mirror of
https://git.yoctoproject.org/poky
synced 2026-01-29 21:08:42 +01:00
4543508143
1, A cookie is set using the secure keyword for https://target 2, curl is redirected to or otherwise made to speak with http://target (same hostname, but using clear text HTTP) using the same cookie set 3, The same cookie name is set - but with just a slash as path (path="/"). Since this site is not secure, the cookie should just be ignored. 4, A bug in the path comparison logic makes curl read outside a heap buffer boundary The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path. The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-9086 Upstream patch: https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb6 (From OE-Core rev: b0cc7001a628deaa96d1aebb5ded52797898a0be) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>