external/curl/0001-curl_sasl-if-redirected-require-permission-to-use-be.patch | 39 +++ external/curl/0001-ldap-call-ldap_init-before-setting-the-options.patch | 115 ++++++++++ external/curl/0001-libssh-require-private-key-or-user-agent-for-public-.patch | 30 ++ external/curl/0001-libssh-set-both-knownhosts-options-to-the-same-file.patch | 31 ++ external/curl/0001-openssl-toggling-CURLSSLOPT_NO_PARTIALCHAIN-makes-a-.patch | 73 ++++++ external/curl/0001-vquic-tls-gnutls-call-Curl_gtls_verifyserver-uncondi.patch | 36 +++ external/curl/UnpackedTarball_curl.mk | 6 7 files changed, 330 insertions(+)
New commits: commit 7ae82489e853d495ea3abc1473785533fd777604 Author: Xisco Fauli <[email protected]> AuthorDate: Wed Jan 7 11:17:18 2026 +0100 Commit: Xisco Fauli <[email protected]> CommitDate: Fri Jan 9 10:48:50 2026 +0100 curl: patch CVE fixes from curl 8.18.0 See https://curl.se/docs/vuln-8.17.0.html it patches CVE-2025-15224, CVE-2025-15079, CVE-2025-14819, CVE-2025-14524, CVE-2025-14017 and CVE-2025-13034 Change-Id: Ifd0be12756ee0a538b2e234751af45e143ece8a7 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/196678 Tested-by: Jenkins Reviewed-by: Xisco Fauli <[email protected]> diff --git a/external/curl/0001-curl_sasl-if-redirected-require-permission-to-use-be.patch b/external/curl/0001-curl_sasl-if-redirected-require-permission-to-use-be.patch new file mode 100644 index 000000000000..5ca576782127 --- /dev/null +++ b/external/curl/0001-curl_sasl-if-redirected-require-permission-to-use-be.patch 
@@ -0,0 +1,39 @@ +From 1a822275d333dc6da6043497160fd04c8fa48640 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <[email protected]> +Date: Wed, 10 Dec 2025 11:40:47 +0100 +Subject: [PATCH] curl_sasl: if redirected, require permission to use bearer + +Closes #19933 +--- + lib/curl_sasl.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c +index 3e4bafc19a..b93bafbefa 100644 +--- a/lib/curl_sasl.c ++++ b/lib/curl_sasl.c +@@ -356,7 +356,9 @@ + data->set.str[STRING_SERVICE_NAME] : + sasl->params->service; + #endif +- const char *oauth_bearer = data->set.str[STRING_BEARER]; ++ const char *oauth_bearer = ++ (!data->state.this_is_a_follow || data->set.allow_auth_to_other_hosts) ? ++ data->set.str[STRING_BEARER] : NULL; + struct bufref nullmsg; + + Curl_conn_get_host(data, FIRSTSOCKET, &hostname, &disp_hostname, &port); +@@ -543,7 +545,9 @@ + data->set.str[STRING_SERVICE_NAME] : + sasl->params->service; + #endif +- const char *oauth_bearer = data->set.str[STRING_BEARER]; ++ const char *oauth_bearer = ++ (!data->state.this_is_a_follow || data->set.allow_auth_to_other_hosts) ? ++ data->set.str[STRING_BEARER] : NULL; + struct bufref serverdata; + + Curl_conn_get_host(data, FIRSTSOCKET, &hostname, &disp_hostname, &port); +-- +2.39.5 + diff --git a/external/curl/0001-ldap-call-ldap_init-before-setting-the-options.patch b/external/curl/0001-ldap-call-ldap_init-before-setting-the-options.patch new file mode 100644 index 000000000000..186e3f9a5ae5 --- /dev/null +++ b/external/curl/0001-ldap-call-ldap_init-before-setting-the-options.patch 
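Review bot: The new `oauth_bearer` gate is written out by hand at both sites in this patch (the hunks at lib/curl_sasl.c lines 356 and 543), and it only consults `this_is_a_follow` and `allow_auth_to_other_hosts`, so a redirect that lands back on the original host also loses the bearer token. curl's HTTP code already expresses this policy in `Curl_auth_allowed_to_host()`, which additionally keeps the credential when the follow stays on the first host, port and protocol; if that helper is available in this build (it may be compiled out when HTTP support is disabled), both sites could read `const char *oauth_bearer = Curl_auth_allowed_to_host(data) ? data->set.str[STRING_BEARER] : NULL;`. At minimum the duplicated three-line expression deserves a one-line `static` helper so the two SASL entry points cannot drift apart. Both enclosing functions start and end outside the hunks shown.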
@@ -0,0 +1,115 @@ +From 39d1976b7f709a516e3243338ebc0443bdd8d56d Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <[email protected]> +Date: Thu, 4 Dec 2025 00:14:20 +0100 +Subject: [PATCH] ldap: call ldap_init() before setting the options + +Closes #19830 +--- + lib/ldap.c | 50 +++++++++++++++++++------------------------------- + 1 file changed, 19 insertions(+), 31 deletions(-) + +diff --git a/lib/ldap.c b/lib/ldap.c +index 63b2cbc414..0911a9239a 100644 +--- a/lib/ldap.c ++++ b/lib/ldap.c +@@ -374,17 +374,30 @@ + user = conn->user; + passwd = conn->passwd; + } ++ ++#ifdef USE_WIN32_LDAP ++ if(ldap_ssl) ++ server = ldap_sslinit(host, (curl_ldap_num_t)conn->primary.remote_port, 1); ++ else ++#else ++ server = ldap_init(host, (curl_ldap_num_t)conn->primary.remote_port); ++#endif ++ if(!server) { ++ failf(data, "LDAP: cannot setup connect to %s:%u", ++ conn->host.dispname, conn->primary.remote_port); ++ result = CURLE_COULDNT_CONNECT; ++ goto quit; ++ } + + #ifdef LDAP_OPT_NETWORK_TIMEOUT +- ldap_set_option(NULL, LDAP_OPT_NETWORK_TIMEOUT, &ldap_timeout); ++ ldap_set_option(server, LDAP_OPT_NETWORK_TIMEOUT, &ldap_timeout); + #endif +- ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto); ++ ldap_set_option(server, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto); + + if(ldap_ssl) { + #ifdef HAVE_LDAP_SSL + #ifdef USE_WIN32_LDAP + /* Win32 LDAP SDK does not support insecure mode without CA! 
*/ +- server = ldap_sslinit(host, (curl_ldap_num_t)conn->primary.remote_port, 1); + ldap_set_option(server, LDAP_OPT_SSL, LDAP_OPT_ON); + #else + int ldap_option; +@@ -404,7 +417,7 @@ + goto quit; + } + infof(data, "LDAP local: using PEM CA cert: %s", ldap_ca); +- rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, ldap_ca); ++ rc = ldap_set_option(server, LDAP_OPT_X_TLS_CACERTFILE, ldap_ca); + if(rc != LDAP_SUCCESS) { + failf(data, "LDAP local: ERROR setting PEM CA cert: %s", + ldap_err2string(rc)); +@@ -416,20 +429,13 @@ + else + ldap_option = LDAP_OPT_X_TLS_NEVER; + +- rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_option); ++ rc = ldap_set_option(server, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_option); + if(rc != LDAP_SUCCESS) { + failf(data, "LDAP local: ERROR setting cert verify mode: %s", + ldap_err2string(rc)); + result = CURLE_SSL_CERTPROBLEM; + goto quit; + } +- server = ldap_init(host, conn->primary.remote_port); +- if(!server) { +- failf(data, "LDAP local: Cannot connect to %s:%u", +- conn->host.dispname, conn->primary.remote_port); +- result = CURLE_COULDNT_CONNECT; +- goto quit; +- } + ldap_option = LDAP_OPT_X_TLS_HARD; + rc = ldap_set_option(server, LDAP_OPT_X_TLS, &ldap_option); + if(rc != LDAP_SUCCESS) { +@@ -438,15 +444,6 @@ + result = CURLE_SSL_CERTPROBLEM; + goto quit; + } +-/* +- rc = ldap_start_tls_s(server, NULL, NULL); +- if(rc != LDAP_SUCCESS) { +- failf(data, "LDAP local: ERROR starting SSL/TLS mode: %s", +- ldap_err2string(rc)); +- result = CURLE_SSL_CERTPROBLEM; +- goto quit; +- } +-*/ + #else + (void)ldap_option; + (void)ldap_ca; +@@ -465,15 +462,7 @@ + result = CURLE_NOT_BUILT_IN; + goto quit; + } +- else { +- server = ldap_init(host, (curl_ldap_num_t)conn->primary.remote_port); +- if(!server) { +- failf(data, "LDAP local: Cannot connect to %s:%u", +- conn->host.dispname, conn->primary.remote_port); +- result = CURLE_COULDNT_CONNECT; +- goto quit; +- } +- } ++ + #ifdef USE_WIN32_LDAP + ldap_set_option(server, 
LDAP_OPT_PROTOCOL_VERSION, &ldap_proto); + rc = ldap_win_bind(data, server, user, passwd); +-- +2.39.5 + diff --git a/external/curl/0001-libssh-require-private-key-or-user-agent-for-public-.patch b/external/curl/0001-libssh-require-private-key-or-user-agent-for-public-.patch new file mode 100644 index 000000000000..2a974112c62f --- /dev/null +++ b/external/curl/0001-libssh-require-private-key-or-user-agent-for-public-.patch @@ -0,0 +1,30 @@ +From 16d5f2a5660c61cc27bd5f1c7f512391d1c927aa Mon Sep 17 00:00:00 2001 +From: Harry Sintonen <[email protected]> +Date: Mon, 29 Dec 2025 16:56:39 +0100 +Subject: [PATCH] libssh: require private key or user-agent for public key auth + +Closes #20110 +--- + lib/vssh/libssh.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c +index 5d5125b526..bde6355f73 100644 +--- a/lib/vssh/libssh.c ++++ b/lib/vssh/libssh.c +@@ -698,7 +698,11 @@ + "keyboard-interactive, " : "", + sshc->auth_methods & SSH_AUTH_METHOD_PASSWORD ? + "password": ""); +- if(sshc->auth_methods & SSH_AUTH_METHOD_PUBLICKEY) { ++ /* For public key auth we need either the private key or ++ CURLSSH_AUTH_AGENT. */ ++ if((sshc->auth_methods & SSH_AUTH_METHOD_PUBLICKEY) && ++ (data->set.str[STRING_SSH_PRIVATE_KEY] || ++ (data->set.ssh_auth_types & CURLSSH_AUTH_AGENT))) { + myssh_state(data, sshc, SSH_AUTH_PKEY_INIT); + infof(data, "Authentication using SSH public key file"); + } +-- +2.39.5 + diff --git a/external/curl/0001-libssh-set-both-knownhosts-options-to-the-same-file.patch b/external/curl/0001-libssh-set-both-knownhosts-options-to-the-same-file.patch new file mode 100644 index 000000000000..2b3c7683b786 --- /dev/null +++ b/external/curl/0001-libssh-set-both-knownhosts-options-to-the-same-file.patch 
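Review bot: In the first hunk of the ldap.c patch (around line 374) the new block reads `if(ldap_ssl) ... else` followed by `#else` rather than `#endif`, so when `USE_WIN32_LDAP` is defined the `ldap_init()` call is preprocessed away and the dangling `else` binds to the following `if(!server)`. On that configuration a non-TLS connection never initialises `server` and falls straight into the "cannot setup connect" failure, while a TLS connection skips the NULL check entirely and the later `ldap_set_option(server, ...)` calls run on whatever `ldap_sslinit()` returned. Presumably the intent is `+#endif` in place of `+#else`, with `ldap_init()` as the unconditional else-arm and the later `+#endif` dropped, so both builds reach the NULL check; if upstream carries a follow-up correction it should be backported alongside this patch. The enclosing function starts and ends outside the hunk.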
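Review bot: The `infof(data, "Authentication using SSH public key file");` that follows the new condition is now also reached when no key file is configured and only `CURLSSH_AUTH_AGENT` is set, so the log line is misleading for the agent-only case; `infof(data, "Authentication using SSH public key");` would cover both paths. The comment added above the condition explains the rule well; it might also say which method is tried when neither a key nor the agent is available, since that fallthrough is outside the hunk. The enclosing function starts and ends outside the hunk.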
@@ -0,0 +1,31 @@ +From adca486c125d9a6d9565b9607a19dce803a8b479 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <[email protected]> +Date: Wed, 24 Dec 2025 17:47:03 +0100 +Subject: [PATCH] libssh: set both knownhosts options to the same file + +Reported-by: Harry Sintonen + +Closes #20092 +--- + lib/vssh/libssh.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c +index 7d5905c83d..98c109ab59 100644 +--- a/lib/vssh/libssh.c ++++ b/lib/vssh/libssh.c +@@ -2629,6 +2629,11 @@ static CURLcode myssh_connect(struct Curl_easy *data, bool *done) + infof(data, "Known hosts: %s", data->set.str[STRING_SSH_KNOWNHOSTS]); + rc = ssh_options_set(sshc->ssh_session, SSH_OPTIONS_KNOWNHOSTS, + data->set.str[STRING_SSH_KNOWNHOSTS]); ++ if(rc == SSH_OK) ++ /* libssh has two separate options for this. Set both to the same file ++ to avoid surprises */ ++ rc = ssh_options_set(sshc->ssh_session, SSH_OPTIONS_GLOBAL_KNOWNHOSTS, ++ data->set.str[STRING_SSH_KNOWNHOSTS]); + if(rc != SSH_OK) { + failf(data, "Could not set known hosts file path"); + return CURLE_FAILED_INIT; +-- +2.39.5 + diff --git a/external/curl/0001-openssl-toggling-CURLSSLOPT_NO_PARTIALCHAIN-makes-a-.patch b/external/curl/0001-openssl-toggling-CURLSSLOPT_NO_PARTIALCHAIN-makes-a-.patch new file mode 100644 index 000000000000..6613d80c9ae3 --- /dev/null +++ b/external/curl/0001-openssl-toggling-CURLSSLOPT_NO_PARTIALCHAIN-makes-a-.patch 
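Review bot: The new `if(rc == SSH_OK)` has a two-line comment between the condition and its single statement, which is exactly the shape that makes a later insertion silently fall outside the conditional; brace it as `if(rc == SSH_OK) {` ... `}` with the comment inside the braces. The shared failure path after it still reports `"Could not set known hosts file path"` for either option, which is fine, though logging which of the two `ssh_options_set` calls failed would make field reports easier to read. The enclosing function `myssh_connect` starts and ends outside the hunk.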
@@ -0,0 +1,73 @@ +From cd046f6c93b39d673a58c18648d8906e954c4f5d Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <[email protected]> +Date: Wed, 17 Dec 2025 10:54:16 +0100 +Subject: [PATCH] openssl: toggling CURLSSLOPT_NO_PARTIALCHAIN makes a + different CA cache + +Reported-by: Stanislav Fort + +Closes #20009 +--- + lib/vtls/openssl.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index a7f169d641..7563d9a090 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -3457,6 +3457,7 @@ + char *CAfile; /* CAfile path used to generate X509 store */ + X509_STORE *store; /* cached X509 store or NULL if none */ + struct curltime time; /* when the cached store was created */ ++ BIT(no_partialchain); /* keep partial chain state */ + }; + + static void oss_x509_share_free(void *key, size_t key_len, void *p) +@@ -3491,12 +3492,16 @@ + + static bool + ossl_cached_x509_store_different(struct Curl_cfilter *cf, ++ const struct Curl_easy *data, + const struct ossl_x509_share *mb) + { + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); ++ struct ssl_config_data *ssl_config = ++ Curl_ssl_cf_get_config(cf, CURL_UNCONST(data)); ++ if(mb->no_partialchain != ssl_config->no_partialchain) ++ return TRUE; + if(!mb->CAfile || !conn_config->CAfile) + return mb->CAfile != conn_config->CAfile; +- + return strcmp(mb->CAfile, conn_config->CAfile); + } + +@@ -3513,7 +3518,7 @@ + sizeof(MPROTO_OSSL_X509_KEY)-1) : NULL; + if(share && share->store && + !ossl_cached_x509_store_expired(data, share) && +- !ossl_cached_x509_store_different(cf, share)) { ++ !ossl_cached_x509_store_different(cf, data, share)) { + store = share->store; + } + +@@ -3550,6 +3555,8 @@ + + if(X509_STORE_up_ref(store)) { + char *CAfile = NULL; ++ struct ssl_config_data *ssl_config = ++ Curl_ssl_cf_get_config(cf, CURL_UNCONST(data)); + + if(conn_config->CAfile) { + CAfile = strdup(conn_config->CAfile); +@@ -3567,6 
+3574,7 @@ + share->time = curlx_now(); + share->store = store; + share->CAfile = CAfile; ++ share->no_partialchain = ssl_config->no_partialchain; + } + } + + +-- +2.39.5 + diff --git a/external/curl/0001-vquic-tls-gnutls-call-Curl_gtls_verifyserver-uncondi.patch b/external/curl/0001-vquic-tls-gnutls-call-Curl_gtls_verifyserver-uncondi.patch new file mode 100644 index 000000000000..b73f23c1a3ae --- /dev/null +++ b/external/curl/0001-vquic-tls-gnutls-call-Curl_gtls_verifyserver-uncondi.patch @@ -0,0 +1,36 @@ +From 3d91ca8cdb3b434226e743946d428b4dd3acf2c9 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <[email protected]> +Date: Fri, 14 Nov 2025 16:42:23 +0100 +Subject: [PATCH] vquic-tls/gnutls: call Curl_gtls_verifyserver unconditionally + +Closes #19531 +--- + lib/vquic/vquic-tls.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/lib/vquic/vquic-tls.c b/lib/vquic/vquic-tls.c +index f4ef06c33b..46bb4c7d4c 100644 +--- a/lib/vquic/vquic-tls.c ++++ b/lib/vquic/vquic-tls.c +@@ -169,13 +169,11 @@ + (void)conn_config; + result = Curl_oss_check_peer_cert(cf, data, &ctx->ossl, peer); + #elif defined(USE_GNUTLS) +- if(conn_config->verifyhost) { +- result = Curl_gtls_verifyserver(data, ctx->gtls.session, +- conn_config, &data->set.ssl, peer, +- data->set.str[STRING_SSL_PINNEDPUBLICKEY]); +- if(result) +- return result; +- } ++ result = Curl_gtls_verifyserver(cf, data, ctx->gtls.session, ++ conn_config, &data->set.ssl, peer, ++ data->set.str[STRING_SSL_PINNEDPUBLICKEY]); ++ if(result) ++ return result; + #elif defined(USE_WOLFSSL) + (void)data; + if(conn_config->verifyhost) { +-- +2.39.5 + diff --git a/external/curl/UnpackedTarball_curl.mk b/external/curl/UnpackedTarball_curl.mk index 51bec9c4f659..27b8d2b84783 100644 --- a/external/curl/UnpackedTarball_curl.mk +++ b/external/curl/UnpackedTarball_curl.mk 
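Review bot: After this patch `ossl_cached_x509_store_different()` decides cache identity from exactly two fields, `CAfile` and the new `no_partialchain` bit, so any other setting that changes how the X509 store is built would still be served from a store created under different settings. The hunk does not show whether the caching path is already disabled for configurations such as a CA path, CRL file or CA blob; that exclusion should be confirmed in the surrounding code when taking this backport. A short comment on the struct member, `/* part of the cache key together with CAfile */`, would make the invariant visible to the next person adding a store-affecting option. `ssl_config` is looked up twice from the same `cf`/`data` pair; passing it into the compare function would remove one `Curl_ssl_cf_get_config` call.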
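Review bot: The replacement call passes `cf` as the first argument where the removed call started with `data`, yet the patch's diffstat touches only lib/vquic/vquic-tls.c, so it presumes the bundled tarball's `Curl_gtls_verifyserver` already has the `cf` parameter. The old call would not have compiled against such a prototype, which suggests the GnuTLS+QUIC path of vquic-tls.c is not built in this configuration; if that is the case the patch is harmless but unverified here, and it would be worth noting in the commit message that it is carried for completeness only. Dropping the `verifyhost` gate also means the verifier now runs with `STRING_SSL_PINNEDPUBLICKEY` regardless of that setting, so the callee is assumed to honour `verifyhost`/`verifypeer` itself. The enclosing function starts and ends outside the hunk.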
@@ -30,6 +30,12 @@ $(eval $(call gb_UnpackedTarball_add_patches,curl,\ external/curl/0001-const-up-readonly-H2_NON_FIELD.patch.1 \ external/curl/0001-cookie-don-t-treat-the-leading-slash-as-trailing.patch \ external/curl/0001-ws-get-a-new-mask-for-each-new-outgoing-frame.patch \ + external/curl/0001-libssh-require-private-key-or-user-agent-for-public-.patch \ + external/curl/0001-libssh-set-both-knownhosts-options-to-the-same-file.patch \ + external/curl/0001-openssl-toggling-CURLSSLOPT_NO_PARTIALCHAIN-makes-a-.patch \ + external/curl/0001-curl_sasl-if-redirected-require-permission-to-use-be.patch \ + external/curl/0001-ldap-call-ldap_init-before-setting-the-options.patch \ + external/curl/0001-vquic-tls-gnutls-call-Curl_gtls_verifyserver-uncondi.patch \ )) ifeq ($(OS)-$(COM_IS_CLANG),WNT-TRUE)
