curl: fix CVE-2025-0167

When asked to use a `.netrc` file for credentials *and* to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a `default` entry that omits both login and password. A rare circumstance. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-0167 Upstream patch: https://github.com/curl/curl/commit/0e120c5b925e8ca75d5319e (From OE-Core rev: b74dba43f2d6896245232373f2a9fdf07086a237) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Yogita Urade <yogita.urade@windriver.com> 2025-04-22 11:48:15 +0000
committer: Steve Sakoman <steve@sakoman.com> 2025-04-28 08:18:53 -0700
commit: 26b25ba6733c803a5331c48aebb267314fdab6c6 (patch)
tree: 9ef2d2e6b251cf431cbbafa7385a70616a4973cc
parent: 2e67952192f95cd7465c5c795e5d420aba8c9827 (diff)
download: poky-26b25ba6733c803a5331c48aebb267314fdab6c6.tar.gz
2 files changed, 179 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2025-0167.patch b/meta/recipes-support/curl/curl/CVE-2025-0167.patch
new file mode 100644
index 0000000000..6dad98ef7a
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2025-0167.patch
@@ -0,0 +1,178 @@
+From 0e120c5b925e8ca75d5319e319e5ce4b8080d8eb Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 3 Jan 2025 16:22:27 +0100
+Subject: [PATCH] netrc: 'default' with no credentials is not a match
+Test 486 verifies.
+Reported-by: Yihang Zhou
+Closes #15908
+Changes:
+- Test files are added in Makefile.inc.
+- Adjust `%LOGDIR/` to 'log/' due to its absence in code.
+CVE: CVE-2025-0167
+Upstream-Status: Backport [https://github.com/curl/curl/commit/0e120c5b925e8ca75d5319e]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ lib/netrc.c             |  15 ++++--
+ tests/data/Makefile.inc |   2 +-
+ tests/data/test486      | 105 ++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 116 insertions(+), 6 deletions(-)
+ create mode 100644 tests/data/test486
+diff --git a/lib/netrc.c b/lib/netrc.c
+index 64efdc0..5533ecc 100644
+--- a/lib/netrc.c
+++ b/lib/netrc.c
+@@ -263,11 +263,16 @@ static int parsenetrc(const char *host,
+ out:
+     Curl_dyn_free(&buf);
+-    if(!retcode && !password && our_login) {
+-      /* success without a password, set a blank one */
+-      password = strdup("");
+-      if(!password)
+-        retcode = 1; /* out of memory */
+    if(!retcode) {
+     if(!password && our_login) {
+       /* success without a password, set a blank one */
+       password = strdup("");
+       if(!password)
+         retcode = 1; /* out of memory */
+     }
+     else if(!login && !password)
+       /* a default with no credentials */
+       retcode = NETRC_FILE_MISSING;
+     }
+     if(!retcode) {
+       /* success */
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index e3508cb..7a8074f 100644
+--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
+@@ -73,7 +73,7 @@ test426 test427 test428 test429 test430 test431 test432 test433 test434 \
+ test435 test436 test437 test438 test439 test440 test441 test442 test443 \
+ test444 test445 test446 test447 test448 test449 test450 test451 test452 \
+ test453 test454 test455 test456 test457 test458 test459 test460 test461 \
+-test462 test463 test467 test468 test478 test479 test480 \
+test462 test463 test467 test468 test478 test479 test480 test486 \
+ \
+ test490 test491 test492 test493 test494 test495 test496 test497 test498 \
+ test499 test500 test501 test502 test503 test504 test505 test506 test507 \
+diff --git a/tests/data/test486 b/tests/data/test486
+new file mode 100644
+index 0000000..093899e
+--- /dev/null
+++ b/tests/data/test486
