cURL-7.78.0

[Douglas R. Reno]

New minor version.

Contains 5 security fixes.

[Douglas R. Reno]

This release includes the following changes:

 o curl_url_set: reject spaces in URLs w/o CURLU_ALLOW_SPACE [118]
 o CURLE_SETOPT_OPTION_SYNTAX: new error name for wrong setopt syntax [40]
 o hostip: make 'localhost' return fixed values [16]
 o mbedtls: add support for cert and key blob options [11]
 o metalink: remove all support for it [54]
 o mqtt: add support for username and password [91]

This release includes the following bugfixes:

 o --socks4[a]: clarify where the host name is resolved [107]
 o ares: always store IPv6 addresses first [20]
 o asyn-ares: remove check for 'data' in Curl_resolver_cancel [89]
 o bearssl: explicitly initialize all fields of Curl_ssl [1]
 o bearssl: remove incorrect const on variable that is modified [1]
 o build: fix compiler warnings when CURL_DISABLE_VERBOSE_STRINGS [155]
 o c-hyper: abort CONNECT response reading early on non 2xx responses [75]
 o c-hyper: add support for transfer-encoding in the request [121]
 o c-hyper: bail on too long response headers [115]
 o c-hyper: clear NTLM auth buffer when request is issued [23]
 o c-hyper: convert HYPERE_INVALID_PEER_MESSAGE to CURLE_UNSUPPORTED_PROTOCOL [21]
 o c-hyper: fix NTLM on closed connection tested with test159 [4]
 o c-hyper: fix the uploaded field in progress callbacks [78]
 o c-hyper: handle NULL from hyper_buf_copy() [19]
 o c-hyper: support CURLINFO_STARTTRANSFER_TIME [29]
 o c-hyper: support CURLOPT_HEADER [32]
 o ccsidcurl: fix the compile errors [27]
 o CI/cirrus: install impacket from PyPI instead of FreeBSD packages [166]
 o CI: add bearssl build [1]
 o CI: add Circle CI [92]
 o CI: add jobs using Zuul [86]
 o CI: delete --enable-hsts option (it is the default now) [2]
 o CI: remove travis details [144]
 o cleanup: spell DoH with a lowercase o [172]
 o cmake: add CURL_DISABLE_NTLM option [44]
 o cmake: avoid leaking absolute paths into exported config [3]
 o cmake: fix IoctlSocket FIONBIO check [156]
 o cmake: fix support for UnixSockets feature on Win32 [104]
 o cmake: remove libssh2 feature checks [122]
 o cmake: try well-known send/recv signature for Apple [12]
 o configure.ac: make non-executable [109]
 o configure/cmake: remove checks for many unused functions [95]
 o configure: add --disable-ntlm option [45]
 o configure: disable RTSP when hyper is selected [68]
 o configure: do not strip out debug flags [110]
 o configure: fix nghttp2 library name for static builds [157]
 o configure: inhibit the implicit-fallthrough warning on gcc-12 [106]
 o configure: rename get-easy-option configure option to get-easy-options [81]
 o conn_shutdown: if closed during CONNECT cleanup properly [59]
 o conncache: lowercase the hash key for better match [5]
 o cookies: track expiration in jar to optimize removals [25]
 o copyright: add boiler-plate headers to CI config files [143]
 o crustls: bump crustls version and use new URL [119]
 o curl.h: <sys/select.h> is supported by VxWorks7 [102]
 o curl.h: include sys/select.h for NuttX RTOS [100]
 o curl: ignore blank --output-dir [57]
 o curl_endian: remove the unused Curl_write64_le function [85]
 o curl_multibyte: Remove local encoding fallbacks [58]
 o Curl_ntlm_core_mk_nt_hash: fix OOM in error path [8]
 o Curl_ssl_getsessionid: fail if no session cache exists [14]
 o CURLOPT_WRITEFUNCTION.3: minor update of the example [80]
 o docs/BINDINGS: fix outdated links [116]
 o docs/examples: use curl_multi_poll() in multi examples [152]
 o docs/INSTALL: remove mentions of configure --with-darwin-ssl [55]
 o docs: document missing arguments to commands [160]
 o docs: fix inconsistencies in EGDSOCKET documentation [159]
 o docs: fix incorrect argument name reference [161]
 o docs: Fix typos [146]
 o docs: make docs for --etag-save match the program behaviour [169]
 o docs: use --max-redirs instead of --max-redir [28]
 o doh: (void)-prefix call to curl_easy_setopt
 o doh: fix wrong DEBUGASSERT for doh private_data [62]
 o easy: during upkeep, attach Curl_easy to connections in the cache [171]
 o examples/multi-single: fix scan-build warning [150]
 o examples: length-limit two sscanf() uses of %s [96]
 o examples: safer and more proper read callback logic [127]
 o filecheck: quietly remove test-place/*~ [39]
 o formdata: avoid "Argument cannot be negative" warning [131]
 o formdata: correct typecast in curl_mime_data call [137]
 o GHA: add a linux-hyper job [52]
 o GHA: add several libcurl tests to the hyper job
 o GHA: run the newly fixed tests with hyper [36]
 o github: timeout jobs on macOS after 90 minutes [42]
 o glob: pass an 'int' as len when using printf's %*s [139]
 o gnutls: set the preferred TLS versions in correct order [94]
 o GOVERNANCE: add 'user', 'committer' and 'contributor' [15]
 o hostip: (macOS) free returned memory of SCDynamicStoreCopyProxies [105]
 o hostip: bad CURLOPT_RESOLVE syntax now returns error [35]
 o hsts: ignore numberical IP address hosts [17]
 o HSTS: not experimental anymore
 o http2: clarify 'Using HTTP2' verbose message [63]
 o http2: init recvbuf struct for pushed streams [13]
 o http2_connisdead: handle trailing GOAWAY better [18]
 o http: fix crash in rate-limited upload [142]
