curl: fix CVE-2025-10148

curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-10148 Upstream patch: https://github.com/curl/curl/commit/84db7a9eae8468c0445b15aa806fa (From OE-Core rev: 3793ee12d8da4f8f90a0ffcad180ef8122251491) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Hitendra Prajapati <hprajapati@mvista.com> 2026-01-07 10:22:40 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2026-02-16 09:52:34 +0000
commit: 68f03e2a9fa8b63053adbce0f24912f3b5a0268f (patch)
tree: 7f3421836baef5128f638d42697d755a257ac5df /meta/recipes-support
parent: be8cc4137c8ca9be65ac77217a890674126675eb (diff)
download: poky-68f03e2a9fa8b63053adbce0f24912f3b5a0268f.tar.gz
2 files changed, 58 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2025-10148.patch b/meta/recipes-support/curl/curl/CVE-2025-10148.patch
new file mode 100644
index 0000000000..d37497febe
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2025-10148.patch
@@ -0,0 +1,57 @@
+From 84db7a9eae8468c0445b15aa806fa7fa806fa0f2 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 8 Sep 2025 14:14:15 +0200
+Subject: [PATCH] ws: get a new mask for each new outgoing frame
+Reported-by: Calvin Ruocco
+Closes #18496
+CVE: CVE-2025-10148
+Upstream-Status: Backport [https://github.com/curl/curl/commit/84db7a9eae8468c0445b15aa806fa]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ lib/ws.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+diff --git a/lib/ws.c b/lib/ws.c
+index 5bc5ecc..02e0ef0 100644
+--- a/lib/ws.c
+++ b/lib/ws.c
+@@ -614,6 +614,18 @@ static ssize_t ws_enc_write_head(struct Curl_easy *data,
+   enc->payload_remain = enc->payload_len = payload_len;
+   ws_enc_info(enc, data, "sending");
+ 
+    /* 4 bytes random */
+
+  result = Curl_rand(data, (unsigned char *)&enc->mask, sizeof(enc->mask));
+  if(result)
+    return result;
+
+#ifdef DEBUGBUILD
+  if(getenv("CURL_WS_FORCE_ZERO_MASK"))
+    /* force the bit mask to 0x00000000, effectively disabling masking */
+    memset(&enc->mask, 0, sizeof(enc->mask));
+#endif
+
+   /* add 4 bytes mask */
+   memcpy(&head[hlen], &enc->mask, 4);
+   hlen += 4;
+@@ -802,14 +814,7 @@ CURLcode Curl_ws_accept(struct Curl_easy *data,
+      subprotocol not requested by the client), the client MUST Fail
+      the WebSocket Connection. */
+ 
+-  /* 4 bytes random */
+-
+-  result = Curl_rand(data, (unsigned char *)&ws->enc.mask,
+-                     sizeof(ws->enc.mask));
+-  if(result)
+-    return result;
+-  infof(data, "Received 101, switch to WebSocket; mask %02x%02x%02x%02x",
+-        ws->enc.mask[0], ws->enc.mask[1], ws->enc.mask[2], ws->enc.mask[3]);
+  infof(data, "Received 101, switch to WebSocket");
+ 
+   /* Install our client writer that decodes WS frames payload */
+   result = Curl_cwriter_create(&ws_dec_writer, data, &ws_cw_decode,
+-- 
+2.50.1
diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb
index ecda13a04e..0d7aea0978 100644
--- a/meta/recipes-support/curl/curl_8.7.1.bb
+++ b/meta/recipes-support/curl/curl_8.7.1.bb
@@ -25,6 +25,7 @@ SRC_URI = " \
    file://CVE-2024-11053-0003.patch \
    file://CVE-2025-0167.patch \
    file://CVE-2025-9086.patch \
+    file://CVE-2025-10148.patch \
    file://CVE-2025-14017.patch \
    file://0001-build-enable-Wcast-qual-fix-or-silence-compiler-warn.patch \
    file://CVE-2025-14819.patch \
author	Hitendra Prajapati <hprajapati@mvista.com>	2026-01-07 10:22:40 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2026-02-16 09:52:34 +0000
commit	68f03e2a9fa8b63053adbce0f24912f3b5a0268f (patch)
tree	7f3421836baef5128f638d42697d755a257ac5df /meta/recipes-support
parent	be8cc4137c8ca9be65ac77217a890674126675eb (diff)
download	poky-68f03e2a9fa8b63053adbce0f24912f3b5a0268f.tar.gz

