2 files changed, 56 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2025-9086.patch b/meta/recipes-support/curl/curl/CVE-2025-9086.patch
new file mode 100644
index 0000000000..c77d8fe33d
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2025-9086.patch
@@ -0,0 +1,55 @@
+From c6ae07c6a541e0e96d0040afb62b45dd37711300 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 11 Aug 2025 20:23:05 +0200
+Subject: [PATCH] cookie: don't treat the leading slash as trailing
+If there is only a leading slash in the path, keep that. Also add an
+assert to make sure the path is never blank.
+Reported-by: Google Big Sleep
+Closes #18266
+CVE: CVE-2025-9086
+Upstream-Status: Backport [https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb6]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ lib/cookie.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+diff --git a/lib/cookie.c b/lib/cookie.c
+index c1ed291..67494d2 100644
+--- a/lib/cookie.c
+++ b/lib/cookie.c
+@@ -316,7 +316,7 @@ static char *sanitize_cookie_path(const char *cookie_path)
+   }
+   /* convert /hoge/ to /hoge */
+-  if(len && new_path[len - 1] == '/') {
+  if(len > 1 && new_path[len - 1] == '/') {
+     new_path[len - 1] = 0x0;
+   }
+@@ -1074,7 +1074,7 @@ Curl_cookie_add(struct Curl_easy *data,
+          clist->spath && co->spath && /* both have paths */
+          clist->secure && !co->secure && !secure) {
+         size_t cllen;
+-        const char *sep;
+        const char *sep = NULL;
+         /*
+          * A non-secure cookie may not overlay an existing secure cookie.
+@@ -1083,8 +1083,9 @@ Curl_cookie_add(struct Curl_easy *data,
+          * "/loginhelper" is ok.
+          */
+-        sep = strchr(clist->spath + 1, '/');
+-
+        DEBUGASSERT(clist->spath[0]);
+        if(clist->spath[0])
+          sep = strchr(clist->spath + 1, '/');
+         if(sep)
+           cllen = sep - clist->spath;
+         else
+--
+2.40.0
diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb
index 6845a43cd2..6ed3d6e84d 100644
--- a/meta/recipes-support/curl/curl_8.7.1.bb
+++ b/meta/recipes-support/curl/curl_8.7.1.bb
@@ -24,6 +24,7 @@ SRC_URI = " \
    file://CVE-2024-11053-0002.patch \
    file://CVE-2024-11053-0003.patch \
    file://CVE-2025-0167.patch \
+    file://CVE-2025-9086.patch \
 "
 SRC_URI:append:class-nativesdk = " \

diff --git a/meta/recipes-support/curl/curl/CVE-2025-9086.patch b/meta/recipes-support/curl/curl/CVE-2025-9086.patch new file mode 100644 index 0000000000..c77d8fe33d --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2025-9086.patch
@@ -0,0 +1,55 @@
		1	From c6ae07c6a541e0e96d0040afb62b45dd37711300 Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Mon, 11 Aug 2025 20:23:05 +0200
		4	Subject: [PATCH] cookie: don't treat the leading slash as trailing
		5
		6	If there is only a leading slash in the path, keep that. Also add an
		7	assert to make sure the path is never blank.
		8
		9	Reported-by: Google Big Sleep
		10	Closes #18266
		11
		12	CVE: CVE-2025-9086
		13	Upstream-Status: Backport [https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb6]
		14
		15	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		16	---
		17	lib/cookie.c \| 9 +++++----
		18	1 file changed, 5 insertions(+), 4 deletions(-)
		19
		20	diff --git a/lib/cookie.c b/lib/cookie.c
		21	index c1ed291..67494d2 100644
		22	--- a/lib/cookie.c
		23	+++ b/lib/cookie.c
		24	@@ -316,7 +316,7 @@ static char sanitize_cookie_path(const char cookie_path)
		25	}
		26
		27	/* convert /hoge/ to /hoge */
		28	- if(len && new_path[len - 1] == '/') {
		29	+ if(len > 1 && new_path[len - 1] == '/') {
		30	new_path[len - 1] = 0x0;
		31	}
		32
		33	@@ -1074,7 +1074,7 @@ Curl_cookie_add(struct Curl_easy *data,
		34	clist->spath && co->spath && /* both have paths */
		35	clist->secure && !co->secure && !secure) {
		36	size_t cllen;
		37	- const char *sep;
		38	+ const char *sep = NULL;
		39
		40	/*
		41	* A non-secure cookie may not overlay an existing secure cookie.
		42	@@ -1083,8 +1083,9 @@ Curl_cookie_add(struct Curl_easy *data,
		43	* "/loginhelper" is ok.
		44	*/
		45
		46	- sep = strchr(clist->spath + 1, '/');
		47	-
		48	+ DEBUGASSERT(clist->spath[0]);
		49	+ if(clist->spath[0])
		50	+ sep = strchr(clist->spath + 1, '/');
		51	if(sep)
		52	cllen = sep - clist->spath;
		53	else
		54	--
		55	2.40.0


diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb index 6845a43cd2..6ed3d6e84d 100644 --- a/meta/recipes-support/curl/curl_8.7.1.bb +++ b/meta/recipes-support/curl/curl_8.7.1.bb
@@ -24,6 +24,7 @@ SRC_URI = " \
24	file://CVE-2024-11053-0002.patch \	24	file://CVE-2024-11053-0002.patch \
25	file://CVE-2024-11053-0003.patch \	25	file://CVE-2024-11053-0003.patch \
26	file://CVE-2025-0167.patch \	26	file://CVE-2025-0167.patch \
		27	file://CVE-2025-9086.patch \
27	"	28	"
28		29
29	SRC_URI:append:class-nativesdk = " \	30	SRC_URI:append:class-nativesdk = " \