curl-7.77.0

[Douglas R. Reno]

New minor version

[Douglas R. Reno]

Release Notes

Hi friends!

I'm happy to announce the 200th curl release and we called it curl 7.77.0. This release comes with no less than *three* fixed security vulnerabilites and you will see those announcement in separate emails following this email.

Download curl as always from https://curl.se/

curl and libcurl 7.77.0

 Public curl releases:         200
 Command line options:         242
 curl_easy_setopt() options:   290
 Public functions in libcurl:  85
 Contributors:                 2408

This release includes the following changes:

 o configure: make the TLS library choice(s) explicit [3]
 o curl: ignore options asking for SSLv2 or SSLv3 [10]
 o hsts: enable by default [8]
 o SSL: support in-memory CA certs for some backends [85]
 o vtls: refuse setting any SSL version [9]

This release includes the following bugfixes:

 o CVE-2021-22297: schannel cipher selection surprise [132]
 o CVE-2021-22298: TELNET stack contents disclosure [131]
 o CVE-2021-22901: TLS session caching disaster [130]
 o AmigaOS: add functions definitions for SHA256 [126]
 o build: fix compilation for Windows UWP platform [82]
 o c-hyper: don't write to set.writeheader if null [67]
 o c-hyper: fix handling of zero-byte chunk from hyper [39]
 o c-hyper: handle body on HYPER_TASK_EMPTY [104]
 o checksrc: complain on == NULL or != 0 checks in conditions [20]
 o CI/cirrus: add shared and static Windows release builds [102]
 o cmake: add CURL_ENABLE_EXPORT_TARGET option [133]
 o cmake: check for getppid and utimes [87]
 o cmake: detect CURL_SA_FAMILY_T [124]
 o cmake: fix two invokes result in different curl_config.h [123]
 o cmake: make libcurl output filename configurable [41]
 o cmake: Use multithreaded compilation on VS 2008+ [122]
 o config: remove now-unused macros [107]
 o configure: if asked for, fail if ldap is not found [109]
 o configure: provide --with-openssl, deprecate --with-ssl [15]
 o conn: add 'attach' to protocol handler, make libssh2 use it [119]
 o connect: use CURL_SA_FAMILY_T for portability [34]
 o ConnectionExists: respect requests for h1 connections better
 o cookie: CURLOPT_COOKIEFILE set to NULL switches off cookies [1]
 o curl-wolfssl.m4: without custom include path, assume /usr/include [116]
 o curl: include libmetalink version in --version output [111]
 o Curl_http_header: check for colon when matching Persistent-Auth [51]
 o Curl_http_input_auth: require valid separator after negotiation type [52]
 o Curl_input_digest: require space after Digest [50]
 o curl_mprintf.3: add description [73]
 o curl_setup: provide the shutdown flags wider [33]
 o curl_url_set.3: add memory management information [38]
 o CURLcode: add CURLE_SSL_CLIENTCERT [47]
 o CURLOPT_CAPATH.3: defaults to a path, not NULL [103]
 o CURLOPT_IPRESOLVE: preventing wrong IP version from being used [125]
 o CURLOPT_POSTFIELDS.3: clarify how it gets the size of the data [40]
 o data_pending: check only SECONDARY socket for FTP(S) transfers [117]
 o docs/TheArtOfHttpScripting: fix markdown links [129]
 o docs: camelcase it like GitHub everywhere [62]
 o docs: cookies from HTTP headers need domain set [121]
 o docs: fix typo in fail-with-body doc [63]
 o docs: improve INTERNALS.md regarding getsock cb [105]
 o docs: replace dots with dashes in markdown enums [101]
 o easy: ignore sigpipe in curl_easy_send [69]
 o FILEFORMAT: mention sectransp as a feature [89]
 o GIT-INFO: suggest using autoreconf instead of buildconf [96]
 o github: add a workflow with libssh2 on macOS using cmake [81]
 o github: inhibit deprecated declarations for clang on macOS [118]
 o GnuTLS: don't allow TLS 1.3 for versions that don't support it [77]
 o gnutls: make setting only the MAX TLS allowed version work [83]
 o gskit: fix CURL_DISABLE_PROXY build [57]
 o gskit: fix undefined reference to 'conn' [58]
 o hostip.h: remove declaration of unimplemented function [108]
 o hostip: remove the debug code for LocalHost [113]
 o http2: call the handle-closed function correctly on closed stream [37]
 o http2: fix a resource leak in push_promise() [54]
 o http2: fix resource leaks in set_transfer_url() [55]
 o http2: make sure pause is done on HTTP [120]
 o http2: move the stream error field to the per-transfer storage [36]