+@@ -0,0 +1,105 @@
+<testcase>
+ <info>
+ <keywords>
+ netrc
+ HTTP
+ </keywords>
+ </info>
+ #
+ # Server-side
+ <reply>
+ <data crlf="yes">
+ HTTP/1.1 301 Follow this you fool
+ Date: Tue, 09 Nov 2010 14:49:00 GMT
+ Server: test-server/fake
+ Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ ETag: "21025-dc7-39462498"
+ Accept-Ranges: bytes
+ Content-Length: 6
+ Connection: close
+ Location: http://b.com/%TESTNUMBER0002
+
+ -foo-
+ </data>
+
+ <data2 crlf="yes">
+ HTTP/1.1 200 OK
+ Date: Tue, 09 Nov 2010 14:49:00 GMT
+ Server: test-server/fake
+ Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ ETag: "21025-dc7-39462498"
+ Accept-Ranges: bytes
+ Content-Length: 7
+ Connection: close
+
+ target
+ </data2>
+
+ <datacheck crlf="yes">
+ HTTP/1.1 301 Follow this you fool
+ Date: Tue, 09 Nov 2010 14:49:00 GMT
+ Server: test-server/fake
+ Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ ETag: "21025-dc7-39462498"
+ Accept-Ranges: bytes
+ Content-Length: 6
+ Connection: close
+ Location: http://b.com/%TESTNUMBER0002
+
+ HTTP/1.1 200 OK
+ Date: Tue, 09 Nov 2010 14:49:00 GMT
+ Server: test-server/fake
+ Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ ETag: "21025-dc7-39462498"
+ Accept-Ranges: bytes
+ Content-Length: 7
+ Connection: close
+
+ target
+ </datacheck>
+ </reply>
+
+ #
+ # Client-side
+ <client>
+ <server>
+ http
+ </server>
+ <features>
+ proxy
+ </features>
+ <name>
+ .netrc with redirect and "default" with no password or login
+ </name>
+ <command>
+ --netrc --netrc-file log/netrc%TESTNUMBER -L -x http://%HOSTIP:%HTTPPORT/ http://a.com/
+ </command>
+ <file name="log/netrc%TESTNUMBER" >
+
+ machine a.com
+   login alice
+   password alicespassword
+
+ default
+
+ </file>
+ </client>
+
+ <verify>
+ <protocol>
+ GET http://a.com/ HTTP/1.1
+ Host: a.com
+ Authorization: Basic %b64[alice:alicespassword]b64%
+ User-Agent: curl/%VERSION
+ Accept: */*
+ Proxy-Connection: Keep-Alive
+
+ GET http://b.com/%TESTNUMBER0002 HTTP/1.1
+ Host: b.com
+ User-Agent: curl/%VERSION
+ Accept: */*
+ Proxy-Connection: Keep-Alive
+
+ </protocol>
+ </verify>
+ </testcase>
+--
+2.40.0
diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb
index 6d6563591c..8ce8caadf0 100644
--- a/meta/recipes-support/curl/curl_8.7.1.bb
+++ b/meta/recipes-support/curl/curl_8.7.1.bb
@@ -23,6 +23,7 @@ SRC_URI = " \
    file://CVE-2024-11053-0001.patch \
    file://CVE-2024-11053-0002.patch \
    file://CVE-2024-11053-0003.patch \
+    file://CVE-2025-0167.patch \
 "
 SRC_URI[sha256sum] = "6fea2aac6a4610fbd0400afb0bcddbe7258a64c63f1f68e5855ebc0c659710cd"
author	Yogita Urade <yogita.urade@windriver.com>	2025-04-22 11:48:15 +0000
committer	Steve Sakoman <steve@sakoman.com>	2025-04-28 08:18:53 -0700
commit	26b25ba6733c803a5331c48aebb267314fdab6c6 (patch)
tree	9ef2d2e6b251cf431cbbafa7385a70616a4973cc
parent	2e67952192f95cd7465c5c795e5d420aba8c9827 (diff)
download	poky-26b25ba6733c803a5331c48aebb267314fdab6c6.tar.gz

diff --git a/meta/recipes-support/curl/curl/CVE-2025-0167.patch b/meta/recipes-support/curl/curl/CVE-2025-0167.patch new file mode 100644 index 0000000000..6dad98ef7a --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2025-0167.patch
@@ -0,0 +1,178 @@
		1	From 0e120c5b925e8ca75d5319e319e5ce4b8080d8eb Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Fri, 3 Jan 2025 16:22:27 +0100
		4	Subject: [PATCH] netrc: 'default' with no credentials is not a match
		5
		6	Test 486 verifies.
		7
		8	Reported-by: Yihang Zhou
		9
		10	Closes #15908
		11
		12	Changes:
		13	- Test files are added in Makefile.inc.
