2 files changed, 86 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2024-9681.patch b/meta/recipes-support/curl/curl/CVE-2024-9681.patch
new file mode 100644
index 0000000000..56a631d834
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2024-9681.patch
@@ -0,0 +1,85 @@
+From a94973805df96269bf3f3bf0a20ccb9887313316 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 9 Oct 2024 10:04:35 +0200
+Subject: [PATCH] hsts: improve subdomain handling
+- on load, only replace existing HSTS entries if there is a full host
+  match
+- on matching, prefer a full host match and secondary the longest tail
+  subdomain match
+Closes #15210
+CVE: CVE-2024-9681
+Upstream-Status: Backport [https://github.com/curl/curl/commit/a94973805df96269bf3f3bf0a20ccb9887313316]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ lib/hsts.c          | 14 ++++++++++----
+ tests/data/test1660 |  2 +-
+ 2 files changed, 11 insertions(+), 5 deletions(-)
+diff --git a/lib/hsts.c b/lib/hsts.c
+index d5e883f51ef0f7..12052ce53c1c5a 100644
+--- a/lib/hsts.c
+++ b/lib/hsts.c
+@@ -249,12 +249,14 @@ CURLcode Curl_hsts_parse(struct hsts *h, const char *hostname,
+ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
+                            bool subdomain)
+ {
+  struct stsentry *bestsub = NULL;
+   if(h) {
+     char buffer[MAX_HSTS_HOSTLEN + 1];
+     time_t now = time(NULL);
+     size_t hlen = strlen(hostname);
+     struct Curl_llist_element *e;
+     struct Curl_llist_element *n;
+    size_t blen = 0;
+ 
+     if((hlen > MAX_HSTS_HOSTLEN) || !hlen)
+       return NULL;
+@@ -279,15 +281,19 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
+         if(ntail < hlen) {
+           size_t offs = hlen - ntail;
+           if((hostname[offs-1] == '.') &&
+-             strncasecompare(&hostname[offs], sts->host, ntail))
+-            return sts;
+             strncasecompare(&hostname[offs], sts->host, ntail) &&
+             (ntail > blen)) {
+            /* save the tail match with the longest tail */
+            bestsub = sts;
+            blen = ntail;
+          }
+         }
+       }
+       if(strcasecompare(hostname, sts->host))
+         return sts;
+     }
+   }
+-  return NULL; /* no match */
+  return bestsub;
+ }
+ 
+ /*
+@@ -439,7 +445,7 @@ static CURLcode hsts_add(struct hsts *h, char *line)
+     e = Curl_hsts(h, p, subdomain);
+     if(!e)
+       result = hsts_create(h, p, subdomain, expires);
+-    else {
+    else if(strcasecompare(p, e->host)) {
+       /* the same hostname, use the largest expire time */
+       if(expires > e->expires)
+         e->expires = expires;
+diff --git a/tests/data/test1660 b/tests/data/test1660
+index f86126d19cf269..4b6f9615c9d517 100644
+--- a/tests/data/test1660
+++ b/tests/data/test1660
+@@ -52,7 +52,7 @@ this.example [this.example]: 1548400797
+ Input 12: error 43
+ Input 13: error 43
+ Input 14: error 43
+-3.example.com [example.com]: 1569905261 includeSubDomains
+3.example.com [3.example.com]: 1569905261 includeSubDomains
+ 3.example.com [example.com]: 1569905261 includeSubDomains
+ foo.example.com [example.com]: 1569905261 includeSubDomains
+ 'foo.xample.com' is not HSTS
diff --git a/meta/recipes-support/curl/curl_8.9.1.bb b/meta/recipes-support/curl/curl_8.9.1.bb
index 745224929b..174608b561 100644
--- a/meta/recipes-support/curl/curl_8.9.1.bb
+++ b/meta/recipes-support/curl/curl_8.9.1.bb
@@ -15,6 +15,7 @@ SRC_URI = " \
    file://disable-tests \
    file://no-test-timeout.patch \
    file://0001-sigpipe-init-the-struct-so-that-first-apply-ignores.patch \
+    file://CVE-2024-9681.patch \
 "
 SRC_URI[sha256sum] = "f292f6cc051d5bbabf725ef85d432dfeacc8711dd717ea97612ae590643801e5"

diff --git a/meta/recipes-support/curl/curl/CVE-2024-9681.patch b/meta/recipes-support/curl/curl/CVE-2024-9681.patch new file mode 100644 index 0000000000..56a631d834 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2024-9681.patch
