diff options
| author | Yogita Urade <yogita.urade@windriver.com> | 2025-09-24 13:56:55 +0530 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2025-09-25 12:25:51 -0700 |
| commit | 96c7bfd6793bf4282337e101abc10bcb8be38436 (patch) | |
| tree | 3696d6dba622ddab1dc78386ff3e0cfa2a582dfa /scripts/tiny/ksum.py | |
| parent | cb23f1e13634a0518c74c10b04c69bed1f799f8a (diff) | |
| download | poky-96c7bfd6793bf4282337e101abc10bcb8be38436.tar.gz | |
curl: fix CVE-2025-9086
1, A cookie is set using the secure keyword for https://target
2, curl is redirected to or otherwise made to speak with http://target
(same hostname, but using clear text HTTP) using the same cookie set
3, The same cookie name is set - but with just a slash as path (path="/").
Since this site is not secure, the cookie should just be ignored.
4, A bug in the path comparison logic makes curl read outside a heap buffer boundary
The bug either causes a crash or it potentially makes the comparison come to
the wrong conclusion and lets the clear-text site override the contents of
the secure cookie, contrary to expectations and depending on the memory contents
immediately following the single-byte allocation that holds the path.
The presumed and correct behavior would be to plainly ignore the second set of
the cookie since it was already set as secure on a secure host so overriding
it on an insecure host should not be okay.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-9086
Upstream patch:
https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb6
(From OE-Core rev: 95ab3c3e3745e7e0ca74760683e42ae7531b4199)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'scripts/tiny/ksum.py')
0 files changed, 0 insertions, 0 deletions