 o http2: skip immediate parsing of payload following protocol switch [90]
 o http2: use nghttp2_session_upgrade2 instead of nghttp2_session_upgrade [91]
 o HTTP3.md: fix nghttp2's HTTP/3 server port [21]
 o HTTP3.md: make the ngtcp2 build use the quictls fork [98]
 o http: deal with partial CONNECT sends [97]
 o http: fix the check for 'Authorization' with Bearer [53]
 o http: limit the initial send amount to used upload buffer size [99]
 o http: reset the header buffer when sending the request [61]
 o http: use offsets inst of integer literals for header parsing [95]
 o INSTALL: add IBM i specific quirks [75]
 o krb5/name_to_level: replace checkprefix with curl_strequal [49]
 o krb5: don't use 'static' to store PBSZ size response [23]
 o krb5: remove the unused 'overhead' function [35]
 o lib/hostip6.c: make NAT64 address synthesis on macOS work [135]
 o lib1564.c: enable last wakeup test part on Windows [26]
 o lib: fix 0-length Curl_client_write calls [60]
 o lib: fix some misuse of curlx_convert_UTF8_to_tchar [64]
 o libcurl-security.3: be careful of setuid [66]
 o libcurl-security.3: don't try to filter IPv4 hosts based on the URL [71]
 o libcurl.3: mention the URL API [76]
 o libssh2: fix Value stored to 'sshp' is never read [13]
 o libssh2: ignore timeout during disconnect [45]
 o libssh: fix "empty expression statement has no effect" warnings [7]
 o libtest: remove lib530.c [88]
 o m4: add security frameworks on Mac when compiling rustls [31]
 o multi: don't close connection HTTP_1_1_REQUIRED
 o multi: fix slow write/upload performance on Windows [27]
 o multi: reduce Win32 API calls to improve performance [28]
 o ngtcp2: fix the cb_acked_stream_data_offset proto [46]
 o NSS: add ciphers to map [30]
 o NSS: make colons, commas and spaces valid separators in cipher list [106]
 o nss_set_blocking: avoid static for sock_opt [72]
 o ntlm: precaution against super huge type2 offsets [65]
 o openldap: protect SSL-specific code with proper #ifdef [12]
 o openldap: replace ldap_ prefix on private functions [84]
 o openssl: fix build error with OpenSSL < 1.0.2 [4]
 o openssl: remove unneeded cast for CertOpenSystemStore() [93]
 o os400: additional support for options metadata [24]
 o progress: fix scan-build-11 warnings [92]
 o progress: reset limit_size variables at transfer start [114]
 o progress: when possible, calculate transfer speeds with microseconds [48]
 o README.md: delete Codacy UTM parameters [5]
 o Revert "Revert 'multi: implement wait using winsock events'" [26]
 o rustls: only return CURLE_AGAIN when TLS session is fully drained [2]
 o rustls: use ALPN [56]
 o sasl: use 'unsigned short' to store mechanism [112]
 o schannel: Disable auto credentials; add an option to enable it [18]
 o schannel: Support strong crypto option [44]
 o sectransp: allow cipher name to be specified [29]
 o sectransp: fix EXC_BAD_ACCESS caused by uninitialized buffer [136]
 o sigpipe: ignore SIGPIPE when using wolfSSL as well [70]
 o sockfilt: avoid getting stuck waiting for writable socket [80]
 o sockfilt: fix invalid increment of handles index variable nfd [79]
 o sws: #ifdef S_IFSOCK use [32]
 o sws: allow HTTP requests up to 2MB in size [100]
 o test server: take care of siginterrupt() deprecation [25]
 o test2100: make it run with and require IPv6 [127]
 o tests/disable-scan.pl: also scan all m4 files [17]
 o tests/getpart: generate output URL encoded for better diffs [128]
 o tests: ignore case of chunked hex numbers in tests [86]
 o tls: add USE_HTTP2 define [59]
 o tool_getparam: handle failure of curlx_convert_tchar_to_UTF8() [78]
 o tool_getparam: replace (in-place) '%20' by '+' according to RFC1866 [14]
 o tool_operate: don't discard failed parallel transfer result [16]
 o tool_writeout: fix the HTTP_CODE json output [11]
 o travis: disable the failing libssh build [94]
 o URL-SYNTAX: update IDNA section for WHATWG spec changes [74]
 o urlapi: "normalize" numerical IPv4 host names [6]
 o vauth: factor base64 conversions out of authentication procedures [22]
 o version: add gsasl_version to curl_version_info_data [43]
 o version: add OpenLDAP version in the output [110]
 o vtls: deduplicate some DISABLE_PROXY ifdefs [19]
 o vtls: reset ssl use flag upon negotiation failure [42]
 o wolfssl: handle SSL_write() returns 0 for error [68]
 o wolfssl: remove SSLv3 support leftovers [115]

