#13945 closed enhancement (fixed)

curl-7.72.0

Reported by: Douglas R. Reno Owned by: Douglas R. Reno
Priority: high Milestone: 10.1
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

New minor version

curl and libcurl 7.72.0

 Public curl releases:         194
 Command line options:         232
 curl_easy_setopt() options:   277
 Public functions in libcurl:  82
 Contributors:                 2239

This release includes the following changes:

 o content_encoding: add zstd decoding support [1]
 o CURL_PUSH_ERROROUT: allow the push callback to fail the parent stream [31]
 o CURLINFO_EFFECTIVE_METHOD: added [34]

This release includes the following bugfixes:

 o CVE-2020-8231: libcurl: wrong connect-only connection [98]
 o appveyor: collect libcurl.dll variants with prefix or suffix [38]
 o asyn-ares: correct some bad comments [94]
 o bearssl: fix build with disabled proxy support [16]
 o buildconf: avoid array concatenation in die() [64]
 o buildconf: retire ares buildconf invocation
 o checksrc: ban gmtime/localtime [40]
 o checksrc: invoke script with -D to find .checksrc proper [63]
 o CI/azure: install libssh2 for use with msys2-based builds [67]
 o CI/azure: unconditionally enable warnings-as-errors with autotools [19]
 o CI/macos: enable warnings as errors for CMake builds [4]
 o CI/macos: set minimum macOS version [56]
 o CI/macos: unconditionally enable warnings-as-errors with autotools [21]
 o CI: Add muse CI analyzer [79]
 o cirrus-ci: upgrade 11-STABLE to 11.4 [2]
 o CMake: don't complain about missing nroff [87]
 o CMake: fix test for warning suppressions [17]
 o cmake: fix windows xp build [13]
 o configure.ac: Sort features name in summary [6]
 o configure: allow disabling warnings [26]
 o configure: cleanup wolfssl + pkg-config conflicts when cross compiling. [48]
 o configure: show zstd "no" in summary when built without it [49]
 o connect: remove redundant message about connect failure [66]
 o curl-config: ignore REQUIRE_LIB_DEPS in --libs output [96]
 o curl.1: add a few missing valid exit codes [76]
 o curl: add %{method} to the -w variables
 o curl: improve the existing file check with -J [43]
 o curl_multi_setopt: fix compiler warning "result is always false" [42]
 o curl_version_info.3: CURL_VERSION_KERBEROS4 is deprecated [9]
 o CURLINFO_CERTINFO.3: fix typo [3]
 o CURLOPT_NOBODY.3: clarify what setting to 0 means [46]
 o docs: add date of 7.20 to CURLM_CALL_MULTI_PERFORM mentions [18]
 o docs: Add video link to docs/CONTRIBUTE.md [95]
 o docs: change "web site" to "website" [86]
 o docs: clarify MAX_SEND/RECV_SPEED functionality [92]
 o docs: Update a few leftover mentions of DarwinSSL [29]
 o doh: remove redundant cast [20]
 o file2memory: use a define instead of -1 unsigned value [30]
 o ftp: don't do ssl_shutdown instead of ssl_close [85]
 o ftpserver: don't verify SMTP MAIL FROM names [8]
 o getinfo: reset retry-after value in initinfo [51]
 o gnutls: repair the build with `CURL_DISABLE_PROXY` [5]
 o gtls: survive not being able to get name/issuer [73]
 o h2: repair trailer handling [81]
 o http2: close the http2 connection when no more requests may be sent [7]
 o http2: fix nghttp2_strerror -> nghttp2_http2_strerror in debug messages [11]
 o libssh2: s/ssherr/sftperr/ [78]
 o libtest/Makefile.am: add -no-undefined for libstubgss for Cygwin [91]
 o md(4|5): don't use deprecated macOS functions [23]
 o mprintf: Fix dollar string handling [54]
 o mprintf: Fix stack overflows [53]
 o multi: Condition 'extrawait' is always true [60]
 o multi: Remove 10-year old out-commented code [97]
 o multi: remove two checks always true [36]
 o multi: update comment to say easyp list is linear [44]
 o multi_remove_handle: close unused connect-only connections [62]
 o ngtcp2: adapt to error code rename [69]
 o ngtcp2: adjust to recent sockaddr updates [27]
 o ngtcp2: update to modified qlog callback prototype [14]
 o nss: fix build with disabled proxy support [32]
 o ntlm: free target_info before (re-)malloc [55]
 o openssl: fix build with LibreSSL < 2.9.1 [61]
 o page-header: provide protocol details in the curl.1 man page [28]
 o quiche: handle calling disconnect twice [50]
 o runtests.pl: treat LibreSSL and BoringSSL as OpenSSL [59]
 o runtests: move the gnutls-serv tests to a dynamic port [74]
 o runtests: move the smbserver to use a dynamic port number [71]
 o runtests: move the TELNET server to a dynamic port [68]
 o runtests: run the DICT server on a random port number [90]
 o runtests: run the http2 tests on a random port number [72]
 o runtests: support dynamically base64 encoded sections in tests [75]
 o setopt: unset NOBODY switches to GET if still HEAD [47]
 o smtp_parse_address: handle blank input string properly [89]
 o socks: use size_t for size variable [39]
 o strdup: remove the odd strlen check [24]
 o test1119: verify stdout in the test [33]
 o test1139: make it display the difference on test failures
 o test1140: compare stdout [93]
 o test1908: treat file as text [83]
 o tests/FILEFORMAT.md: mention %HTTP2PORT
 o tests/sshserver.pl: fix compatibility with OpenSSH for Windows
 o TLS naming: fix more Winssl and Darwinssl leftovers [88]
 o tls-max.d: this option is only for TLS-using connections [45]
 o tlsv1.3.d: only for TLS-using connections [37]
 o tool_doswin: Simplify Windows version detection [57]
 o tool_getparam: make --krb option work again [10]
 o TrackMemory tests: ignore realloc and free in getenv.c [84]
 o transfer: fix data_pending for builds with both h2 and h3 enabled [41]
 o transfer: fix memory-leak with CURLOPT_CURLU in a duped handle [15]
 o transfer: move retrycount from connect struct to easy handle [77]
 o travis/script.sh: fix use of `-n' with unquoted envvar [80]
 o travis: add ppc64le and s390x builds [65]
 o travis: update quiche builds for new boringssl layout [25]
 o url: fix CURLU and location following [70]
 o url: silence MSVC warning [12]
 o util: silence conversion warnings [22]
 o win32: Add Curl_verify_windows_version() to curlx [58]
 o WIN32: stop forcing narrow-character API [52]
 o windows: add unicode to feature list [35]
 o windows: disable Unix Sockets for old mingw [82]

And for the security advisory:

VULNERABILITY
-------------

An application that performs multiple requests with libcurl's multi API and
sets the `CURLOPT_CONNECT_ONLY` option might in rare circumstances find that,
when subsequently using the connect-only transfer it set up, libcurl picks and
uses the wrong connection - instead picking another one the application has
created since then.

`CURLOPT_CONNECT_ONLY` is the option to tell libcurl to not perform an actual
transfer, only connect. When that operation is completed, libcurl remembers
which connection it used for that transfer and "easy handle". It remembers the
connection using a pointer to the internal `connectdata` struct in memory.

If more transfers are then done with the same multi handle before the
connect-only connection is used, leading to the initial connect-only
connection getting closed (for example due to idle time-out) while new
transfers (and connections) are also set up, such a *new* connection might end
up getting the exact same memory address as the now closed connect-only
connection.

If after those operations, the application then wants to use the original
transfer's connect-only setup to for example use `curl_easy_send()` to send
raw data over that connection, libcurl could **erroneously** find an existing
connection still being alive at the address it remembered since before even
though this is now a new and different connection.

The application could then accidentally send data over that connection which
wasn't at all intended for that recipient, entirely unknowingly.

We are not aware of any exploit of this flaw.
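A compact model of the dangling-pointer pattern described above, added here as an illustration; it is not curl's code and does not reproduce curl's internals. A fixed-slot pool stands in for the heap so that closing a connection and opening another one deterministically hands out the same address, which is the precondition the advisory names. The `pool_*` functions, the `easy_handle` struct, the `replay()` driver and the host names are all constructed for the example. The first lookup trusts the remembered address and so accepts the recycled slot; the second keys the lookup on a unique, never-reused connection id, a standard mitigation for this bug class (CWE-825), so the stale handle correctly finds no connection.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a connection cache, NOT libcurl's code: a fixed-slot
 * pool stands in for the heap so that closing a connection and opening a new
 * one deterministically reuses the same address. */
#define POOL_SIZE 4

struct connectdata {
    bool in_use;          /* slot currently holds a live connection */
    long connection_id;   /* unique per connection, never reused */
    char host[32];        /* peer the connection was opened to */
};

static struct connectdata pool[POOL_SIZE];
static long next_connection_id;

static void pool_reset(void) {
    memset(pool, 0, sizeof pool);
    next_connection_id = 0;
}

/* Open a connection in the first free slot (mimics allocator address reuse). */
static struct connectdata *pool_connect(const char *host) {
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = true;
            pool[i].connection_id = next_connection_id++;
            snprintf(pool[i].host, sizeof pool[i].host, "%s", host);
            return &pool[i];
        }
    }
    return NULL;
}

/* Close a connection (e.g. idle time-out); the slot becomes free for reuse. */
static void pool_close(struct connectdata *conn) {
    conn->in_use = false;
    conn->host[0] = '\0';
}

/* What an easy handle remembers about its connect-only connection
 * (hypothetical struct, not libcurl's). */
struct easy_handle {
    struct connectdata *lastconnect;  /* flawed: bare address */
    long lastconnect_id;              /* hardened: identity that survives address reuse */
};

/* Flawed lookup: "is there a live connection at the remembered address?"
 * A recycled slot satisfies this even though it is a different connection. */
static struct connectdata *find_by_pointer(const struct easy_handle *h) {
    for (int i = 0; i < POOL_SIZE; i++)
        if (pool[i].in_use && &pool[i] == h->lastconnect)
            return &pool[i];
    return NULL;
}

/* Hardened lookup: match on the unique id, so only the original connection
 * (if it is still open) is ever returned. */
static struct connectdata *find_by_id(const struct easy_handle *h) {
    for (int i = 0; i < POOL_SIZE; i++)
        if (pool[i].in_use && pool[i].connection_id == h->lastconnect_id)
            return &pool[i];
    return NULL;
}

/* Replays the advisory's sequence: connect-only to one host, that connection
 * times out, an unrelated transfer opens a new connection that lands at the
 * same address, then the application tries to send on the original handle.
 * Returns the host the data would go to, or NULL when the lookup correctly
 * reports that the connect-only connection is gone. Host names are constructed. */
static const char *replay(bool use_id) {
    struct easy_handle h;
    pool_reset();

    struct connectdata *only = pool_connect("alpha.example");  /* the CURLOPT_CONNECT_ONLY transfer */
    h.lastconnect = only;
    h.lastconnect_id = only->connection_id;

    pool_close(only);                                           /* idle time-out closes it */
    struct connectdata *other = pool_connect("beta.example");   /* unrelated new transfer */
    if (other != only)
        return "(address not reused)";  /* precondition not met; cannot happen with this pool */

    struct connectdata *found = use_id ? find_by_id(&h) : find_by_pointer(&h);
    return found ? found->host : NULL;
}

int main(void) {
    const char *flawed = replay(false);
    const char *fixed = replay(true);
    printf("pointer lookup would send to: %s\n", flawed ? flawed : "(no connection)");
    printf("id lookup would send to:      %s\n", fixed ? fixed : "(no connection)");
    return 0;
}
```

The pointer-based lookup hands back the `beta.example` connection for a handle that only ever connected to `alpha.example`, which is exactly the misdirected `curl_easy_send()` the advisory warns about; the id-based lookup returns no connection, so the application gets an error instead of writing to the wrong peer.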

INFO
----

This bug has existed at least since commit
[c43127414d](https://github.com/curl/curl/commit/c43127414d), first shipped in
curl 7.29.0.

This flaw cannot trigger for users of the curl tool but only for applications
using libcurl and the `CURLOPT_CONNECT_ONLY` option.

The flaw only happens if the exact same memory address is re-used again for
the new connection as for the original connect-only connection.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2020-8231 to this issue.

CWE-825: Expired Pointer Dereference

Severity: Low

AFFECTED VERSIONS
-----------------

- Affected versions: libcurl 7.29.0 to and including 7.71.1
- Not affected versions: libcurl < 7.29.0 and libcurl >= 7.72.0

THE SOLUTION
------------

A [fix for CVE-2020-8231](https://github.com/curl/curl/commit/3c9e021f86872baae412a427e807fbfa2f3e8)

RECOMMENDATIONS
--------------

We suggest you take one of the following actions immediately, in order of
preference:

 A - Upgrade curl to version 7.72.0

 B - Apply the patch on your curl version and rebuild

 C - Do not use `CURLOPT_CONNECT_ONLY`

TIMELINE
--------

This issue was first reported to the curl project on July 31, 2020.

This advisory was posted on August 19th 2020.

CREDITS
-------

This issue was reported by Marc Aldorasi. Patched by Daniel Stenberg.

Thanks a lot! 

Change History (6)

comment:1 by Xi Ruoyao, 11 months ago

There is a CVE, should we do it in 10.0?

comment:2 by Douglas R. Reno, 11 months ago

I was thinking of mentioning that, especially because it's got an interesting attack vector. That could technically be exploited by just launching multiple sessions of an application (although it is incredibly rare, and it depends on an application using the CURLOPT_CONNECT_ONLY flag). The advisory is confusing. It mentions "We suggest you take one of the following actions immediately", but then marks it as "Low" severity.

The roadblock I think we'd encounter is the amount of packages that use cURL.

comment:3 by Douglas R. Reno, 11 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:4 by Douglas R. Reno, 11 months ago

I'm not going to list this one in the errata since we've already fixed it with a patch in LFS 10.0.

comment:5 by Douglas R. Reno, 11 months ago

With this version, some test suite failures are seen:

TESTDONE: 1094 tests out of 1097 reported OK: 99%
TESTFAIL: These test cases failed: 1700 1701 1702 
TESTDONE: 1374 tests were considered during 1285 seconds.

This is with all BLFS dependencies installed, as well as the impacket python module. The problem appears to be with the fact that we don't install nghttp2's executables. The executables provide a rudimentary HTTP/2 server, called nghttpx, which the tests (specifically the server that fails to start, tests/http2-server.pl) attempt to start in order to check responses.

For now, I think it's adequate to just mention that they fail. However, we might want to consider adding the executables into nghttp2. To do that, Pierre mentioned that we'd need to add (at least) libev.

comment:6 by Douglas R. Reno, 11 months ago

Resolution: fixed
Status: assigned → closed

Fixed at r23661
