mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-01-29 21:08:42 +01:00
Code Issues Packages Projects Releases Wiki Activity

curl: patch CVE-2025-15079

Browse Source 
Pick patch per [1].

[1] https://curl.se/docs/CVE-2025-15079.html

(From OE-Core rev: 48a162d90daada0f992e665696f7f2e738780af1)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Peter Marko
2026-01-10 18:36:26 +01:00
committed by Richard Purdie
parent ea774774ef
commit 41c8c7c5c5
2 changed files with 33 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
meta/recipes-support/curl/curl/CVE-2025-15079.patch Normal file
View File

@@ -0,0 +1,32 @@
From adca486c125d9a6d9565b9607a19dce803a8b479 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Wed, 24 Dec 2025 17:47:03 +0100
Subject: [PATCH] libssh: set both knownhosts options to the same file
Reported-by: Harry Sintonen
Closes #20092
CVE: CVE-2025-15079
Upstream-Status: Backport [https://github.com/curl/curl/commit/adca486c125d9a6d9565b9607a19dce803a8b479]
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
lib/vssh/libssh.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c
index 7d5905c83d..98c109ab59 100644
--- a/lib/vssh/libssh.c
+++ b/lib/vssh/libssh.c
@@ -2224,6 +2224,11 @@ static CURLcode myssh_connect(struct Curl_easy *data, bool *done)
infof(data, "Known hosts: %s", data->set.str[STRING_SSH_KNOWNHOSTS]);
rc = ssh_options_set(ssh->ssh_session, SSH_OPTIONS_KNOWNHOSTS,
data->set.str[STRING_SSH_KNOWNHOSTS]);
+ if(rc == SSH_OK)
+ /* libssh has two separate options for this. Set both to the same file
+ to avoid surprises */
+ rc = ssh_options_set(ssh->ssh_session, SSH_OPTIONS_GLOBAL_KNOWNHOSTS,
+ data->set.str[STRING_SSH_KNOWNHOSTS]);
if(rc != SSH_OK) {
failf(data, "Could not set known hosts file path");
return CURLE_FAILED_INIT;

1
meta/recipes-support/curl/curl_8.7.1.bb
View File

@@ -28,6 +28,7 @@ SRC_URI = " \
file://CVE-2025-14017.patch \ file://CVE-2025-14017.patch \
file://0001-build-enable-Wcast-qual-fix-or-silence-compiler-warn.patch \ file://0001-build-enable-Wcast-qual-fix-or-silence-compiler-warn.patch \
file://CVE-2025-14819.patch \ file://CVE-2025-14819.patch \
file://CVE-2025-15079.patch \
" "
SRC_URI:append:class-nativesdk = " \ SRC_URI:append:class-nativesdk = " \