		14	- Adjust `%LOGDIR/` to 'log/' due to its absence in code.
		15
		16	CVE: CVE-2025-0167
		17	Upstream-Status: Backport [https://github.com/curl/curl/commit/0e120c5b925e8ca75d5319e]
		18
		19	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		20	---
		21	lib/netrc.c \| 15 ++++--
		22	tests/data/Makefile.inc \| 2 +-
		23	tests/data/test486 \| 105 ++++++++++++++++++++++++++++++++++++++++
		24	3 files changed, 116 insertions(+), 6 deletions(-)
		25	create mode 100644 tests/data/test486
		26
		27	diff --git a/lib/netrc.c b/lib/netrc.c
		28	index 64efdc0..5533ecc 100644
		29	--- a/lib/netrc.c
		30	+++ b/lib/netrc.c
		31	@@ -263,11 +263,16 @@ static int parsenetrc(const char *host,
		32
		33	out:
		34	Curl_dyn_free(&buf);
		35	- if(!retcode && !password && our_login) {
		36	- /* success without a password, set a blank one */
		37	- password = strdup("");
		38	- if(!password)
		39	- retcode = 1; /* out of memory */
		40	+ if(!retcode) {
		41	+ if(!password && our_login) {
		42	+ /* success without a password, set a blank one */
		43	+ password = strdup("");
		44	+ if(!password)
		45	+ retcode = 1; /* out of memory */
		46	+ }
		47	+ else if(!login && !password)
		48	+ /* a default with no credentials */
		49	+ retcode = NETRC_FILE_MISSING;
		50	}
		51	if(!retcode) {
		52	/* success */
		53	diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
		54	index e3508cb..7a8074f 100644
		55	--- a/tests/data/Makefile.inc
		56	+++ b/tests/data/Makefile.inc
		57	@@ -73,7 +73,7 @@ test426 test427 test428 test429 test430 test431 test432 test433 test434 \
		58	test435 test436 test437 test438 test439 test440 test441 test442 test443 \
		59	test444 test445 test446 test447 test448 test449 test450 test451 test452 \
		60	test453 test454 test455 test456 test457 test458 test459 test460 test461 \
		61	-test462 test463 test467 test468 test478 test479 test480 \
		62	+test462 test463 test467 test468 test478 test479 test480 test486 \
		63	\
		64	test490 test491 test492 test493 test494 test495 test496 test497 test498 \
		65	test499 test500 test501 test502 test503 test504 test505 test506 test507 \
		66	diff --git a/tests/data/test486 b/tests/data/test486
		67	new file mode 100644
		68	index 0000000..093899e
		69	--- /dev/null
		70	+++ b/tests/data/test486
		71	@@ -0,0 +1,105 @@
		72	+<testcase>
		73	+ <info>
		74	+ <keywords>
		75	+ netrc
		76	+ HTTP
		77	+ </keywords>
		78	+ </info>
		79	+ #
		80	+ # Server-side
		81	+ <reply>
		82	+ <data crlf="yes">
		83	+ HTTP/1.1 301 Follow this you fool
		84	+ Date: Tue, 09 Nov 2010 14:49:00 GMT
		85	+ Server: test-server/fake
		86	+ Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
		87	+ ETag: "21025-dc7-39462498"
		88	+ Accept-Ranges: bytes
		89	+ Content-Length: 6
		90	+ Connection: close
		91	+ Location: http://b.com/%TESTNUMBER0002
		92	+
		93	+ -foo-
		94	+ </data>
