git.ipfire.org Git - thirdparty/openembedded/openembedded-core-contrib.git/commit

author	Yogita Urade <yogita.urade@windriver.com>
	Wed, 24 Sep 2025 09:56:40 +0000 (15:26 +0530)
committer	Steve Sakoman <steve@sakoman.com>
	Fri, 26 Sep 2025 14:04:59 +0000 (07:04 -0700)
commit	dc842a631b178acd9c4f00c4a3b87831baf08ebb
tree	6f668821b9d5676b227e347956f96efbfb047e52	tree \| snapshot
parent	d6572d29892b7da593acafe3af68cf98230acf04	commit \| diff

curl: fix CVE-2025-9086

1, A cookie is set using the secure keyword for https://target
2, curl is redirected to or otherwise made to speak with http://target
(same hostname, but using clear text HTTP) using the same cookie set
3, The same cookie name is set - but with just a slash as path (path="/").
Since this site is not secure, the cookie should just be ignored.
4, A bug in the path comparison logic makes curl read outside a heap buffer boundary

The bug either causes a crash or it potentially makes the comparison come to
the wrong conclusion and lets the clear-text site override the contents of
the secure cookie, contrary to expectations and depending on the memory contents
immediately following the single-byte allocation that holds the path.

The presumed and correct behavior would be to plainly ignore the second set of
the cookie since it was already set as secure on a secure host so overriding
it on an insecure host should not be okay.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-9086

Upstream patch:
https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb6

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

meta/recipes-support/curl/curl/CVE-2025-9086.patch	[new file with mode: 0644]	blob
meta/recipes-support/curl/curl_7.82.0.bb		diff \| blob \| blame \| history