diff --git a/meta/recipes-support/curl/curl/CVE-2025-10148.patch b/meta/recipes-support/curl/curl/CVE-2025-10148.patch new file mode 100644 index 0000000000..d37497febe --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2025-10148.patch
@@ -0,0 +1,57 @@
		1	From 84db7a9eae8468c0445b15aa806fa7fa806fa0f2 Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Mon, 8 Sep 2025 14:14:15 +0200
		4	Subject: [PATCH] ws: get a new mask for each new outgoing frame
		5
		6	Reported-by: Calvin Ruocco
		7	Closes #18496
		8
		9	CVE: CVE-2025-10148
		10	Upstream-Status: Backport [https://github.com/curl/curl/commit/84db7a9eae8468c0445b15aa806fa]
		11	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		12	---
		13	lib/ws.c \| 21 +++++++++++++--------
		14	1 file changed, 13 insertions(+), 8 deletions(-)
		15
		16	diff --git a/lib/ws.c b/lib/ws.c
		17	index 5bc5ecc..02e0ef0 100644
		18	--- a/lib/ws.c
		19	+++ b/lib/ws.c
		20	@@ -614,6 +614,18 @@ static ssize_t ws_enc_write_head(struct Curl_easy *data,
		21	enc->payload_remain = enc->payload_len = payload_len;
		22	ws_enc_info(enc, data, "sending");
		23
		24	+ /* 4 bytes random */
		25	+
		26	+ result = Curl_rand(data, (unsigned char *)&enc->mask, sizeof(enc->mask));
		27	+ if(result)
		28	+ return result;
		29	+
		30	+#ifdef DEBUGBUILD
		31	+ if(getenv("CURL_WS_FORCE_ZERO_MASK"))
		32	+ /* force the bit mask to 0x00000000, effectively disabling masking */
		33	+ memset(&enc->mask, 0, sizeof(enc->mask));
		34	+#endif
		35	+
		36	/* add 4 bytes mask */
		37	memcpy(&head[hlen], &enc->mask, 4);
		38	hlen += 4;
		39	@@ -802,14 +814,7 @@ CURLcode Curl_ws_accept(struct Curl_easy *data,
		40	subprotocol not requested by the client), the client MUST Fail
		41	the WebSocket Connection. */
		42
		43	- /* 4 bytes random */
		44	-
		45	- result = Curl_rand(data, (unsigned char *)&ws->enc.mask,
		46	- sizeof(ws->enc.mask));
		47	- if(result)
		48	- return result;
		49	- infof(data, "Received 101, switch to WebSocket; mask %02x%02x%02x%02x",
		50	- ws->enc.mask[0], ws->enc.mask[1], ws->enc.mask[2], ws->enc.mask[3]);
		51	+ infof(data, "Received 101, switch to WebSocket");
		52
		53	/* Install our client writer that decodes WS frames payload */
		54	result = Curl_cwriter_create(&ws_dec_writer, data, &ws_cw_decode,
		55	--
		56	2.50.1
		57


diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb index ecda13a04e..0d7aea0978 100644 --- a/meta/recipes-support/curl/curl_8.7.1.bb +++ b/meta/recipes-support/curl/curl_8.7.1.bb
@@ -25,6 +25,7 @@ SRC_URI = " \
25	file://CVE-2024-11053-0003.patch \	25	file://CVE-2024-11053-0003.patch \
26	file://CVE-2025-0167.patch \	26	file://CVE-2025-0167.patch \
27	file://CVE-2025-9086.patch \	27	file://CVE-2025-9086.patch \
		28	file://CVE-2025-10148.patch \
28	file://CVE-2025-14017.patch \	29	file://CVE-2025-14017.patch \
29	file://0001-build-enable-Wcast-qual-fix-or-silence-compiler-warn.patch \	30	file://0001-build-enable-Wcast-qual-fix-or-silence-compiler-warn.patch \
30	file://CVE-2025-14819.patch \	31	file://CVE-2025-14819.patch \