This release includes the following known bugs:

 o see docs/KNOWN_BUGS (https://curl.se/docs/knownbugs.html)

[Douglas R. Reno]

CVE-2021-22897

schannel cipher selection surprise
==================================

Project curl Security Advisory, May 26th 2021 -
[Permalink](https://curl.se/docs/CVE-2021-22897.html)

VULNERABILITY
-------------

libcurl lets applictions specify which specific TLS ciphers to use in
transfers, using the option called `CURLOPT_SSL_CIPHER_LIST`. The cipher
selection is used for the TLS negotation when a transfer is done involving any
of the TLS based transfer protocols libcurl supports, such as HTTPS, FTPS,
IMAPS, POP3S, SMTPS etc.

Due to a mistake in the code, the selected cipher set was stored in a single
"static" variable in the library, which has the surprising side-effect that if
an application sets up multiple concurrent transfers, the last one that sets
the ciphers will accidentally control the set used by all transfers. In a
worst-case scenario, this weakens transport security significantly.

We are not aware of any exploit of this flaw.

INFO
----

This flaw has existed in libcurl since commit
[9aefbff30d280c60fc](https://github.com/curl/curl/commit/9aefbff30d280c60fc)
in libcurl 7.61.0, released on July 11, 2018.

It can only trigger when Schannel is used, which is the native TLS library in
Microsoft Windows.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2021-22897 to this issue.

CWE-488: Exposure of Data Element to Wrong Session

Severity: Low

AFFECTED VERSIONS
-----------------

This issue only exists when libcurl is built to use Schannel.

- Affected versions: libcurl 7.61.0 to and including 7.76.1
- Not affected versions: libcurl < 7.61.0 and libcurl >= 7.77.0

Also note that libcurl is used by many applications, and not always advertised
as such.

THE SOLUTION
------------

Store the cipher selection in data associated with the connection.

A [fix for CVE-2021-22897](https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880bed6a32834511)

RECOMMENDATIONS
--------------

If you're using an Schannel based libcurl, We suggest you take one of the
following actions immediately, in order of preference:

 A - Upgrade libcurl to version 7.77.0

 B - Apply the patch to your local version

 C - Avoid using `CURLOPT_SSL_CIPHER_LIST`

TIMELINE
--------

This issue was reported to the curl project on April 23, 2021.

This advisory was posted on May 26, 2021.

CREDITS
-------

This issue was reported by Harry Sintonen. Patch by Daniel Stenberg.

Thanks a lot!

[Douglas R. Reno]

CVE-2021-22898

TELNET stack contents disclosure
================================

Project curl Security Advisory, May 26th 2021 -
[Permalink](https://curl.se/docs/CVE-2021-22898.html)

VULNERABILITY
-------------

curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`
in libcurl. This rarely used option is used to send variable=content pairs to
TELNET servers.

Due to flaw in the option parser for sending `NEW_ENV` variables, libcurl
could be made to pass on uninitialized data from a stack based buffer to the
server. Therefore potentially revealing sensitive internal information to the
server using a clear-text network protocol.

This could happen because curl did not check the return code from a
`sscanf(command, "%127[^,],%127s")` function invoke correctly, and would leave
the piece of the send buffer uninitialized for the value part if it was
provided longer than 127 bytes. The buffer used for this is 2048 bytes big and
the *variable* part of the *variable=content* pairs would be stored correctly
in the send buffer, making curl sending "interleaved" bytes sequences of stack
contents. A single curl TELNET handshake could then be made to send off a
total of around 1800 bytes of (non-contiguous) stack contents in this style:

    [control byte]name[control byte]
    stack contents
    [control byte]name[control byte]
    stack contents
    ...

An easy proof of concept command line looks like this:

    curl telnet://example.com -tNEW_ENV=a,bbbbbb (256 'b's)

We are not aware of any exploit of this flaw.

INFO
----

This flaw has existed in curl since commit
[a1d6ad2610](https://github.com/curl/curl/commit/a1d6ad2610) in libcurl 7.7,
released on March 22, 2001.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2021-22898 to this issue.

CWE-457: Use of Uninitialized Variable

Severity: Medium

AFFECTED VERSIONS
-----------------

- Affected versions: curl 7.7 to and including 7.76.1
- Not affected versions: curl < 7.7 and curl >= 7.77.0

Also note that libcurl is used by many applications, and not always advertised
as such.

THE SOLUTION
------------

Use sscanf() properly and only use properly filled-in buffers.

