id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
13945,curl-7.72.0,Douglas R. Reno,Douglas R. Reno,"New minor version

{{{
curl and libcurl 7.72.0

 Public curl releases:         194
 Command line options:         232
 curl_easy_setopt() options:   277
 Public functions in libcurl:   82
 Contributors:                2239

This release includes the following changes:

 o content_encoding: add zstd decoding support [1]
 o CURL_PUSH_ERROROUT: allow the push callback to fail the parent stream [31]
 o CURLINFO_EFFECTIVE_METHOD: added [34]

This release includes the following bugfixes:

 o CVE-2020-8231: libcurl: wrong connect-only connection [98]
 o appveyor: collect libcurl.dll variants with prefix or suffix [38]
 o asyn-ares: correct some bad comments [94]
 o bearssl: fix build with disabled proxy support [16]
 o buildconf: avoid array concatenation in die() [64]
 o buildconf: retire ares buildconf invocation
 o checksrc: ban gmtime/localtime [40]
 o checksrc: invoke script with -D to find .checksrc proper [63]
 o CI/azure: install libssh2 for use with msys2-based builds [67]
 o CI/azure: unconditionally enable warnings-as-errors with autotools [19]
 o CI/macos: enable warnings as errors for CMake builds [4]
 o CI/macos: set minimum macOS version [56]
 o CI/macos: unconditionally enable warnings-as-errors with autotools [21]
 o CI: Add muse CI analyzer [79]
 o cirrus-ci: upgrade 11-STABLE to 11.4 [2]
 o CMake: don't complain about missing nroff [87]
 o CMake: fix test for warning suppressions [17]
 o cmake: fix windows xp build [13]
 o configure.ac: Sort features name in summary [6]
 o configure: allow disabling warnings [26]
 o configure: cleanup wolfssl + pkg-config conflicts when cross compiling. [48]
 o configure: show zstd ""no"" in summary when built without it [49]
 o connect: remove redundant message about connect failure [66]
 o curl-config: ignore REQUIRE_LIB_DEPS in --libs output [96]
 o curl.1: add a few missing valid exit codes [76]
 o curl: add %{method} to the -w variables
 o curl: improve the existing file check with -J [43]
 o curl_multi_setopt: fix compiler warning ""result is always false"" [42]
 o curl_version_info.3: CURL_VERSION_KERBEROS4 is deprecated [9]
 o CURLINFO_CERTINFO.3: fix typo [3]
 o CURLOPT_NOBODY.3: clarify what setting to 0 means [46]
 o docs: add date of 7.20 to CURLM_CALL_MULTI_PERFORM mentions [18]
 o docs: Add video link to docs/CONTRIBUTE.md [95]
 o docs: change ""web site"" to ""website"" [86]
 o docs: clarify MAX_SEND/RECV_SPEED functionality [92]
 o docs: Update a few leftover mentions of DarwinSSL [29]
 o doh: remove redundant cast [20]
 o file2memory: use a define instead of -1 unsigned value [30]
 o ftp: don't do ssl_shutdown instead of ssl_close [85]
 o ftpserver: don't verify SMTP MAIL FROM names [8]
 o getinfo: reset retry-after value in initinfo [51]
 o gnutls: repair the build with `CURL_DISABLE_PROXY` [5]
 o gtls: survive not being able to get name/issuer [73]
 o h2: repair trailer handling [81]
 o http2: close the http2 connection when no more requests may be sent [7]
 o http2: fix nghttp2_strerror -> nghttp2_http2_strerror in debug messages [11]
 o libssh2: s/ssherr/sftperr/ [78]
 o libtest/Makefile.am: add -no-undefined for libstubgss for Cygwin [91]
 o md(4|5): don't use deprecated macOS functions [23]
 o mprintf: Fix dollar string handling [54]
 o mprintf: Fix stack overflows [53]
 o multi: Condition 'extrawait' is always true [60]
 o multi: Remove 10-year old out-commented code [97]
 o multi: remove two checks always true [36]
 o multi: update comment to say easyp list is linear [44]
 o multi_remove_handle: close unused connect-only connections [62]
 o ngtcp2: adapt to error code rename [69]
 o ngtcp2: adjust to recent sockaddr updates [27]
 o ngtcp2: update to modified qlog callback prototype [14]
 o nss: fix build with disabled proxy support [32]
 o ntlm: free target_info before (re-)malloc [55]
 o openssl: fix build with LibreSSL < 2.9.1 [61]
 o page-header: provide protocol details in the curl.1 man page [28]
 o quiche: handle calling disconnect twice [50]
 o runtests.pl: treat LibreSSL and BoringSSL as OpenSSL [59]
 o runtests: move the gnutls-serv tests to a dynamic port [74]
 o runtests: move the smbserver to use a dynamic port number [71]
 o runtests: move the TELNET server to a dynamic port [68]
 o runtests: run the DICT server on a random port number [90]
 o runtests: run the http2 tests on a random port number [72]
 o runtests: support dynamically base64 encoded sections in tests [75]
 o setopt: unset NOBODY switches to GET if still HEAD [47]
 o smtp_parse_address: handle blank input string properly [89]
 o socks: use size_t for size variable [39]
 o strdup: remove the odd strlen check [24]
 o test1119: verify stdout in the test [33]
 o test1139: make it display the difference on test failures
 o test1140: compare stdout [93]
 o test1908: treat file as text [83]
 o tests/FILEFORMAT.md: mention %HTTP2PORT
 o tests/sshserver.pl: fix compatibility with OpenSSH for Windows
 o TLS naming: fix more Winssl and Darwinssl leftovers [88]
 o tls-max.d: this option is only for TLS-using connections [45]
 o tlsv1.3.d: only for TLS-using connections [37]
 o tool_doswin: Simplify Windows version detection [57]
 o tool_getparam: make --krb option work again [10]
 o TrackMemory tests: ignore realloc and free in getenv.c [84]
 o transfer: fix data_pending for builds with both h2 and h3 enabled [41]
 o transfer: fix memory-leak with CURLOPT_CURLU in a duped handle [15]
 o transfer: move retrycount from connect struct to easy handle [77]
 o travis/script.sh: fix use of `-n' with unquoted envvar [80]
 o travis: add ppc64le and s390x builds [65]
 o travis: update quiche builds for new boringssl layout [25]
 o url: fix CURLU and location following [70]
 o url: silence MSVC warning [12]
 o util: silence conversion warnings [22]
 o win32: Add Curl_verify_windows_version() to curlx [58]
 o WIN32: stop forcing narrow-character API [52]
 o windows: add unicode to feature list [35]
 o windows: disable Unix Sockets for old mingw [82]
}}}

