2 files changed, 58 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2025-10148.patch b/meta/recipes-support/curl/curl/CVE-2025-10148.patch
new file mode 100644
index 0000000000..7bc5d18396
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2025-10148.patch
@@ -0,0 +1,57 @@
+From 84db7a9eae8468c0445b15aa806fa7fa806fa0f2 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 8 Sep 2025 14:14:15 +0200
+Subject: [PATCH] ws: get a new mask for each new outgoing frame
+Reported-by: Calvin Ruocco
+Closes #18496
+CVE: CVE-2025-10148
+Upstream-Status: Backport [https://github.com/curl/curl/commit/84db7a9eae8468c0445b15aa806fa]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ lib/ws.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+diff --git a/lib/ws.c b/lib/ws.c
+index 25d19c6..029172d 100644
+--- a/lib/ws.c
+++ b/lib/ws.c
+@@ -637,6 +637,18 @@ static ssize_t ws_enc_write_head(struct Curl_easy *data,
+   enc->payload_remain = enc->payload_len = payload_len;
+   ws_enc_info(enc, data, "sending");
+    /* 4 bytes random */
+
+  result = Curl_rand(data, (unsigned char *)&enc->mask, sizeof(enc->mask));
+  if(result)
+    return result;
+
+#ifdef DEBUGBUILD
+  if(getenv("CURL_WS_FORCE_ZERO_MASK"))
+    /* force the bit mask to 0x00000000, effectively disabling masking */
+    memset(&enc->mask, 0, sizeof(enc->mask));
+#endif
+
+   /* add 4 bytes mask */
+   memcpy(&head[hlen], &enc->mask, 4);
+   hlen += 4;
+@@ -819,14 +831,7 @@ CURLcode Curl_ws_accept(struct Curl_easy *data,
+      subprotocol not requested by the client), the client MUST Fail
+      the WebSocket Connection. */
+-  /* 4 bytes random */
+-
+-  result = Curl_rand(data, (unsigned char *)&ws->enc.mask,
+-                     sizeof(ws->enc.mask));
+-  if(result)
+-    return result;
+-  infof(data, "Received 101, switch to WebSocket; mask %02x%02x%02x%02x",
+-        ws->enc.mask[0], ws->enc.mask[1], ws->enc.mask[2], ws->enc.mask[3]);
+  infof(data, "Received 101, switch to WebSocket");
+   /* Install our client writer that decodes WS frames payload */
+   result = Curl_cwriter_create(&ws_dec_writer, data, &ws_cw_decode,
+--
+2.40.0
diff --git a/meta/recipes-support/curl/curl_8.12.1.bb b/meta/recipes-support/curl/curl_8.12.1.bb
index 0fb3719ac2..bfe0075af7 100644
--- a/meta/recipes-support/curl/curl_8.12.1.bb
+++ b/meta/recipes-support/curl/curl_8.12.1.bb
@@ -15,6 +15,7 @@ SRC_URI = " \
    file://disable-tests \
    file://no-test-timeout.patch \
    file://CVE-2025-9086.patch \
+    file://CVE-2025-10148.patch \
 "
 SRC_URI:append:class-nativesdk = " \

diff --git a/meta/recipes-support/curl/curl/CVE-2025-10148.patch b/meta/recipes-support/curl/curl/CVE-2025-10148.patch new file mode 100644 index 0000000000..7bc5d18396 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2025-10148.patch
@@ -0,0 +1,57 @@
		1	From 84db7a9eae8468c0445b15aa806fa7fa806fa0f2 Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Mon, 8 Sep 2025 14:14:15 +0200
		4	Subject: [PATCH] ws: get a new mask for each new outgoing frame
		5
		6	Reported-by: Calvin Ruocco
		7	Closes #18496
		8
		9	CVE: CVE-2025-10148
		10	Upstream-Status: Backport [https://github.com/curl/curl/commit/84db7a9eae8468c0445b15aa806fa]
		11
		12	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		13	---
		14	lib/ws.c \| 21 +++++++++++++--------
		15	1 file changed, 13 insertions(+), 8 deletions(-)
		16
		17	diff --git a/lib/ws.c b/lib/ws.c
		18	index 25d19c6..029172d 100644
		19	--- a/lib/ws.c
		20	+++ b/lib/ws.c
		21	@@ -637,6 +637,18 @@ static ssize_t ws_enc_write_head(struct Curl_easy *data,
		22	enc->payload_remain = enc->payload_len = payload_len;
		23	ws_enc_info(enc, data, "sending");
		24
		25	+ /* 4 bytes random */
		26	+
		27	+ result = Curl_rand(data, (unsigned char *)&enc->mask, sizeof(enc->mask));
		28	+ if(result)
		29	+ return result;
		30	+
		31	+#ifdef DEBUGBUILD
		32	+ if(getenv("CURL_WS_FORCE_ZERO_MASK"))
		33	+ /* force the bit mask to 0x00000000, effectively disabling masking */
		34	+ memset(&enc->mask, 0, sizeof(enc->mask));
		35	+#endif
		36	+
		37	/* add 4 bytes mask */
		38	memcpy(&head[hlen], &enc->mask, 4);
		39	hlen += 4;
		40	@@ -819,14 +831,7 @@ CURLcode Curl_ws_accept(struct Curl_easy *data,
		41	subprotocol not requested by the client), the client MUST Fail
		42	the WebSocket Connection. */
		43
		44	- /* 4 bytes random */
		45	-
		46	- result = Curl_rand(data, (unsigned char *)&ws->enc.mask,
		47	- sizeof(ws->enc.mask));
		48	- if(result)
		49	- return result;
		50	- infof(data, "Received 101, switch to WebSocket; mask %02x%02x%02x%02x",
		51	- ws->enc.mask[0], ws->enc.mask[1], ws->enc.mask[2], ws->enc.mask[3]);
		52	+ infof(data, "Received 101, switch to WebSocket");
		53
		54	/* Install our client writer that decodes WS frames payload */
		55	result = Curl_cwriter_create(&ws_dec_writer, data, &ws_cw_decode,
		56	--
		57	2.40.0


diff --git a/meta/recipes-support/curl/curl_8.12.1.bb b/meta/recipes-support/curl/curl_8.12.1.bb index 0fb3719ac2..bfe0075af7 100644 --- a/meta/recipes-support/curl/curl_8.12.1.bb +++ b/meta/recipes-support/curl/curl_8.12.1.bb
@@ -15,6 +15,7 @@ SRC_URI = " \
15	file://disable-tests \	15	file://disable-tests \
16	file://no-test-timeout.patch \	16	file://no-test-timeout.patch \
17	file://CVE-2025-9086.patch \	17	file://CVE-2025-9086.patch \
		18	file://CVE-2025-10148.patch \
18	"	19	"
19		20
20	SRC_URI:append:class-nativesdk = " \	21	SRC_URI:append:class-nativesdk = " \