diff options
| author | Yogita Urade <yogita.urade@windriver.com> | 2025-09-24 13:58:45 +0530 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2025-09-30 08:01:59 -0700 |
| commit | 4543508143de86eef4777263e324374442ea61d5 (patch) | |
| tree | 78fdc3a6bd85ed8948dff1ab278fce205c85b580 /meta/lib/patchtest | |
| parent | 829e065196b6882aeabaf062fe5eaa49d74413d4 (diff) | |
| download | poky-4543508143de86eef4777263e324374442ea61d5.tar.gz | |
curl: fix CVE-2025-9086
1, A cookie is set using the secure keyword for https://target
2, curl is redirected to or otherwise made to speak with http://target
(same hostname, but using clear text HTTP) using the same cookie set
3, The same cookie name is set - but with just a slash as path (path="/").
Since this site is not secure, the cookie should just be ignored.
4, A bug in the path comparison logic makes curl read outside a heap buffer boundary
The bug either causes a crash or it potentially makes the comparison come to
the wrong conclusion and lets the clear-text site override the contents of
the secure cookie, contrary to expectations and depending on the memory contents
immediately following the single-byte allocation that holds the path.
The presumed and correct behavior would be to plainly ignore the second set of
the cookie since it was already set as secure on a secure host so overriding
it on an insecure host should not be okay.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-9086
Upstream patch:
https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb6
(From OE-Core rev: b0cc7001a628deaa96d1aebb5ded52797898a0be)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/lib/patchtest')
0 files changed, 0 insertions, 0 deletions