curl: fix CVE-2025-0167

When asked to use a `.netrc` file for credentials *and* to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a `default` entry that omits both login and password. A rare circumstance. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-0167 Upstream patch: https://github.com/curl/curl/commit/0e120c5b925e8ca75d5319e319e5ce4b8080d8eb (From OE-Core rev: 7c5aee3066e4c8056d994cd50b26c18a16316c96) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Yogita Urade <yogita.urade@windriver.com> 2025-07-08 14:27:29 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-07-14 08:37:40 -0700
commit: 022d6ec767487a52fc479e25ebad11012df01474 (patch)
tree: 56bbed17d31fd653077c779e1e73a360b13395d2
parent: 580a1571c4bc7341bd19b067b9e5a8bc4194b627 (diff)
download: poky-022d6ec767487a52fc479e25ebad11012df01474.tar.gz
2 files changed, 176 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2025-0167.patch b/meta/recipes-support/curl/curl/CVE-2025-0167.patch
new file mode 100644
index 0000000000..b803cff0d2
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2025-0167.patch
@@ -0,0 +1,175 @@
+From 0e120c5b925e8ca75d5319e319e5ce4b8080d8eb Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 3 Jan 2025 16:22:27 +0100
+Subject: [PATCH] netrc: 'default' with no credentials is not a match
+Test 486 verifies.
+Reported-by: Yihang Zhou
+Closes #15908
+Changes:
+- Test files are added in Makefile.inc.
+- Adjust `%LOGDIR/` to 'log/' due to its absence in code.
+CVE: CVE-2025-0167
+Upstream-Status: Backport [https://github.com/curl/curl/commit/0e120c5b925e8ca75d5319e319e5ce4b8080d8eb]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ lib/netrc.c            |   7 ++-
+ tests/data/Makefile.in |   2 +
+ tests/data/test486     | 105 +++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 113 insertions(+), 1 deletion(-)
+ create mode 100644 tests/data/test486
+diff --git a/lib/netrc.c b/lib/netrc.c
+index 23080b3..6d87007 100644
+--- a/lib/netrc.c
+++ b/lib/netrc.c
+@@ -205,12 +205,17 @@ static int parsenetrc(const char *host,
+     } /* while fgets() */
+     out:
+-    if(!retcode && !password && our_login) {
+  if(!retcode) {
+    if(!password && our_login) {
+       /* success without a password, set a blank one */
+       password = strdup("");
+       if(!password)
+         retcode = 1; /* out of memory */
+     }
+    else if(!login && !password)
+      /* a default with no credentials */
+      retcode = NETRC_FILE_MISSING;
+    }
+     if(!retcode) {
+       /* success */
+       *login_changed = FALSE;
+diff --git a/tests/data/Makefile.in b/tests/data/Makefile.in
+index 3da7d31..5a3ec48 100644
+--- a/tests/data/Makefile.in
+++ b/tests/data/Makefile.in
+@@ -431,6 +431,8 @@ test409 test410 \
+ \
+ test430 test431 test432 test433 test434 test435 test436 \
+ \
+test486 \
+\
+ test490 test491 test492 test493 test494 \
+ \
+ test500 test501 test502 test503 test504 test505 test506 test507 test508 \
+diff --git a/tests/data/test486 b/tests/data/test486
+new file mode 100644
+index 0000000..6926092
+--- /dev/null
+++ b/tests/data/test486
+@@ -0,0 +1,105 @@
+<testcase>
+<info>
+<keywords>
+netrc
+HTTP
+</keywords>
+</info>
+#
+# Server-side
+<reply>
+<data crlf="yes">
+HTTP/1.1 301 Follow this you fool
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ETag: "21025-dc7-39462498"
+Accept-Ranges: bytes
+Content-Length: 6
+Connection: close
+Location: http://b.com/%TESTNUMBER0002
+
+-foo-
+</data>
+
+<data2 crlf="yes">
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ETag: "21025-dc7-39462498"
+Accept-Ranges: bytes
+Content-Length: 7
+Connection: close
+
+target
+</data2>
+
+<datacheck crlf="yes">
+HTTP/1.1 301 Follow this you fool
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ETag: "21025-dc7-39462498"
