curl: patch CVE-2025-14819

Pick patch per [1]. Additionally pick commit with definition of CURL_UNCONST to make the cherry-pick possible without build errors. It will be probably needed also by further CVE patches. [1] https://curl.se/docs/CVE-2025-14819.html (From OE-Core rev: 3a8e5ae08380ca201df950546dd5f02f9bbe1237) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-01-29 21:08:42 +01:00 · 2026-01-10 18:36:25 +01:00
parent 7a394819a8
commit ea774774ef
3 changed files with 160 additions and 0 deletions
--- a/meta/recipes-support/curl/curl/0001-build-enable-Wcast-qual-fix-or-silence-compiler-warn.patch
+++ b/meta/recipes-support/curl/curl/0001-build-enable-Wcast-qual-fix-or-silence-compiler-warn.patch
@@ -0,0 +1,85 @@
+From 9989d5392e9e61c81fdd3e464511ddd8d73c2f87 Mon Sep 17 00:00:00 2001
+From: Viktor Szakats <commit@vsz.me>
+Date: Fri, 31 Jan 2025 23:20:46 +0100
+Subject: [PATCH] build: enable `-Wcast-qual`, fix or silence compiler warnings
+
+The issues found fell into these categories, with the applied fixes:
+
+- const was accidentally stripped.
+  Adjust code to not cast or cast with const.
+
+- const/volatile missing from arguments, local variables.
+  Constify arguments or variables, adjust/delete casts. Small code
+  changes in a few places.
+
+- const must be stripped because an API dependency requires it.
+  Strip `const` with `CURL_UNCONST()` macro to silence the warning out
+  of our control. These happen at API boundaries. Sometimes they depend
+  on dependency version, which this patch handles as necessary. Also
+  enable const support for the zlib API, using `ZLIB_CONST`. Supported
+  by zlib 1.2.5.2 and newer.
+
+- const must be stripped because a curl API requires it.
+  Strip `const` with `CURL_UNCONST()` macro to silence the warning out
+  of our immediate control. For example we promise to send a non-const
+  argument to a callback, though the data is const internally.
+
+- other cases where we may avoid const stripping by code changes.
+  Also silenced with `CURL_UNCONST()`.
+
+- there are 3 places where `CURL_UNCONST()` is cast again to const.
+  To silence this type of warning:
+  ```
+  lib/vquic/curl_osslq.c:1015:29: error: to be safe all intermediate
+    pointers in cast from 'unsigned char **' to 'const unsigned char **'
+    must be 'const' qualified [-Werror=cast-qual]
+  lib/cf-socket.c:734:32: error: to be safe all intermediate pointers in
+    cast from 'char **' to 'const char **' must be 'const' qualified
+    [-Werror=cast-qual]
+  ```
+  There may be a better solution, but I couldn't find it.
+
+These cases are handled in separate subcommits, but without further
+markup.
+
+If you see a `-Wcast-qual` warning in curl, we appreciate your report
+about it.
+
+Closes #16142
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/9989d5392e9e61c81fdd3e464511ddd8d73c2f87]
+
+Picked only header file definition, not complete code refactoring.
+CURL_UNCONST will be probably needed also by further CVE patches due to this rework.
+
+Also later modified by removing VS2008 code per 2e1a045d8985e5daa4d9a4f908ed870a16d8e41e.
+
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ lib/curl_setup_once.h | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/lib/curl_setup_once.h b/lib/curl_setup_once.h
+index bf0ee663d3..df5b44c478 100644
+--- a/lib/curl_setup_once.h
+++ b/lib/curl_setup_once.h
+@@ -69,10 +69,18 @@
+ #include <unistd.h>
+ #endif
+ 
+-#ifdef USE_WOLFSSL
+#if defined(HAVE_STDINT_H) || defined(USE_WOLFSSL)
+ #include <stdint.h>
+ #endif
+ 
+/* Macro to strip 'const' without triggering a compiler warning.
