curl: patch CVE-2025-15079

Pick patch per [1]. [1] https://curl.se/docs/CVE-2025-15079.html (From OE-Core rev: 48a162d90daada0f992e665696f7f2e738780af1) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Peter Marko <peter.marko@siemens.com> 2026-01-10 18:36:26 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2026-01-26 09:45:39 +0000
commit: 41c8c7c5c5e5483494c23019337491f28a88f88f (patch)
tree: 51db3585f9ead667841b922b7ca65a813aa25b10 /meta/recipes-support
parent: ea774774ef9c06cf4a4e89cfd684e72e2c6725e3 (diff)
download: poky-41c8c7c5c5e5483494c23019337491f28a88f88f.tar.gz
2 files changed, 33 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2025-15079.patch b/meta/recipes-support/curl/curl/CVE-2025-15079.patch
new file mode 100644
index 0000000000..47fa518309
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2025-15079.patch
@@ -0,0 +1,32 @@
+From adca486c125d9a6d9565b9607a19dce803a8b479 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 24 Dec 2025 17:47:03 +0100
+Subject: [PATCH] libssh: set both knownhosts options to the same file
+Reported-by: Harry Sintonen
+Closes #20092
+CVE: CVE-2025-15079
+Upstream-Status: Backport [https://github.com/curl/curl/commit/adca486c125d9a6d9565b9607a19dce803a8b479]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ lib/vssh/libssh.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c
+index 7d5905c83d..98c109ab59 100644
+--- a/lib/vssh/libssh.c
+++ b/lib/vssh/libssh.c
+@@ -2224,6 +2224,11 @@ static CURLcode myssh_connect(struct Curl_easy *data, bool *done)
+     infof(data, "Known hosts: %s", data->set.str[STRING_SSH_KNOWNHOSTS]);
+     rc = ssh_options_set(ssh->ssh_session, SSH_OPTIONS_KNOWNHOSTS,
+                          data->set.str[STRING_SSH_KNOWNHOSTS]);
+    if(rc == SSH_OK)
+      /* libssh has two separate options for this. Set both to the same file
+         to avoid surprises */
+      rc = ssh_options_set(ssh->ssh_session, SSH_OPTIONS_GLOBAL_KNOWNHOSTS,
+                           data->set.str[STRING_SSH_KNOWNHOSTS]);
+     if(rc != SSH_OK) {
+       failf(data, "Could not set known hosts file path");
+       return CURLE_FAILED_INIT;
diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb
index 3134846e57..85b91ef958 100644
--- a/meta/recipes-support/curl/curl_8.7.1.bb
+++ b/meta/recipes-support/curl/curl_8.7.1.bb
@@ -28,6 +28,7 @@ SRC_URI = " \
    file://CVE-2025-14017.patch \
    file://0001-build-enable-Wcast-qual-fix-or-silence-compiler-warn.patch \
    file://CVE-2025-14819.patch \
+    file://CVE-2025-15079.patch \
 "
 SRC_URI:append:class-nativesdk = " \
author	Peter Marko <peter.marko@siemens.com>	2026-01-10 18:36:26 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2026-01-26 09:45:39 +0000
commit	41c8c7c5c5e5483494c23019337491f28a88f88f (patch)
tree	51db3585f9ead667841b922b7ca65a813aa25b10 /meta/recipes-support
parent	ea774774ef9c06cf4a4e89cfd684e72e2c6725e3 (diff)
download	poky-41c8c7c5c5e5483494c23019337491f28a88f88f.tar.gz

diff --git a/meta/recipes-support/curl/curl/CVE-2025-15079.patch b/meta/recipes-support/curl/curl/CVE-2025-15079.patch new file mode 100644 index 0000000000..47fa518309 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2025-15079.patch
@@ -0,0 +1,32 @@
		1	From adca486c125d9a6d9565b9607a19dce803a8b479 Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Wed, 24 Dec 2025 17:47:03 +0100
		4	Subject: [PATCH] libssh: set both knownhosts options to the same file
		5
		6	Reported-by: Harry Sintonen
		7
		8	Closes #20092
		9
		10	CVE: CVE-2025-15079
		11	Upstream-Status: Backport [https://github.com/curl/curl/commit/adca486c125d9a6d9565b9607a19dce803a8b479]
		12	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		13	---
		14	lib/vssh/libssh.c \| 5 +++++
		15	1 file changed, 5 insertions(+)
		16
		17	diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c
		18	index 7d5905c83d..98c109ab59 100644
		19	--- a/lib/vssh/libssh.c
		20	+++ b/lib/vssh/libssh.c
		21	@@ -2224,6 +2224,11 @@ static CURLcode myssh_connect(struct Curl_easy data, bool done)
		22	infof(data, "Known hosts: %s", data->set.str[STRING_SSH_KNOWNHOSTS]);
		23	rc = ssh_options_set(ssh->ssh_session, SSH_OPTIONS_KNOWNHOSTS,
		24	data->set.str[STRING_SSH_KNOWNHOSTS]);
		25	+ if(rc == SSH_OK)
		26	+ /* libssh has two separate options for this. Set both to the same file
		27	+ to avoid surprises */
		28	+ rc = ssh_options_set(ssh->ssh_session, SSH_OPTIONS_GLOBAL_KNOWNHOSTS,
		29	+ data->set.str[STRING_SSH_KNOWNHOSTS]);
		30	if(rc != SSH_OK) {
		31	failf(data, "Could not set known hosts file path");
		32	return CURLE_FAILED_INIT;


diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb index 3134846e57..85b91ef958 100644 --- a/meta/recipes-support/curl/curl_8.7.1.bb +++ b/meta/recipes-support/curl/curl_8.7.1.bb
@@ -28,6 +28,7 @@ SRC_URI = " \
28	file://CVE-2025-14017.patch \	28	file://CVE-2025-14017.patch \
29	file://0001-build-enable-Wcast-qual-fix-or-silence-compiler-warn.patch \	29	file://0001-build-enable-Wcast-qual-fix-or-silence-compiler-warn.patch \
30	file://CVE-2025-14819.patch \	30	file://CVE-2025-14819.patch \
		31	file://CVE-2025-15079.patch \
31	"	32	"
32		33
33	SRC_URI:append:class-nativesdk = " \	34	SRC_URI:append:class-nativesdk = " \