+Accept-Ranges: bytes
+Content-Length: 6
+Connection: close
+Location: http://b.com/%TESTNUMBER0002
+
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ETag: "21025-dc7-39462498"
+Accept-Ranges: bytes
+Content-Length: 7
+Connection: close
+
+target
+</datacheck>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+http
+</server>
+<features>
+proxy
+</features>
+<name>
+.netrc with redirect and "default" with no password or login
+</name>
+<command>
+--netrc --netrc-file log/netrc%TESTNUMBER -L -x http://%HOSTIP:%HTTPPORT/ http://a.com/
+</command>
+<file name="log/netrc%TESTNUMBER" >
+
+machine a.com
+  login alice
+  password alicespassword
+
+default
+
+</file>
+</client>
+
+<verify>
+<protocol>
+GET http://a.com/ HTTP/1.1
+Host: a.com
+Authorization: Basic %b64[alice:alicespassword]b64%
+User-Agent: curl/%VERSION
+Accept: */*
+Proxy-Connection: Keep-Alive
+
+GET http://b.com/%TESTNUMBER0002 HTTP/1.1
+Host: b.com
+User-Agent: curl/%VERSION
+Accept: */*
+Proxy-Connection: Keep-Alive
+
+</protocol>
+</verify>
+</testcase>
+--
+2.40.0
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index f40139418a..623d8a4bc3 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -65,6 +65,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
           file://CVE-2024-9681.patch \
           file://CVE-2024-11053-0001.patch \
           file://CVE-2024-11053-0002.patch \
+           file://CVE-2025-0167.patch \
           "
 SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
author	Yogita Urade <yogita.urade@windriver.com>	2025-07-08 14:27:29 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-07-14 08:37:40 -0700
commit	022d6ec767487a52fc479e25ebad11012df01474 (patch)
tree	56bbed17d31fd653077c779e1e73a360b13395d2
parent	580a1571c4bc7341bd19b067b9e5a8bc4194b627 (diff)
download	poky-022d6ec767487a52fc479e25ebad11012df01474.tar.gz

diff --git a/meta/recipes-support/curl/curl/CVE-2025-0167.patch b/meta/recipes-support/curl/curl/CVE-2025-0167.patch new file mode 100644 index 0000000000..b803cff0d2 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2025-0167.patch
@@ -0,0 +1,175 @@
		1	From 0e120c5b925e8ca75d5319e319e5ce4b8080d8eb Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Fri, 3 Jan 2025 16:22:27 +0100
		4	Subject: [PATCH] netrc: 'default' with no credentials is not a match
		5
		6	Test 486 verifies.
		7
		8	Reported-by: Yihang Zhou
		9
		10	Closes #15908
		11
		12	Changes:
		13	- Test files are added in Makefile.inc.
		14	- Adjust `%LOGDIR/` to 'log/' due to its absence in code.
		15
		16	CVE: CVE-2025-0167
		17	Upstream-Status: Backport [https://github.com/curl/curl/commit/0e120c5b925e8ca75d5319e319e5ce4b8080d8eb]
		18
		19	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		20	---
		21	lib/netrc.c \| 7 ++-
		22	tests/data/Makefile.in \| 2 +
		23	tests/data/test486 \| 105 +++++++++++++++++++++++++++++++++++++++++
		24	3 files changed, 113 insertions(+), 1 deletion(-)
		25	create mode 100644 tests/data/test486
		26
		27	diff --git a/lib/netrc.c b/lib/netrc.c
		28	index 23080b3..6d87007 100644
		29	--- a/lib/netrc.c
		30	+++ b/lib/netrc.c
		31	@@ -205,12 +205,17 @@ static int parsenetrc(const char *host,
		32	} /* while fgets() */
		33
		34	out:
		35	- if(!retcode && !password && our_login) {
		36	+ if(!retcode) {
		37	+ if(!password && our_login) {
		38	/* success without a password, set a blank one */
		39	password = strdup("");
		40	if(!password)
		41	retcode = 1; /* out of memory */
		42	}
		43	+ else if(!login && !password)
		44	+ /* a default with no credentials */
		45	+ retcode = NETRC_FILE_MISSING;
		46	+ }
		47	if(!retcode) {
		48	/* success */
		49	*login_changed = FALSE;
		50	diff --git a/tests/data/Makefile.in b/tests/data/Makefile.in
		51	index 3da7d31..5a3ec48 100644
		52	--- a/tests/data/Makefile.in
