Opened 4 months ago

Closed 4 months ago

Last modified 4 months ago

#14844 closed enhancement (fixed)

curl-7.76.0

Reported by: Douglas R. Reno Owned by: Tim Tassonis
Priority: elevated Milestone: 10.2
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

New minor version

Change History (4)

comment:1 by Tim Tassonis, 4 months ago

Owner: changed from blfs-book to Tim Tassonis
Status: newassigned
Changes:

    cookies: Support multiple -b parameters
    curl: add --fail-with-body
    doh: add options to disable ssl verification
    http: add support to read and store the referrer header
    sasl: support SCRAM-SHA-1 and SCRAM-SHA-256 via libgsasl
    vtls: initial implementation of rustls backend 

Bugfixes:

    CVE-2021-22876: strip credentials from the auto-referer header field
    CVE-2021-22890: add 'isproxy' argument to Curl_ssl_get/addsessionid()
    asyn-ares: use consistent resolve error message
    BUG-BOUNTY: removed the cooperation mention
    build: delete unused feature guards
    build: fix --disable-dateparse
    build: fix --disable-http-auth
    build: remove all traces of USE_BLOCKING_SOCKETS
    c-hyper: Remove superfluous pointer check
    c-hyper: support automatic content-encoding
    CI/azure: disable test 433 on azure-ubuntu
    CI/azure: replace python-impacket with python3-impacket
    ci: stop building on freebsd-12-1
    cmake: fix import library name for non-MS compiler on Windows
    cmake: use CMAKE_INSTALL_INCLUDEDIR indirection
    cmake: support WinIDN
    config: fix building SMB with configure using Win32 Crypto
    config: fix detection of restricted Windows App environment
    configure: fail if --with-quiche is used and quiche isn't found
    configure: make AC_TRY_* into AC_*_IFELSE
    configure: make hyper opt-in, and fail if missing
    configure: only add OpenSSL paths if they are defined
    configure: provide Largefile feature for curl-config
    configure: remove use of deprecated macros
    configure: s/AC_HELP_STRING/AS_HELP_STRING
    cookies: Fix potential NULL pointer deref with PSL
    curl: set CURLOPT_NEW_FILE_PERMS if requested
    curl_easy_setopt.3: add curl_easy_option* functions to SEE ALSO
    curl_multibyte: always return a heap-allocated copy of string
    curl_multibyte: fall back to local code page stat/access on Windows
    Curl_timeleft: check both timeouts during connect
    curl_url_set.3: mention CURLU_PATH_AS_IS
    CURLOPT_QUOTE.3: clarify that libcurl doesn't parse what's sent
    docs/HTTP2: remove the outdated remark about multiplexing for the tool
    docs/Makefile.inc: format to be update-friendly
    docs: add CURLOPT_CURLU to 'See also' in curl_url_ functions
    docs: add missing Arg tag to --stderr
    docs: Add SSL backend names to CURL_SSL_BACKEND
    docs: clarify timeouts for queued transfers in multi API
    docs: Explain DOH transfers inherit some SSL settings
    docs: fix FILE example url in --metalink documentation
    docs: make gen.pl support *italic* and **bold**
    doh: Fix sharing user's resolve list with DOH handles
    doh: Inherit CURLOPT_STDERR from user's easy handle
    dynbuf: bump the max HTTP request to 1MB
    examples: Remove threaded-shared-conn.c due to bug
    file: Support unicode urls on windows
    ftp: add 'list_only' to the transfer state struct
    ftp: add 'prefer_ascii' to the transfer state struct
    FTP: allow SIZE to fail when doing (resumed) upload
    ftp: avoid SIZE when asking for a TYPE A file
    ftp: fix Codacy/cppcheck warning about null pointer arithmetic
    ftp: fix memory leak in ftp_done
    ftp: never set data->set.ftp_append outside setopt
    gen.pl: quote "bare" minuses in the nroff curl.1
    github: add torture-ftp for FTP-only torture testing
    gnutls: assume nettle crypto support
    gskit: correct the gskit_send() prototype