+ Use* it for APIs that do not or cannot support the const qualifier. */
+#ifdef HAVE_STDINT_H
+#  define CURL_UNCONST(p) ((void *)(uintptr_t)(const void *)(p))
+#else
+#  define CURL_UNCONST(p) ((void *)(p))  /* Fall back to simple cast */
+#endif
+
+ #ifdef USE_SCHANNEL
+ /* Must set this before <schannel.h> is included directly or indirectly by
+    another Windows header. */
--- a/meta/recipes-support/curl/curl/CVE-2025-14819.patch
+++ b/meta/recipes-support/curl/curl/CVE-2025-14819.patch
@@ -0,0 +1,73 @@
+From cd046f6c93b39d673a58c18648d8906e954c4f5d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 17 Dec 2025 10:54:16 +0100
+Subject: [PATCH] openssl: toggling CURLSSLOPT_NO_PARTIALCHAIN makes a
+ different CA cache
+
+Reported-by: Stanislav Fort
+
+Closes #20009
+
+CVE: CVE-2025-14819
+Upstream-Status: Backport [https://github.com/curl/curl/commit/cd046f6c93b39d673a58c18648d8906e954c4f5d]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ lib/vtls/openssl.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index a7f169d641..7563d9a090 100644
+--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
+@@ -317,6 +317,7 @@ struct multi_ssl_backend_data {
+   char *CAfile;         /* CAfile path used to generate X509 store */
+   X509_STORE *store;    /* cached X509 store or NULL if none */
+   struct curltime time; /* when the cached store was created */
+  BIT(no_partialchain); /* keep partial chain state */
+ };
+ #endif /* HAVE_SSL_X509_STORE_SHARE */
+ 
+@@ -3378,12 +3379,16 @@ static bool cached_x509_store_expired(const struct Curl_easy *data,
+ 
+ static bool cached_x509_store_different(
+   struct Curl_cfilter *cf,
+                                             const struct Curl_easy *data,
+   const struct multi_ssl_backend_data *mb)
+ {
+   struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
+  struct ssl_config_data *ssl_config =
+    Curl_ssl_cf_get_config(cf, CURL_UNCONST(data));
+  if(mb->no_partialchain != ssl_config->no_partialchain)
+    return TRUE;
+   if(!mb->CAfile || !conn_config->CAfile)
+     return mb->CAfile != conn_config->CAfile;
+-
+   return strcmp(mb->CAfile, conn_config->CAfile);
+ }
+ 
+@@ -3398,7 +3403,7 @@ static X509_STORE *get_cached_x509_store(struct Curl_cfilter *cf,
+      multi->ssl_backend_data &&
+      multi->ssl_backend_data->store &&
+      !cached_x509_store_expired(data, multi->ssl_backend_data) &&
+-     !cached_x509_store_different(cf, multi->ssl_backend_data)) {
+     !cached_x509_store_different(cf, data, multi->ssl_backend_data)) {
+     store = multi->ssl_backend_data->store;
+   }
+ 
+@@ -3427,6 +3432,8 @@ static void set_cached_x509_store(struct Curl_cfilter *cf,
+ 
+   if(X509_STORE_up_ref(store)) {
+     char *CAfile = NULL;
+    struct ssl_config_data *ssl_config =
+      Curl_ssl_cf_get_config(cf, CURL_UNCONST(data));
+ 
+     if(conn_config->CAfile) {
+       CAfile = strdup(conn_config->CAfile);
+@@ -3444,6 +3451,7 @@ static void set_cached_x509_store(struct Curl_cfilter *cf,
+     mbackend->time = Curl_now();
+     mbackend->store = store;
+     mbackend->CAfile = CAfile;
+    mbackend->no_partialchain = ssl_config->no_partialchain;
+   }
+ }
+ 
--- a/meta/recipes-support/curl/curl_8.7.1.bb
+++ b/meta/recipes-support/curl/curl_8.7.1.bb
@@ -26,6 +26,8 @@ SRC_URI = " \
    file://CVE-2025-0167.patch \
    file://CVE-2025-9086.patch \
    file://CVE-2025-14017.patch \
+    file://0001-build-enable-Wcast-qual-fix-or-silence-compiler-warn.patch \
+    file://CVE-2025-14819.patch \
 "

 SRC_URI:append:class-nativesdk = " \