2 files changed, 56 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2025-9086.patch b/meta/recipes-support/curl/curl/CVE-2025-9086.patch
new file mode 100644
index 0000000000..8ee7cd5192
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2025-9086.patch
@@ -0,0 +1,55 @@
+From c6ae07c6a541e0e96d0040afb62b45dd37711300 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 11 Aug 2025 20:23:05 +0200
+Subject: [PATCH] cookie: don't treat the leading slash as trailing
+If there is only a leading slash in the path, keep that. Also add an
+assert to make sure the path is never blank.
+Reported-by: Google Big Sleep
+Closes #18266
+CVE: CVE-2025-9086
+Upstream-Status: Backport [https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb6]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ lib/cookie.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+diff --git a/lib/cookie.c b/lib/cookie.c
+index e287458..ac7d3de 100644
+--- a/lib/cookie.c
+++ b/lib/cookie.c
+@@ -312,7 +312,7 @@ static char *sanitize_cookie_path(const char *cookie_path)
+   }
+   /* convert /hoge/ to /hoge */
+-  if(len && new_path[len - 1] == '/') {
+  if(len > 1 && new_path[len - 1] == '/') {
+     new_path[len - 1] = 0x0;
+   }
+@@ -1078,7 +1078,7 @@ Curl_cookie_add(struct Curl_easy *data,
+         if(clist->spath && co->spath) {
+           if(clist->secure && !co->secure && !secure) {
+             size_t cllen;
+-            const char *sep;
+            const char *sep = NULL;
+             /*
+              * A non-secure cookie may not overlay an existing secure cookie.
+@@ -1087,8 +1087,9 @@ Curl_cookie_add(struct Curl_easy *data,
+              * "/loginhelper" is ok.
+              */
+-            sep = strchr(clist->spath + 1, '/');
+-
+            DEBUGASSERT(clist->spath[0]);
+            if(clist->spath[0])
+              sep = strchr(clist->spath + 1, '/');
+             if(sep)
+               cllen = sep - clist->spath;
+             else
+--
+2.40.0
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index 623d8a4bc3..54362e6978 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -66,6 +66,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
           file://CVE-2024-11053-0001.patch \
           file://CVE-2024-11053-0002.patch \
           file://CVE-2025-0167.patch \
+           file://CVE-2025-9086.patch \
           "
 SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"

diff --git a/meta/recipes-support/curl/curl/CVE-2025-9086.patch b/meta/recipes-support/curl/curl/CVE-2025-9086.patch new file mode 100644 index 0000000000..8ee7cd5192 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2025-9086.patch
@@ -0,0 +1,55 @@
		1	From c6ae07c6a541e0e96d0040afb62b45dd37711300 Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Mon, 11 Aug 2025 20:23:05 +0200
		4	Subject: [PATCH] cookie: don't treat the leading slash as trailing
		5
		6	If there is only a leading slash in the path, keep that. Also add an
		7	assert to make sure the path is never blank.
		8
		9	Reported-by: Google Big Sleep
		10	Closes #18266
		11
		12	CVE: CVE-2025-9086
		13	Upstream-Status: Backport [https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb6]
		14
		15	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		16	---
		17	lib/cookie.c \| 9 +++++----
		18	1 file changed, 5 insertions(+), 4 deletions(-)
		19
		20	diff --git a/lib/cookie.c b/lib/cookie.c
		21	index e287458..ac7d3de 100644
		22	--- a/lib/cookie.c
		23	+++ b/lib/cookie.c
		24	@@ -312,7 +312,7 @@ static char sanitize_cookie_path(const char cookie_path)
		25	}
		26
		27	/* convert /hoge/ to /hoge */
		28	- if(len && new_path[len - 1] == '/') {
		29	+ if(len > 1 && new_path[len - 1] == '/') {
		30	new_path[len - 1] = 0x0;
		31	}
		32
		33	@@ -1078,7 +1078,7 @@ Curl_cookie_add(struct Curl_easy *data,
		34	if(clist->spath && co->spath) {
		35	if(clist->secure && !co->secure && !secure) {
		36	size_t cllen;
		37	- const char *sep;
		38	+ const char *sep = NULL;
		39
		40	/*
		41	* A non-secure cookie may not overlay an existing secure cookie.
		42	@@ -1087,8 +1087,9 @@ Curl_cookie_add(struct Curl_easy *data,
		43	* "/loginhelper" is ok.
		44	*/
		45
		46	- sep = strchr(clist->spath + 1, '/');
		47	-
		48	+ DEBUGASSERT(clist->spath[0]);
		49	+ if(clist->spath[0])
		50	+ sep = strchr(clist->spath + 1, '/');
		51	if(sep)
		52	cllen = sep - clist->spath;
		53	else
		54	--
		55	2.40.0


diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb index 623d8a4bc3..54362e6978 100644 --- a/meta/recipes-support/curl/curl_7.82.0.bb +++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -66,6 +66,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
66	file://CVE-2024-11053-0001.patch \	66	file://CVE-2024-11053-0001.patch \
67	file://CVE-2024-11053-0002.patch \	67	file://CVE-2024-11053-0002.patch \
68	file://CVE-2025-0167.patch \	68	file://CVE-2025-0167.patch \
		69	file://CVE-2025-9086.patch \
69	"	70	"
70	SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"	71	SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
71		72