Diffstat (limited to 'poky/meta/recipes-support/curl/curl/CVE-2022-35260.patch')
-rw-r--r--poky/meta/recipes-support/curl/curl/CVE-2022-35260.patch73
1 files changed, 73 insertions, 0 deletions
diff --git a/poky/meta/recipes-support/curl/curl/CVE-2022-35260.patch b/poky/meta/recipes-support/curl/curl/CVE-2022-35260.patch
new file mode 100644
index 0000000000..a4aae69fd0
--- /dev/null
+++ b/poky/meta/recipes-support/curl/curl/CVE-2022-35260.patch
@@ -0,0 +1,73 @@
+From 9169e54444bdca7b5e7b44034c463fe5fc801e88 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 4 Oct 2022 14:37:24 +0200
+Subject: [PATCH] netrc: replace fgets with Curl_get_line
+
+Make the parser only accept complete lines and avoid problems with
+overly long lines.
+
+Reported-by: Hiroki Kurosawa
+
+Closes #9789
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/c97ec984fb2bc919a3aa86]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/curl_get_line.c | 6 +++---
+ lib/netrc.c | 5 +++--
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/lib/curl_get_line.c b/lib/curl_get_line.c
+index 6a26bb2..22e3705 100644
+--- a/lib/curl_get_line.c
++++ b/lib/curl_get_line.c
+@@ -25,7 +25,7 @@
+ #include "curl_setup.h"
+
+ #if !defined(CURL_DISABLE_COOKIES) || !defined(CURL_DISABLE_ALTSVC) || \
+- !defined(CURL_DISABLE_HSTS)
++ !defined(CURL_DISABLE_HSTS) || !defined(CURL_DISABLE_NETRC)
+
+ #include "curl_get_line.h"
+ #include "curl_memory.h"
+@@ -33,8 +33,8 @@
+ #include "memdebug.h"
+
+ /*
+- * get_line() makes sure to only return complete whole lines that fit in 'len'
+- * bytes and end with a newline.
++ * Curl_get_line() makes sure to only return complete whole lines that fit in
++ * 'len' bytes and end with a newline.
+ */
+ char *Curl_get_line(char *buf, int len, FILE *input)
+ {
+diff --git a/lib/netrc.c b/lib/netrc.c
+index 62a6a10..5d17482 100644
+--- a/lib/netrc.c
++++ b/lib/netrc.c
+@@ -33,6 +33,7 @@
+ #include "netrc.h"
+ #include "strtok.h"
+ #include "strcase.h"
++#include "curl_get_line.h"
+
+ /* The last 3 #include files should be in this order */
+ #include "curl_printf.h"
+@@ -84,7 +85,7 @@ static int parsenetrc(const char *host,
+ char netrcbuffer[4096];
+ int netrcbuffsize = (int)sizeof(netrcbuffer);
+
+- while(!done && fgets(netrcbuffer, netrcbuffsize, file)) {
++ while(!done && Curl_get_line(netrcbuffer, netrcbuffsize, file)) {
+ char *tok;
+ char *tok_end;
+ bool quoted;
+@@ -243,7 +244,7 @@ static int parsenetrc(const char *host,
+ } /* switch (state) */
+ tok = ++tok_end;
+ }
+- } /* while fgets() */
++ } /* while Curl_get_line() */
+
+ out:
+ if(!retcode) {
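Review bot: The added patch header has `Upstream-Status` and `Signed-off-by` but no CVE tag, so the identifier is recorded only in the file name; adding `CVE: CVE-2022-35260` on its own line above `Upstream-Status` would put it in the patch itself, which is the usual convention for OE-style CVE tracking (inferred from convention, not shown on this page). The `Upstream-Status` URL also uses an abbreviated commit hash, and the full upstream hash would make the backport easier to verify against the original fix. In the `parsenetrc` loop, the comment on `Curl_get_line()` says it returns only whole lines that fit in `len` bytes and end with a newline, so a final `.netrc` line without a trailing newline would presumably now be skipped and its credentials not used; that is worth confirming with a test file and noting in the header. The body of `parsenetrc` continues beyond the context shown, and the recipe change that adds this patch to `SRC_URI` is not visible in this path-limited view.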