diff options
| author | Yogita Urade <yogita.urade@windriver.com> | 2025-09-24 15:26:40 +0530 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2025-10-03 09:51:17 -0700 |
| commit | 9c9c70625270baeb44b75d4f12b266758eb9cd38 (patch) | |
| tree | f810e7be61715f5fa367d939df09bd8ed4881fc0 /documentation/set_versions.py | |
| parent | d2a96dd89c0f0c5da62974439d74b7b351c0dbaf (diff) | |
| download | poky-9c9c70625270baeb44b75d4f12b266758eb9cd38.tar.gz | |
curl: fix CVE-2025-9086
1, A cookie is set using the secure keyword for https://target
2, curl is redirected to or otherwise made to speak with http://target
(same hostname, but using clear text HTTP) using the same cookie set
3, The same cookie name is set - but with just a slash as path (path="/").
Since this site is not secure, the cookie should just be ignored.
4, A bug in the path comparison logic makes curl read outside a heap buffer boundary
The bug either causes a crash or it potentially makes the comparison come to
the wrong conclusion and lets the clear-text site override the contents of
the secure cookie, contrary to expectations and depending on the memory contents
immediately following the single-byte allocation that holds the path.
The presumed and correct behavior would be to plainly ignore the second set of
the cookie since it was already set as secure on a secure host so overriding
it on an insecure host should not be okay.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-9086
Upstream patch:
https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb6
(From OE-Core rev: dc842a631b178acd9c4f00c4a3b87831baf08ebb)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'documentation/set_versions.py')
0 files changed, 0 insertions, 0 deletions