From 606dadfa99d47c4bd2cf3b022b047b0bcbcfcb86 Mon Sep 17 00:00:00 2001
From: Robert Joslyn
Date: Fri, 9 Jan 2026 06:33:11 -0800
Subject: [PATCH] curl: Update to 8.18.0

Addresses six CVEs from 8.17.0:
* CVE-2025-13034
* CVE-2025-14017
* CVE-2025-14524
* CVE-2025-14819
* CVE-2025-15079
* CVE-2025-15224

https://curl.se/ch/8.18.0.html

Signed-off-by: Robert Joslyn
Signed-off-by: Antonin Godard
Signed-off-by: Richard Purdie
---
 meta/recipes-support/curl/curl/no-test-timeout.patch | 9 +++++----
 .../curl/{curl_8.17.0.bb => curl_8.18.0.bb} | 2 +-
 2 files changed, 6 insertions(+), 5 deletions(-)
 rename meta/recipes-support/curl/{curl_8.17.0.bb => curl_8.18.0.bb} (98%)

diff --git a/meta/recipes-support/curl/curl/no-test-timeout.patch b/meta/recipes-support/curl/curl/no-test-timeout.patch
index 34e46fed6d..3ece55cab6 100644
--- a/meta/recipes-support/curl/curl/no-test-timeout.patch
+++ b/meta/recipes-support/curl/curl/no-test-timeout.patch
@@ -1,7 +1,8 @@
-From 42cddb52e821cfc2f09f1974742714e5f2f1856e Mon Sep 17 00:00:00 2001
+From 30fb6d1ce4cc721feef5665934f2b7f83fb50efb Mon Sep 17 00:00:00 2001
 From: Ross Burton
 Date: Fri, 15 Mar 2024 14:37:37 +0000
 Subject: [PATCH] Set the max-time timeout to 600 so the timeout is 10 minutes
+ instead of 13 seconds.

 Upstream-Status: Inappropriate

@@ -11,12 +12,12 @@ Signed-off-by: Ross Burton
 1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/tests/servers.pm b/tests/servers.pm
-index d4472d5..9999938 100644
+index 5d5d98b..442cfaf 100644
 --- a/tests/servers.pm
 +++ b/tests/servers.pm
-@@ -125,7 +125,7 @@ my $sshdverstr; # for socks server, ssh daemon version string
+@@ -124,7 +124,7 @@ my $sshdverstr; # for socks server, ssh daemon version string
 my $sshderror; # for socks server, ssh daemon version error
- my %doesntrun; # servers that don't work, identified by pidfile
+ my %doesntrun; # servers that do not work, identified by pidfile
 my %PORT = (nolisten => 47); # port we use for a local non-listening service
 -my $server_response_maxtime=13;
 +my $server_response_maxtime=600;
diff --git a/meta/recipes-support/curl/curl_8.17.0.bb b/meta/recipes-support/curl/curl_8.18.0.bb
similarity index 98%
rename from meta/recipes-support/curl/curl_8.17.0.bb
rename to meta/recipes-support/curl/curl_8.18.0.bb
index 315364902e..b94da348b7 100644
--- a/meta/recipes-support/curl/curl_8.17.0.bb
+++ b/meta/recipes-support/curl/curl_8.18.0.bb
@@ -20,7 +20,7 @@ SRC_URI:append:class-nativesdk = " \
 file://environment.d-curl.sh \
 "

-SRC_URI[sha256sum] = "955f6e729ad6b3566260e8fef68620e76ba3c31acf0a18524416a185acf77992"
+SRC_URI[sha256sum] = "40df79166e74aa20149365e11ee4c798a46ad57c34e4f68fd13100e2c9a91946"

 # Curl has used many names over the years...
 CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"
-- 
2.47.3