		53	+++ b/tests/data/Makefile.in
		54	@@ -431,6 +431,8 @@ test409 test410 \
		55	\
		56	test430 test431 test432 test433 test434 test435 test436 \
		57	\
		58	+test486 \
		59	+\
		60	test490 test491 test492 test493 test494 \
		61	\
		62	test500 test501 test502 test503 test504 test505 test506 test507 test508 \
		63	diff --git a/tests/data/test486 b/tests/data/test486
		64	new file mode 100644
		65	index 0000000..6926092
		66	--- /dev/null
		67	+++ b/tests/data/test486
		68	@@ -0,0 +1,105 @@
		69	+<testcase>
		70	+<info>
		71	+<keywords>
		72	+netrc
		73	+HTTP
		74	+</keywords>
		75	+</info>
		76	+#
		77	+# Server-side
		78	+<reply>
		79	+<data crlf="yes">
		80	+HTTP/1.1 301 Follow this you fool
		81	+Date: Tue, 09 Nov 2010 14:49:00 GMT
		82	+Server: test-server/fake
		83	+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
		84	+ETag: "21025-dc7-39462498"
		85	+Accept-Ranges: bytes
		86	+Content-Length: 6
		87	+Connection: close
		88	+Location: http://b.com/%TESTNUMBER0002
		89	+
		90	+-foo-
		91	+</data>
		92	+
		93	+<data2 crlf="yes">
		94	+HTTP/1.1 200 OK
		95	+Date: Tue, 09 Nov 2010 14:49:00 GMT
		96	+Server: test-server/fake
		97	+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
		98	+ETag: "21025-dc7-39462498"
		99	+Accept-Ranges: bytes
		100	+Content-Length: 7
		101	+Connection: close
		102	+
		103	+target
		104	+</data2>
		105	+
		106	+<datacheck crlf="yes">
		107	+HTTP/1.1 301 Follow this you fool
		108	+Date: Tue, 09 Nov 2010 14:49:00 GMT
		109	+Server: test-server/fake
		110	+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
		111	+ETag: "21025-dc7-39462498"
		112	+Accept-Ranges: bytes
		113	+Content-Length: 6
		114	+Connection: close
		115	+Location: http://b.com/%TESTNUMBER0002
		116	+
		117	+HTTP/1.1 200 OK
		118	+Date: Tue, 09 Nov 2010 14:49:00 GMT
		119	+Server: test-server/fake
		120	+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
		121	+ETag: "21025-dc7-39462498"
		122	+Accept-Ranges: bytes
		123	+Content-Length: 7
		124	+Connection: close
		125	+
		126	+target
		127	+</datacheck>
		128	+</reply>
		129	+
		130	+#
		131	+# Client-side
		132	+<client>
		133	+<server>
		134	+http
		135	+</server>
		136	+<features>
		137	+proxy
		138	+</features>
		139	+<name>
		140	+.netrc with redirect and "default" with no password or login
		141	+</name>
		142	+<command>
		143	+--netrc --netrc-file log/netrc%TESTNUMBER -L -x http://%HOSTIP:%HTTPPORT/ http://a.com/
		144	+</command>
		145	+<file name="log/netrc%TESTNUMBER" >
		146	+
		147	+machine a.com
		148	+ login alice
		149	+ password alicespassword
		150	+
		151	+default
		152	+
		153	+</file>
		154	+</client>
		155	+
		156	+<verify>
		157	+<protocol>
		158	+GET http://a.com/ HTTP/1.1
		159	+Host: a.com
		160	+Authorization: Basic %b64[alice:alicespassword]b64%
		161	+User-Agent: curl/%VERSION
		162	+Accept: /
		163	+Proxy-Connection: Keep-Alive
		164	+
		165	+GET http://b.com/%TESTNUMBER0002 HTTP/1.1
		166	+Host: b.com
		167	+User-Agent: curl/%VERSION
		168	+Accept: /
		169	+Proxy-Connection: Keep-Alive
		170	+
		171	+</protocol>
		172	+</verify>
		173	+</testcase>
		174	--
		175	2.40.0


diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb index f40139418a..623d8a4bc3 100644 --- a/meta/recipes-support/curl/curl_7.82.0.bb +++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -65,6 +65,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
65	file://CVE-2024-9681.patch \	65	file://CVE-2024-9681.patch \
66	file://CVE-2024-11053-0001.patch \	66	file://CVE-2024-11053-0001.patch \
67	file://CVE-2024-11053-0002.patch \	67	file://CVE-2024-11053-0002.patch \
		68	file://CVE-2025-0167.patch \
68	"	69	"
69	SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"	70	SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
70		71