.patch | 74 +++++++++++++++++++
>> > meta/recipes-support/curl/curl_7.82.0.bb | 1 +
>> > 2 files changed, 75 insertions(+)
>> > create mode 100644 meta/recipes-support/curl/curl/CVE-2026-3784.patch
>> >
>> > diff --git a/meta/recipes-support/curl/curl/CVE-2026-3784.patch >> b/meta/recipes-support/curl/curl/CVE-2026-3784.patch >> > new file mode 100644 >> > index 0000000000..8f3d56bab9 >> > --- /dev/null >> > +++ b/meta/recipes-support/curl/curl/CVE-2026-3784.patch 
>> > @@ -0,0 +1,74 @@ >> > +Backport of: >> > + >> > +From 5f13a7645e565c5c1a06f3ef86e97afb856fb364 Mon Sep 17 00:00:00 2001 >> > +From: Stefan Eissing <[email protected]> >> > +Date: Fri, 6 Mar 2026 14:54:09 +0100 >> > +Subject: [PATCH] proxy-auth: additional tests >> > + >> > +Also eliminate the special handling for socks proxy match. >> > + >> > +Closes #20837 >> > + >> > +Upstream-Status: Backport [import from ubuntu >> curl_7.81.0-1ubuntu1.23.debian.tar.xz >> > +Upstream commit >> https://github.com/curl/curl/commit/5f13a7645e565c5c1a06f3] >> > +CVE: CVE-2026-3784 >> > +Signed-off-by: Vijay Anusuri <[email protected]> >> > +--- >> > + lib/url.c | 28 +++++++--------------------- >> > + tests/http/test_13_proxy_auth.py | 20 ++++++++++++++++++++ >> > + tests/http/testenv/curl.py | 18 +++++++++++++++--- >> > + 3 files changed, 42 insertions(+), 24 deletions(-) >> > + >> > +--- a/lib/url.c >> > ++++ b/lib/url.c >> > +@@ -930,33 +930,15 @@ proxy_info_matches(const struct proxy_in >> > + { >> > + if((data->proxytype == needle->proxytype) && >> > + (data->port == needle->port) && >> > +- Curl_safe_strcasecompare(data->host.name, needle->host.name)) >> > +- return TRUE; >> > ++ curl_strequal(data->host.name, needle->host.name)) { >> > + >> > ++ if(Curl_timestrcmp(data->user, needle->user) || >> > ++ Curl_timestrcmp(data->passwd, needle->passwd)) >> > ++ return FALSE; >> > ++ return TRUE; >> > ++ } >> > + return FALSE; >> > + } >> > +- >> > +-static bool >> > +-socks_proxy_info_matches(const struct proxy_info *data, >> > +- const struct proxy_info *needle) >> > +-{ >> > +- if(!proxy_info_matches(data, needle)) >> > +- return FALSE; >> > +- >> > +- /* the user information is case-sensitive >> > +- or at least it is not defined as case-insensitive >> > +- see https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.1 >> */ >> > +- >> > +- /* curl_strequal does a case insentive comparison, so do not use it >> here! 
*/ >> > +- if(Curl_timestrcmp(data->user, needle->user) || >> > +- Curl_timestrcmp(data->passwd, needle->passwd)) >> > +- return FALSE; >> > +- return TRUE; >> > +-} >> > +-#else >> > +-/* disabled, won't get called */ >> > +-#define proxy_info_matches(x,y) FALSE >> > +-#define socks_proxy_info_matches(x,y) FALSE >> > + #endif >> > + >> > + /* A connection has to have been idle for a shorter time than >> 'maxage_conn' >> > +@@ -1282,8 +1264,8 @@ ConnectionExists(struct Curl_easy *data, >> > + continue; >> > + >> > + if(needle->bits.socksproxy && >> > +- !socks_proxy_info_matches(&needle->socks_proxy, >> > +- &check->socks_proxy)) >> > ++ !proxy_info_matches(&needle->socks_proxy, >> > ++ &check->socks_proxy)) >> > + continue; >> > + #endif >> > + if(needle->bits.conn_to_host != check->bits.conn_to_host) >> > diff --git a/meta/recipes-support/curl/curl_7.82.0.bb >> b/meta/recipes-support/curl/curl_7.82.0.bb >> > index 8fdd954c7e..c33183e096 100644 >> > --- a/meta/recipes-support/curl/curl_7.82.0.bb >> > +++ b/meta/recipes-support/curl/curl_7.82.0.bb 
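Review bot: in the proxy_info_matches hunk, the `#else` fallback (`#define proxy_info_matches(x,y) FALSE` and `#define socks_proxy_info_matches(x,y) FALSE`) is removed along with socks_proxy_info_matches, so with proxy support compiled out proxy_info_matches has no definition at all; the trailing `#endif` in the ConnectionExists hunk suggests its callers are already guarded, but please confirm every remaining call site sits under that guard and mention this removal in the header. The hunk also drops the comment explaining why credentials are compared with Curl_timestrcmp rather than a case-insensitive compare; keeping that comment next to the new `Curl_timestrcmp(data->user, needle->user)` lines would preserve the rationale for the case-sensitive, timing-safe comparison. Finally, the diffstat copied into the header (lib/url.c 28 lines, tests/http/test_13_proxy_auth.py, tests/http/testenv/curl.py, "3 files changed, 42 insertions(+), 24 deletions(-)") describes the upstream commit, while this backport carries only the lib/url.c hunks: either drop the stale diffstat or state that the tests were not backported.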
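Review bot: the ConnectionExists hunk switches the socks_proxy check from socks_proxy_info_matches to proxy_info_matches, which is consistent with the first hunk, but because proxy_info_matches now also compares user and passwd, every other caller of proxy_info_matches (the first hunk shows it already existed as a separate helper, so at least one other call site does) changes behaviour too, and none of that is visible here. Please state in the commit message which connection-reuse paths gain the credential comparison, so the relation to CVE-2026-3784 can be checked against the cited advisory.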
>> > @@ -74,6 +74,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \ >> > file://CVE-2026-1965-1.patch \ >> > file://CVE-2026-1965-2.patch \ >> > file://CVE-2026-3783.patch \ >> > + file://CVE-2026-3784.patch \ >> > " >> > SRC_URI[sha256sum] = >> "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c" >> >
>> Hi Vijay,
>>
>> This is my general feedback on the whole curl patch series.
>>
>> I noticed quite big differences between the upstream commits you cited and the
>> ones actually provided in this series. If these backports are from Ubuntu
>> or Debian, please include the direct links to those commits as well.
>>
> --> The previous Ubuntu commit link (
> https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches?h=ubuntu/jammy-security)
> is currently not accessible.
>
> I've referenced the tarball version instead:
> https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/curl/7.81.0-1ubuntu1.23/curl_7.81.0-1ubuntu1.23.debian.tar.xz
>
> Would it be okay if I include this download link in the patch?
How about:
> Upstream-Status: Backport
> [https://github.com/curl/curl/commit/5f13a7645e565c5c1a06f3ef86e97afb856fb364]
> Backported by Ubuntu team
> https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/curl/7.81.0-1ubuntu1.23/curl_7.81.0-1ubuntu1.23.debian.tar.xz

This way, we have traceability from upstream and we know where the patch
comes from. But beware, Ubuntu might have earlier patches that we do not
have. I will review differences between this patch and the upstream patch.
So, any needed context will be appreciated.

Thanks!

>> Additionally, your backport for CVE-2025-14524 ([PATCH 1/4]) differs
>> from the one by Amaury Couderc, which has already been merged into
>> scarthgap.
>> Maybe it would be simpler to cherry-pick it?
>>
>
> --> Version in kirkstone is different from scarthgap. I will try to
> cherry-pick and send a V2 patch.
>
>>
>> One last detail regarding formatting: the last four patches include
>> a 'Backport of' prefix in the patch header. While not strictly forbidden,
>> this is unusual and adds unnecessary noise.
>> Could you please remove these headers next time?
>>
>
> --> Sure. I will remove those unusual headers.
>
>>
>> Thanks.
>>
>> Regards,
>> --
>> Fabien Thomas
>> Smile ECS
>>
>>
> Thanks & Regards,
> Vijay

-- 
Yoann Congal
Smile ECS