And for the security advisory:

{{{
VULNERABILITY
-------------

An application that performs multiple requests with libcurl's multi API and
sets the `CURLOPT_CONNECT_ONLY` option might, in rare circumstances, experience
that when subsequently using the set-up connect-only transfer, libcurl will
pick and use the wrong connection - and instead pick another one the
application has created since then.

`CURLOPT_CONNECT_ONLY` is the option to tell libcurl to not perform an actual
transfer, only connect. When that operation is completed, libcurl remembers
which connection it used for that transfer and ""easy handle"". It remembers
the connection using a pointer to the internal `connectdata` struct in memory.

If more transfers are then done with the same multi handle before the
connect-only connection is used, leading to the initial connect-only
connection getting closed (for example due to idle time-out) while new
transfers (and connections) are also set up, such a *new* connection might end
up getting the exact same memory address as the now closed connect-only
connection.

If after those operations the application then wants to use the original
transfer's connect-only setup to, for example, use `curl_easy_send()` to send
raw data over that connection, libcurl could **erroneously** find an existing
connection still being alive at the address it remembered from before, even
though this is now a new and different connection. The application could then
accidentally send data over that connection which wasn't at all intended for
that recipient, entirely unknowingly.

We are not aware of any exploit of this flaw.

INFO
----

This bug has existed at least since commit
[c43127414d](https://github.com/curl/curl/commit/c43127414d), first shipped in
curl 7.29.0.

This flaw cannot trigger for users of the curl tool but only for applications
using libcurl and the `CURLOPT_CONNECT_ONLY` option.

The flaw only happens if the exact same memory address is re-used again for
the new connection as for the original connect-only connection.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2020-8231 to this issue.

CWE-825: Expired Pointer Dereference

Severity: Low

AFFECTED VERSIONS
-----------------

- Affected versions: libcurl 7.29.0 to and including 7.71.1
- Not affected versions: libcurl < 7.29.0 and libcurl >= 7.72.0

THE SOLUTION
------------

A [fix for CVE-2020-8231](https://github.com/curl/curl/commit/3c9e021f86872baae412a427e807fbfa2f3e8)

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

 A - Upgrade curl to version 7.72.0

 B - Apply the patch on your curl version and rebuild

 C - Do not use `CURLOPT_CONNECT_ONLY`

TIMELINE
--------

This issue was first reported to the curl project on July 31, 2020.

This advisory was posted on August 19th 2020.

CREDITS
-------

This issue was reported by Marc Aldorasi. Patched by Daniel Stenberg.

Thanks a lot!
}}}
",enhancement,closed,high,10.1,BOOK,SVN,normal,fixed,,