 o http: make the haproxy support work with unix domain sockets [99]
 o http_proxy: deal with non-200 CONNECT response with Hyper [22]
 o hyper: propagate errors back up from read callbacks [113]
 o HYPER: remove mentions of deprecated development branch
 o idn: fix libidn2 with windows unicode builds [117]
 o infof: remove newline from format strings, always append it [149]
 o lib: don't compare fd to FD_SETSIZE when using poll [61]
 o lib: fix compiler warnings with CURL_DISABLE_NETRC [168]
 o lib: fix type of len passed to *printf's %*s [133]
 o lib: more %u for port and int for %*s fixes [132]
 o lib: use %u instead of %ld for port number printf [134]
 o libcurl-security.3: mention file descriptors and forks [108]
 o libssh2: limit time a disconnect can take to 1 second [111]
 o mbedtls: make mbedtls_strerror always work [6]
 o mbedtls: Remove unnecessary include [175]
 o mqtt: detect illegal and too large file size [43]
 o mqtt: extend the error message for no topic [136]
 o msnprintf: return number of printed characters excluding null byte [148]
 o multi: add scan-build-6 work-around in curl_multi_fdset [88]
 o multi: alter transfer timeout ordering [97]
 o multi: do not switch off connect_only flag when closing [98]
 o multi: fix crash in curl_multi_wait / curl_multi_poll [153]
 o netrc: skip 'macdef' definitions [87]
 o ngtcp2: disable TLSv1.3 compatible mode when using GnuTLS [83]
 o openssl: avoid static variable for seed flag [101]
 o openssl: don't remove session id entry in disassociate [56]
 o pinnedpubkey.d: fix formatting for version support lists [126]
 o proto.d: fix formatting for paragraphs after margin changes [125]
 o quiche: use send() instead of sendto() to avoid macOS issue [103]
 o Revert "c-hyper: handle body on HYPER_TASK_EMPTY" [26]
 o Revert "ftp: Expression 'ftpc->wait_data_conn' is always false" [147]
 o runtests: also find the last test in Makefile.inc [66]
 o runtests: enable 'hyper mode' only for HTTP tests [34]
 o runtests: init $VERSION to avoid warnings when using -l
 o runtests: parse data/Makefile.inc instead of using make [38]
 o runtests: skip disabled tests unless -f is used [82]
 o rustls: remove native_roots fallback [65]
 o schannel: set ALPN length correctly for HTTP/2 [24]
 o SChannel: Use '_tcsncmp()' instead [164]
 o sectransp: check for client certs by name first, then file [167]
 o setopt: fix incorrect comments [10]
 o socketpair: fix potential hangs [37]
 o socks4: scan for the IPv4 address in resolve results [124]
 o ssl: read pending close notify alert before closing the connection [9]
 o sws: malloc request struct instead of using stack [60]
 o telnet: fix option parser to not send uninitialized contents [170]
 o test1116: hyper doesn't pass through "surprise-trailers" [123]
 o test1147: hyper doesn't allow "crazy" request headers like built-in [114]
 o test1151: added missing CRLF to work with hyper [120]
 o test1216: adjusted for hyper mode [73]
 o test1218: adjusted for hyper mode [72]
 o test1230: adjust to work in hyper mode [74]
 o test1340/1341: adjusted for hyper mode [71]
 o test1438/1457: add HTTP keyword to make hyper mode work [70]
 o test1514: add a CRLF to the response to make it correct [130]
 o test1518: adjusted to work with hyper [129]
 o test1519: adjusted to work with hyper [128]
 o test1594/1595/1596: fix to work in hyper mode [69]
 o test269: disable for hyper [33]
 o test3010: work with hyper mode [67]
 o test328: avoid a header-looking body to make hyper mode work [53]
 o test339: CRLFify better to work in hyper mode [51]
 o test347: CRLFify to work in hyper mode [50]
 o test393: make Content-Length fit within 64 bit for hyper [49]
 o test394: hyper returns a different error [48]
 o test395: hyper cannot work around > 64 bit content-lengths like built-in [47]
 o test433: adjust for hyper mode [46]
 o test434: add HTTP keyword [76]
 o test500: adjust to work with hyper mode
 o test566: adjust to work with hyper mode [79]
 o test599: adjusted to work in hyper mode [77]
 o test644: remove as duplicate of test 587 [84]
 o tests: fix Accept-Encoding strips to work with Hyper builds [41]
 o TLS: prevent shutdown loops to get stuck [112]
 o tool: make _lseeki64() macro work with the PellesC compiler [163]
 o tool_help: document that --tlspassword takes a password [162]
 o tool_help: remove unused define [154]
 o url.c: remove two variable assigns that are never read [90]
 o url: (void)-prefix a curl_url_get() call [138]
 o url: bad CURLOPT_CONNECT_TO syntax now returns error [31]
 o version: turn version number functions into returning void [135]
 o vtls: exit addsessionid if no cache is inited [7]
 o vtls: fix connection reuse checks for issuer cert and case sensitivity [165]
 o vtls: only store TIMER_APPCONNECT for non-proxy connect [93]
 o vtls: use free() not curl_free() [140]
 o warnless: simplify type size handling [30]
 o Win32: fix build with Watt-32
 o winbuild/README: VC should be set to 6 'or larger' [64]
 o winbuild: support alternate nghttp2 static lib name [174]
 o wolfssl: failing to set a session id is not reason to error out [151]
 o write-out.d: clarify urlnum is not unique for de-globbed URLs [145]
 o zuul: use the new rustls directory name [141] 