		95	+
		96	+ <data2 crlf="yes">
		97	+ HTTP/1.1 200 OK
		98	+ Date: Tue, 09 Nov 2010 14:49:00 GMT
		99	+ Server: test-server/fake
		100	+ Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
		101	+ ETag: "21025-dc7-39462498"
		102	+ Accept-Ranges: bytes
		103	+ Content-Length: 7
		104	+ Connection: close
		105	+
		106	+ target
		107	+ </data2>
		108	+
		109	+ <datacheck crlf="yes">
		110	+ HTTP/1.1 301 Follow this you fool
		111	+ Date: Tue, 09 Nov 2010 14:49:00 GMT
		112	+ Server: test-server/fake
		113	+ Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
		114	+ ETag: "21025-dc7-39462498"
		115	+ Accept-Ranges: bytes
		116	+ Content-Length: 6
		117	+ Connection: close
		118	+ Location: http://b.com/%TESTNUMBER0002
		119	+
		120	+ HTTP/1.1 200 OK
		121	+ Date: Tue, 09 Nov 2010 14:49:00 GMT
		122	+ Server: test-server/fake
		123	+ Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
		124	+ ETag: "21025-dc7-39462498"
		125	+ Accept-Ranges: bytes
		126	+ Content-Length: 7
		127	+ Connection: close
		128	+
		129	+ target
		130	+ </datacheck>
		131	+ </reply>
		132	+
		133	+ #
		134	+ # Client-side
		135	+ <client>
		136	+ <server>
		137	+ http
		138	+ </server>
		139	+ <features>
		140	+ proxy
		141	+ </features>
		142	+ <name>
		143	+ .netrc with redirect and "default" with no password or login
		144	+ </name>
		145	+ <command>
		146	+ --netrc --netrc-file log/netrc%TESTNUMBER -L -x http://%HOSTIP:%HTTPPORT/ http://a.com/
		147	+ </command>
		148	+ <file name="log/netrc%TESTNUMBER" >
		149	+
		150	+ machine a.com
		151	+ login alice
		152	+ password alicespassword
		153	+
		154	+ default
		155	+
		156	+ </file>
		157	+ </client>
		158	+
		159	+ <verify>
		160	+ <protocol>
		161	+ GET http://a.com/ HTTP/1.1
		162	+ Host: a.com
		163	+ Authorization: Basic %b64[alice:alicespassword]b64%
		164	+ User-Agent: curl/%VERSION
		165	+ Accept: /
		166	+ Proxy-Connection: Keep-Alive
		167	+
		168	+ GET http://b.com/%TESTNUMBER0002 HTTP/1.1
		169	+ Host: b.com
		170	+ User-Agent: curl/%VERSION
		171	+ Accept: /
		172	+ Proxy-Connection: Keep-Alive
		173	+
		174	+ </protocol>
		175	+ </verify>
		176	+ </testcase>
		177	--
		178	2.40.0


diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb index 6d6563591c..8ce8caadf0 100644 --- a/meta/recipes-support/curl/curl_8.7.1.bb +++ b/meta/recipes-support/curl/curl_8.7.1.bb
@@ -23,6 +23,7 @@ SRC_URI = " \
23	file://CVE-2024-11053-0001.patch \	23	file://CVE-2024-11053-0001.patch \
24	file://CVE-2024-11053-0002.patch \	24	file://CVE-2024-11053-0002.patch \
25	file://CVE-2024-11053-0003.patch \	25	file://CVE-2024-11053-0003.patch \
		26	file://CVE-2025-0167.patch \
26	"	27	"
27	SRC_URI[sha256sum] = "6fea2aac6a4610fbd0400afb0bcddbe7258a64c63f1f68e5855ebc0c659710cd"	28	SRC_URI[sha256sum] = "6fea2aac6a4610fbd0400afb0bcddbe7258a64c63f1f68e5855ebc0c659710cd"
28		29