    hostip: fix build with sync resolver
    hostip: fix crash in sync resolver builds that use DOH
    hsts: remove unused defines
    http2: don't set KEEP_SEND when there's no more data to be sent
    http2: fail if connection terminated without END_STREAM
    http: cap body data amount during send speed limiting
    http: do not add a referrer header with empty value
    http: make 416 not fail with resume + CURLOPT_FAILONERRROR
    http: remove superfluous NULL assign
    http: strip default port from URL sent to proxy
    http: use credentials from transfer, not connection
    ldap: use correct memory free function
    lib1536: check ptr against NULL before dereferencing it
    lib1537: check ptr against NULL before dereferencing it
    lib: remove 'conn->data' completely
    libssh2: kdb_callback: get the right struct pointer
    libssh2:ssh_connect: clear session pointer after free
    memdebug: close debug logfile explicitly on exit
    mingw: enable using strcasecmp()
    multi: close the connection when h2=>h1 downgrading
    multi: do once-per-transfer inits in before_perform in DID state
    multi: rename the multi transfer states
    multi: update pending list when removing handle
    ngtcp2: adapt to the new recv_datagram callback
    ngtcp2: clarify calculation precedence
    ngtcp2: Fix build error due to change in ngtcp2_addr_init
    ngtcp2: sync with recent API updates
    openldap: avoid NULL pointer dereferences
    openssl: adapt to v3's new const for a few API calls
    openssl: ensure to check SSL_CTX_set_alpn_protos return values
    openssl: remove get_ssl_version_txt in favor of SSL_get_version
    openssl: set the transfer pointer for logging early
    OS400: update for CURLOPT_AWS_SIGV4
    parse_proxy: fix a memory leak in the OOM path
    pathhelp.pm: fix use of pwd -L in Msys environment
    projects: Update VS projects for OpenSSL 1.1.x
    quiche: fix build error: use 'int' for port number
    quiche: fix crash when failing to connect
    retry-all-errors.d: Explain curl errors versus HTTP response errors
    retry.d: Clarify transient 5xx HTTP response codes
    runtests.pl: add %TESTNUMBER variable to make copying tests more convenient
    runtests.pl: add a -P option to specify an external proxy
    runtests.pl: kill processes locking test log files
    setopt: error on CURLOPT_HTTP09_ALLOWED set true with Hyper
    test1188: change error to check for: --fail HTTP status
    test220/314: adjust to run with Hyper
    test304: header CRLF cleanup to work with Hyper
    test306: make it not run with Hyper
    tests: disable .curlrc in more environments
    tests: use %TESTNUMBER instead of fixed number
    tftp: remove the 3600 second default timeout
    time: enable 64-bit time_t in supported mingw environments
    tool_help: add missing argument for --create-file-mode
    tool_help: Increase space between option and description
    tool_operate: bail if set CURLOPT_HTTP09_ALLOWED returns error
    travis: add a rustls build
    travis: bump wolfssl to 4.7.0
    travis: only build wolfssl when needed
    travis: split "torture" into a separate "events" build
    travis: switch ngtcp2 build over to quictls
    travis: use ubuntu nghttp2 package instead of build our own
    url.c: use consistent error message for failed resolve
    url: fix memory leak if OOM in the HSTS handling
    url: fix possible use-after-free in default protocol
    urldata: don't touch data->set.httpversion at run-time
    urldata: fix build without HTTP and MQTT
    urldata: make 'actions[]' use unsigned char instead of int
    urldata: merge "struct DynamicStatic" into "struct UrlState"
    urldata: remove the 'rtspversion' field
    urldata: remove the _ORIG suffix from string names
    version.d: Add missing features to the features list
    wolfssl: don't store a NULL sessionid 
}}