[Douglas R. Reno]

CVE-2021-22922 curl: Wrong content via metalink not discarded

Wrong content via metalink not discarded
========================================

Project curl Security Advisory, July 21th 2021 -
[Permalink](https://curl.se/docs/CVE-2021-22922.html)

VULNERABILITY
-------------

When curl is instructed to download content using the metalink feature, the
contents is verified against a hash provided in the metalink XML file.

The metalink XML file points out to the client how to get the same content
from a set of different URLs, potentially hosted by different servers and the
client can then download the file from one or several of them. In a serial or
parallel manner.

If one of the servers hosting the contents has been breached and the contents
of the specific file on that server is replaced with a modified payload, curl
should detect this when the hash of the file mismatches after a completed
download. It should remove the contents and instead try getting the contents
from another URL. This is not done, and instead such a hash mismatch is only
mentioned in text and the potentially malicious content is kept in the file on
disk.

There's a risk the user doesn't notice the message and instead assumes the
file is fine.

We are not aware of any exploit of this flaw.

INFO
----

This flaw exists only in the curl tool. libcurl is not affected.

This flaw has existed in curl since commit
[b5fdbe848bc3d](https://github.com/curl/curl/commit/b5fdbe848bc3d) in curl
7.27.0, released on July 27, 2012.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2021-22922 to this issue.

CWE-20: Improper Input Validation

Severity: Medium

AFFECTED VERSIONS
-----------------

- Affected versions: curl 7.27.0 to and including 7.77.0
- Not affected versions: curl < 7.27.0 and curl >= 7.78.0

THE SOLUTION
------------

curl has completely removed the metalink feature as of 7.78.0. No fix for this
flaw will be produced by the curl project.

The fix for earlier versions is to rebuild curl with the metalink support
switched off!