A [fix for CVE-2021-22898](https://github.com/curl/curl/commit/39ce47f219b09c380b81f89fe54ac586c8db6bde)

RECOMMENDATIONS
--------------

 A - Upgrade curl to version 7.77.0

 B - Apply the patch to your local version

 C - Avoid using `CURLOPT_TELNETOPTIONS`

TIMELINE
--------

This issue was reported to the curl project on April 27, 2021.

This advisory was posted on May 26, 2021.

CREDITS
-------

This issue was reported and patched by Harry Sintonen.

Thanks a lot!

Disclosure of stack contents for this one

[Douglas R. Reno]

Since we use OpenSSL, we're directly impacted by this remote code execution vulnerability. It only happens when going to a server via HTTPS.

CVE-2021-22901

TLS session caching disaster
============================

Project curl Security Advisory, May 26th 2021 -
[Permalink](https://curl.se/docs/CVE-2021-22901.html)

VULNERABILITY
-------------

libcurl can be tricked into using already freed memory when a new TLS session
is negotiated or a client certificate is requested on an existing connection.
For example, this can happen when a TLS server requests a client certificate
on a connection that was established without one. A malicious server can use
this in rare unfortunate circumstances to potentially reach remote code
execution in the client.

OpenSSL can declare a "new session" for different reasons, including the
initial TLS handshake completion, TLS 1.2 (or earlier) renegotiation, or TLS
1.3 client certificate requests. When libcurl at run-time sets up support for
session ID caching on a connection using OpenSSL, it stores pointers to the
transfer in-memory object for later retrieval when OpenSSL considers a new
session to be established.

However, if the connection is used by multiple transfers (like with a reused
HTTP/1.1 connection or multiplexed HTTP/2 connection) that first transfer
object might be freed before the new session is established on that connection
and then the function will access a memory buffer that might be freed. When
using that memory, libcurl might even call a function pointer in the object,
making it possible for a remote code execution if the server could somehow
manage to get crafted memory content into the correct place in memory.

We are not aware of any exploit of this flaw.

INFO
----

The flaw can only happen in libcurl built to use OpenSSL (or one of its forks).

This flaw has existed in curl since commit
[a304051620b92](https://github.com/curl/curl/commit/a304051620b92) in libcurl
7.75.0, released on February 3, 2021.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2021-22901 to this issue.

CWE-416: Use After Free

Severity: High

## Steps to remote code execution

1. libcurl built to use OpenSSL (BoringSSL and libressl work the same)

2. A multi interface using application

3. One of the following:

 - create and use a first easy handle to do HTTP/1.1 over TLS to a malicious
   server

 - free that easy handle with `curl_easy_cleanup()`

 - create and use a second easy handle to do HTTP/1.1 over TLS with to the
   same server such that the TLS connection is reused

    or

 - more than one concurrent easy handle created that do HTTP/2 over a TLS
   connection to a malicious server,

 - the *first* easy handle to use the connection must be freed with
   `curl_easy_cleanup()`

 - at least one easy handle remaining in use of the same connection

4. The attacking server needs to figure out heap address details in order to
know what payload contents to provide

5. The necessary exact memory address in the heap gets populated by memory
contents controlled by the server

6. The attacker starts a new handshake (on TLS 1.2 or earlier), or sends a TLS
1.3 client certificate request, or otherwise triggers OpenSSL to consider a
new session to be established

For a remote code execution, the client needs to perform (potentially many)
more transfers (and thus have more easy handles) to allow the server to place
crafted contents into heap memory.  Instead of remote code execution, the
client could instead crash or otherwise experience undefined behaviour.

AFFECTED VERSIONS
-----------------

- Affected versions: curl 7.75.0 to and including 7.76.1
- Not affected versions: curl < 7.75.0 and curl >= 7.77.0

Also note that libcurl is used by many applications, and not always advertised
as such.

THE SOLUTION
------------

When the transfer is detached from the connection, it clears the association
to it from the session ID cache logic.

A [fix for CVE-2021-22901](https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479)

RECOMMENDATIONS
--------------

 A - Upgrade curl to version 7.77.0

 B - Apply the patch to your local version

 C - Build libcurl to use another TLS backend

TIMELINE
--------

This issue was reported to the curl project on April 29, 2021.

This advisory was posted on May 26, 2021.

CREDITS
-------

This issue was reported by Harry Sintonen. Patched by Harry Sintonen and
Daniel Stenberg. Help and research by Brad Spencer.

Thanks a lot!

The description above also details how to achieve successful remote code execution through libcurl.

[Tim Tassonis]

Fixed in commit 42d1ab6496

[Bruce Dubbs]

Milestone renamed