comment:2 by Tim Tassonis, 4 months ago

Resolution: fixed
Status: assignedclosed

Fixed in revision 24421.

comment:3 by Douglas R. Reno, 4 months ago

CVE-2021-22876

Automatic referer leaks credentials
===================================

Project curl Security Advisory, March 31st 2021 -
[Permalink](https://curl.se/docs/CVE-2021-22876.html)

VULNERABILITY
-------------

libcurl does not strip off user credentials from the URL when automatically
populating the `Referer:` HTTP request header field in outgoing HTTP requests,
and therefore risks leaking sensitive data to the server that is the target of
the second HTTP request.

libcurl automatically sets the `Referer:` HTTP request header field in
outgoing HTTP requests if the `CURLOPT_AUTOREFERER` option is set. With the
curl tool, it is enabled with `--referer ";auto"`.

We are not aware of any exploit of this flaw.

INFO
----

This flaw has existed in libcurl since commit
[f30ffef477](https://github.com/curl/curl/commit/f30ffef477) in libcurl 7.1.1,
released on August 21, 2000.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2021-22876 to this issue.

CWE-359: Exposure of Private Personal Information to an Unauthorized Actor

Severity: Low

AFFECTED VERSIONS
-----------------

- Affected versions: curl 7.1.1 to and including 7.75.0
- Not affected versions: curl < 7.1.1 and curl >= 7.76.0

Also note that libcurl is used by many applications, and not always
advertised as such.

THE SOLUTION
------------

If a provided URL contains credentials, they will be blanked out before the
URL is used to populate the header field.

A [fix for CVE-2021-22876](https://github.com/curl/curl/commit/7214288898f5625a6cc196e22a74232eada7861c)

(The patch URL will change in the final published version of this advisory)

RECOMMENDATIONS
--------------

We suggest you take one of the following actions immediately, in order of
preference:

 A - Upgrade libcurl to version 7.76.0

 B - Apply the patch to your local version

 C - Provide the credentials with `-u` or `CURLOPT_USERPWD`

 D - Avoid `CURLOPT_AUTOREFERER` and `--referer ";auto"`,

TIMELINE
--------

This issue was reported to the curl project on February 12, 2021.

This advisory was posted on March 31st 2021.

CREDITS
-------

This issue was reported and patched by Viktor Szakats.

Thanks a lot!

comment:4 by Douglas R. Reno, 4 months ago

Priority: normalelevated

CVE-2021-22890

TLS 1.3 session ticket proxy host mixup
=======================================

Project curl Security Advisory, March 31st 2021 -
[Permalink](https://curl.se/docs/CVE-2021-22890.html)

VULNERABILITY
-------------

Enabled by default, libcurl supports the use of TLS 1.3 session tickets to
resume previous TLS sessions to speed up subsequent TLS handshakes.

When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets
arriving from the HTTPS proxy but work as if they arrived from the remote
server and then wrongly "short-cut" the host handshake. The reason for this
confusion is the modified sequence from TLS 1.2 when the session ids would
provided only during the TLS handshake, while in TLS 1.3 it happens post
hand-shake and the code was not updated to take that changed behavior into
account.

When confusing the tickets, a HTTPS proxy can trick libcurl to use the wrong
session ticket resume for the host and thereby circumvent the server TLS
certificate check and make a MITM attack to be possible to perform unnoticed.

This flaw can allow a malicious HTTPS proxy to MITM the traffic. Such a
malicious HTTPS proxy needs to provide a certificate that curl will accept for
the MITMed server for an attack to work - unless curl has been told to ignore
the server certificate check.

We are not aware of any exploit of this flaw.

INFO
----

This flaw has existed in libcurl since commit
[549310e907e](https://github.com/curl/curl/commit/549310e907e) in libcurl 7.63.0,
released on December 12, 2018.

It can only trigger when TLS 1.3 is used with the HTTPS proxy and not with
earlier TLS versions. It *cannot* trigger with TLS 1.2 or earlier versions.

It might be worth highlighting that an HTTPS proxy is a proxy which libcurl
communicates with over TLS specifically, and then speaks HTTPS through, making
it two layers of TLS. It is different than the more common HTTP proxy setup,
where libcurl just does normal TCP with the proxy.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2021-22890 to this issue.

CWE-290: Authentication Bypass by Spoofing

Severity: Low

AFFECTED VERSIONS
-----------------

This issue only exists when libcurl is built to use OpenSSL or one of its
forks.

- Affected versions: curl 7.63.0 to and including 7.75.0
- Not affected versions: curl < 7.63.0 and curl >= 7.76.0

Also note that libcurl is used by many applications, and not always
advertised as such.

THE SOLUTION
------------

Make sure the proxy/host distinction is done correctly.

A [fix for CVE-2021-22890](https://github.com/curl/curl/commit/b09c8ee15771c614c4bf3ddac893cdb12187c844)

(The patch URL will change in the final published version of this advisory)

RECOMMENDATIONS
--------------

We suggest you take one of the following actions immediately, in order of
preference:

 A - Upgrade libcurl to version 7.76.0

 B - Apply the patch to your local version

 C - Use another TLS backend

 D - Avoid TLS 1.3 with HTTPS proxies

TIMELINE
--------

This issue was reported to the curl project on March 17, 2021.

This advisory was posted on March 31st 2021.

CREDITS
-------

This issue was reported by Mingtao Yang, Facebook. Patch by Daniel Stenberg.

Thanks a lot!

Just putting the upstream information in here to make it easier for issuing a SA :)

Note: See TracTickets for help on using tickets.