RECOMMENDATIONS
--------------

 A - Upgrade curl to version 7.78.0

 B - Make sure you do not use metalink with curl

 C - Disable metalink in your build

TIMELINE
--------

This issue was reported to the curl project on May 30, 2021.

This advisory was posted on Jul 21, 2021.

CREDITS
-------

This issue was reported by Harry Sintonen. Patched by Daniel Stenberg.

Thanks a lot! 

[Douglas R. Reno]

CVE-2021-22923 curl: Metalink download sends credentials

Metalink download sends credentials
===================================

Project curl Security Advisory, July 21th 2021 -
[Permalink](https://curl.se/docs/CVE-2021-22923.html)

VULNERABILITY
-------------

When curl is instructed to get content using the metalink feature, and a user
name and password are used to download the metalink XML file, those same
credentials are then subsequently passed on to each of the servers from which
curl will download or try to download the contents from. Often contrary to the
user's expectations and intentions and without telling the user it happened.

We are not aware of any exploit of this flaw.

INFO
----

This flaw exists only in the curl tool. libcurl is not affected.

This flaw has existed in curl since commit
[b5fdbe848bc3d](https://github.com/curl/curl/commit/b5fdbe848bc3d) in curl
7.27.0, released on July 27, 2012.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2021-22923 to this issue.

CWE-522: Insufficiently Protected Credentials

Severity: Medium

AFFECTED VERSIONS
-----------------

- Affected versions: curl 7.27.0 to and including 7.77.0
- Not affected versions: curl < 7.27.0 and curl >= 7.78.0

THE SOLUTION
------------

curl has completely removed the metalink feature as of 7.78.0. No fix for this
flaw will be produced by the curl project.

The fix for earlier versions is to rebuild curl with the metalink support
switched off!

RECOMMENDATIONS
--------------

 A - Upgrade curl to version 7.78.0

 B - Make sure you do not use metalink with curl

 C - Disable metalink in your build

TIMELINE
--------

This issue was reported to the curl project on May 30, 2021.

This advisory was posted on Jul 21, 2021.

CREDITS
-------

This issue was reported by Harry Sintonen. Patched by Daniel Stenberg.

Thanks a lot! 

[Douglas R. Reno]

CVE-2021-22924 curl: bad connection reuse due to flawed path name checks

Bad connection reuse due to flawed path name checks
===================================================

Project curl Security Advisory, July 21st 2021 -
[Permalink](https://curl.se/docs/CVE-2021-22924.html)

VULNERABILITY
-------------

libcurl keeps previously used connections in a connection pool for subsequent
transfers to reuse, if one of them matches the setup.

Due to errors in the logic, the config matching function did not take 'issuer
cert' into account and it compared the involved paths *case insensitively*,
which could lead to libcurl reusing wrong connections.

File paths are, or can be, case sensitive on many systems but not all, and can
even vary depending on used file systems.

The comparison also didn't include the 'issuer cert' which a transfer can set
to qualify how to verify the server certificate.

We are not aware of any exploit of this flaw.

INFO
----

This flaw has existed in curl since commit
[89721ff04af70f](https://github.com/curl/curl/commit/89721ff04af70f) in
libcurl 7.10.4, released on April 2, 2003.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2021-22924 to this issue.

CWE-295: Improper Certificate Validation

Severity: Medium

AFFECTED VERSIONS
-----------------

- Affected versions: curl 7.10.4 to and including 7.77.0
- Not affected versions: curl < 7.10.4 and curl >= 7.78.0

Also note that libcurl is used by many applications, and not always advertised
as such.

THE SOLUTION
------------

The SSL configs are compared appropriately.

A [fix for CVE-2021-22924](https://github.com/curl/curl/commit/5ea3145850ebff1dc2b13d17440300a01ca38161)

RECOMMENDATIONS
--------------

 A - Upgrade curl to version 7.78.0

 B - Apply the patch to your local version

TIMELINE
--------

This issue was reported to the curl project on June 11, 2021.

This advisory was posted on July 21, 2021.

CREDITS
-------

This issue was reported by Harry Sintonen. Patched by Daniel Stenberg.

Thanks a lot!

[Douglas R. Reno]

CVE-2021-22925 curl: TELNET stack contents disclosure again

TELNET stack contents disclosure again
======================================

Project curl Security Advisory, July 21st 2021 -
[Permalink](https://curl.se/docs/CVE-2021-22925.html)

VULNERABILITY
-------------

curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`
in libcurl. This rarely used option is used to send variable=content pairs to
TELNET servers.