@@ -0,0 +1,85 @@
		1	From a94973805df96269bf3f3bf0a20ccb9887313316 Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Wed, 9 Oct 2024 10:04:35 +0200
		4	Subject: [PATCH] hsts: improve subdomain handling
		5
		6	- on load, only replace existing HSTS entries if there is a full host
		7	match
		8
		9	- on matching, prefer a full host match and secondary the longest tail
		10	subdomain match
		11
		12	Closes #15210
		13
		14	CVE: CVE-2024-9681
		15	Upstream-Status: Backport [https://github.com/curl/curl/commit/a94973805df96269bf3f3bf0a20ccb9887313316]
		16	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		17	---
		18	lib/hsts.c \| 14 ++++++++++----
		19	tests/data/test1660 \| 2 +-
		20	2 files changed, 11 insertions(+), 5 deletions(-)
		21
		22	diff --git a/lib/hsts.c b/lib/hsts.c
		23	index d5e883f51ef0f7..12052ce53c1c5a 100644
		24	--- a/lib/hsts.c
		25	+++ b/lib/hsts.c
		26	@@ -249,12 +249,14 @@ CURLcode Curl_hsts_parse(struct hsts h, const char hostname,
		27	struct stsentry Curl_hsts(struct hsts h, const char *hostname,
		28	bool subdomain)
		29	{
		30	+ struct stsentry *bestsub = NULL;
		31	if(h) {
		32	char buffer[MAX_HSTS_HOSTLEN + 1];
		33	time_t now = time(NULL);
		34	size_t hlen = strlen(hostname);
		35	struct Curl_llist_element *e;
		36	struct Curl_llist_element *n;
		37	+ size_t blen = 0;
		38
		39	if((hlen > MAX_HSTS_HOSTLEN) \|\| !hlen)
		40	return NULL;
		41	@@ -279,15 +281,19 @@ struct stsentry Curl_hsts(struct hsts h, const char *hostname,
		42	if(ntail < hlen) {
		43	size_t offs = hlen - ntail;
		44	if((hostname[offs-1] == '.') &&
		45	- strncasecompare(&hostname[offs], sts->host, ntail))
		46	- return sts;
		47	+ strncasecompare(&hostname[offs], sts->host, ntail) &&
		48	+ (ntail > blen)) {
		49	+ /* save the tail match with the longest tail */
		50	+ bestsub = sts;
		51	+ blen = ntail;
		52	+ }
		53	}
		54	}
		55	if(strcasecompare(hostname, sts->host))
		56	return sts;
		57	}
		58	}
		59	- return NULL; /* no match */
		60	+ return bestsub;
		61	}
		62
		63	/*
		64	@@ -439,7 +445,7 @@ static CURLcode hsts_add(struct hsts h, char line)
		65	e = Curl_hsts(h, p, subdomain);
		66	if(!e)
		67	result = hsts_create(h, p, subdomain, expires);
		68	- else {
		69	+ else if(strcasecompare(p, e->host)) {
		70	/* the same hostname, use the largest expire time */
		71	if(expires > e->expires)
		72	e->expires = expires;
		73	diff --git a/tests/data/test1660 b/tests/data/test1660
		74	index f86126d19cf269..4b6f9615c9d517 100644
		75	--- a/tests/data/test1660
		76	+++ b/tests/data/test1660
		77	@@ -52,7 +52,7 @@ this.example [this.example]: 1548400797
		78	Input 12: error 43
		79	Input 13: error 43
		80	Input 14: error 43
		81	-3.example.com [example.com]: 1569905261 includeSubDomains
		82	+3.example.com [3.example.com]: 1569905261 includeSubDomains
		83	3.example.com [example.com]: 1569905261 includeSubDomains
		84	foo.example.com [example.com]: 1569905261 includeSubDomains
		85	'foo.xample.com' is not HSTS


diff --git a/meta/recipes-support/curl/curl_8.9.1.bb b/meta/recipes-support/curl/curl_8.9.1.bb index 745224929b..174608b561 100644 --- a/meta/recipes-support/curl/curl_8.9.1.bb +++ b/meta/recipes-support/curl/curl_8.9.1.bb
@@ -15,6 +15,7 @@ SRC_URI = " \
15	file://disable-tests \	15	file://disable-tests \
16	file://no-test-timeout.patch \	16	file://no-test-timeout.patch \
17	file://0001-sigpipe-init-the-struct-so-that-first-apply-ignores.patch \	17	file://0001-sigpipe-init-the-struct-so-that-first-apply-ignores.patch \
		18	file://CVE-2024-9681.patch \
18	"	19	"
19	SRC_URI[sha256sum] = "f292f6cc051d5bbabf725ef85d432dfeacc8711dd717ea97612ae590643801e5"	20	SRC_URI[sha256sum] = "f292f6cc051d5bbabf725ef85d432dfeacc8711dd717ea97612ae590643801e5"
20		21