Due to flaw in the option parser for sending `NEW_ENV` variables, libcurl
could be made to pass on uninitialized data from a stack based buffer to the
server. Therefore potentially revealing sensitive internal information to the
server using a clear-text network protocol.

This could happen because curl did not call and use sscanf() correctly when
parsing the string provided by the application.

The previous curl security vulnerability
[CVE-2021-22898](https://curl.se/docs/CVE-2021-22898.html) is almost identical
to this one but the fix was insufficient so this security vulnerability
remained.

We are not aware of any exploit of this flaw.

INFO
----

This flaw has existed in curl since commit
[a1d6ad2610](https://github.com/curl/curl/commit/a1d6ad2610) in libcurl 7.7,
released on March 22, 2001. There was a previous attempt to fix this issue in
curl 7.77.0 but it was not done proper.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2021-22925 to this issue.

CWE-457: Use of Uninitialized Variable

Severity: Medium

AFFECTED VERSIONS
-----------------

- Affected versions: curl 7.7 to and including 7.77.0
- Not affected versions: curl < 7.7 and curl >= 7.78.0

Also note that libcurl is used by many applications, and not always advertised
as such.

THE SOLUTION
------------

Use sscanf() properly and only use properly filled-in buffers.

A [fix for CVE-2021-22925](https://github.com/curl/curl/commit/894f6ec730597eb243618d33cc84d71add8d6a8a)

RECOMMENDATIONS
--------------

 A - Upgrade curl to version 7.78.0

 B - Apply the patch to your local version

 C - Avoid using `CURLOPT_TELNETOPTIONS`

TIMELINE
--------

This issue was reported to the curl project on June 11, 2021.

This advisory was posted on July 21, 2021.

CREDITS
-------

This issue was reported and patched by Red Hat Product Security.

Thanks a lot!

NOTE: This is a new vulnerability caused by the previous cURL release's vulnerability fix for CVE-2021-22898.

[edit to include the title]

[Douglas R. Reno]

CVE-2021-22926 curl: CURLOPT_SSLCERT mixup with Secure Transport

CURLOPT_SSLCERT mixup with Secure Transport
===========================================

Project curl Security Advisory, July 21st 2021 -
[Permalink](https://curl.se/docs/CVE-2021-22926.html)

VULNERABILITY
-------------

libcurl-using applications can ask for a specific client certificate to be
used in a transfer. This is done with the `CURLOPT_SSLCERT` option (`--cert`
with the command line tool).

When libcurl is built to use the macOS native TLS library Secure Transport, an
application can ask for the client certificate by name or with a file name -
using the same option. If the name exists as a file, it will be used instead
of by name.

If the appliction runs with a current working directory that is writable by
other users (like `/tmp`), a malicious user can create a file name with the
same name as the app wants to use by name, and thereby trick the application
to use the file based cert instead of the one referred to by name making
libcurl send the wrong client certificate in the TLS connection handshake.

We are not aware of any exploit of this flaw.

INFO
----

This flaw has existed in curl since commit
[d2fe616e7e](https://github.com/curl/curl/commit/d2fe616e7e) in libcurl
7.33.0, released on October 14, 2013.

The fixed libcurl version will now instead first check for a certificate in
the key chain using the specified name and only if one does not exist, it will
check for a file name.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2021-22926 to this issue.

CWE-295: Improper Certificate Validation

Severity: Medium

AFFECTED VERSIONS
-----------------

Using libcurl on macOS built to use Secure Transport.

- Affected versions: curl 7.33.0 to and including 7.77.0
- Not affected versions: curl < 7.33.0 and curl >= 7.78.0

Also note that libcurl is used by many applications, and not always advertised
as such.

THE SOLUTION
------------

File names used in this option must contain at least one slash.

A [fix for CVE-2021-22926](https://github.com/curl/curl/commit/fd9b40bf8dfd43edcbc0d254d613d95a11061c05)

RECOMMENDATIONS
--------------

 A - Upgrade curl to version 7.78.0

 B - Apply the patch to your local version

 C - Do now run your application in directories where other users can inject
     files.

TIMELINE
--------

This issue was reported to the curl project on June 15, 2021.

This advisory was posted on July 21, 2021.

CREDITS
-------

This issue was reported by Harry Sintonen. Patched by Daniel Stenberg.

Thanks a lot!

[Tim Tassonis]

Fixed in commit f70acb8fbf

[Bruce Dubbs]

Milestone renamed