Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#16968 closed enhancement (fixed)

curl-7.85.0

Reported by: Douglas R. Reno
Owned by: Douglas R. Reno
Priority: elevated
Milestone: 11.3
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New point version released in coordination with a CVE

The CVE is marked as Low though, and even though it's easy to exploit due to it being related to processing cookies when connecting to HTTP(S) sites, it would require far too much retesting to update a day or two before release.

Change History (4)

comment:1 by Douglas R. Reno, 3 years ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:2 by Douglas R. Reno, 3 years ago

Changelog:

Changes:

    quic: add support via wolfSSL
    schannel: Add TLS 1.3 support
    setopt: add CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR 

Bugfixes:

    amigaos: fix threaded resolver on AmigaOS 4.x
    amissl: allow AmiSSL to be used with AmigaOS 4.x builds
    amissl: make AmiSSL v5 a minimum requirement
    asyn-ares: make a single alloc out of hostname + async data
    asyn-thread: fix socket leak on OOM
    asyn-thread: make getaddrinfo_complete return CURLcode
    base64: base64url encoding has no padding
    BUGS.md: improve language
    build: improve OS string in CMake and `config-win32.h`
    cert.d: clarify that escape character works for file paths
    cirrus.yml: replace py38-pip with py39-pip
    cirrus/freebsd-ci: bootstrap the pip installer
    cmake: add detection of threadsafe feature
    cmake: do not force Windows target versions
    cmake: fix build for mingw cross compile
    cmake: link curl to its dependencies with PRIVATE
    cmake: remove APPEND in export(TARGETS)
    cmake: set feature PSL if present
    cmake: support ngtcp2 boringssl backend
    cmdline-opts/gen.pl: improve performance
    config: remove the check for and use of SIZEOF_SHORT
    configure: -pthread not available on AmigaOS 4.x
    configure: check for the stdatomic.h header in configure
    configure: fix --disable-headers-api
    configure: fix broken m4 syntax in TLS options
    configure: fixup bsdsocket detection code for AmigaOS 4.x
    configure: if asked to use TLS, fail if no TLS lib was detected
    configure: introduce CURL_SIZEOF
    connect: add quic connection information
    connect: close the happy eyeballs loser connection when using QUIC
    connect: revert the use of IP*_RECVERR
    connect: set socktype/protocol correctly
    cookie: reject cookies with "control bytes"
    cookie: treat a blank domain in Set-Cookie: as non-existing
    cookie: use %zu to infof() for size_t values
    curl-compilers.m4: make icc use -diag* options and disable two warnings
    curl-config: quote directories with potential space
    curl-confopts: remove leftover AC_REQUIREs
    curl-functions.m4: check whether atomics can link
    curl-wolfssl.m4: add options header when building test code
    curl.h: CURLE_CONV_FAILED is obsoleted
    curl.h: include <sys/select.h> on SunOS
    curl: output warning when a cookie is dropped due to size
    curl: writeout: fix repeated header outputs
    Curl_close: call Curl_resolver_cancel to avoid memory-leak
    curl_easy_header: Add CURLH_PSEUDO to sanity check
    curl_mime_data.3: polish the wording
    curl_multi_timeout.3: clarify usage
    CURLINFO_SPEED_UPLOAD/DOWNLOAD.3: fix examples
    CURLOPT_BUFFERSIZE.3: add upload buffersize to see also
    CURLOPT_CONNECT_ONLY.3: clarify multi API use
    CURLOPT_SERVER_RESPONSE_TIMEOUT: the new name
    digest: fix memory leak, fix not quoted 'opaque'
    digest: fix missing increment of 'nc' value for auth-int
    digest: pass over leading spaces in qop values
    digest: reject broken header with session protocol but without qop
    docs/cmdline-opts/gen.pl: encode leading single and double quotes
    docs/cmdline-opts: fix example and categories for --form-escape
    docs/cmdline: mark fail and fail-with-body as mutually exclusive
    docs: add dns category to --resolve
    docs: explain curl_easy_escape/unescape curl handle is ignored
    docs: remove him/her/he/she from documentation
    doh: move doh related struct definitions to doh.h
    doh: use https protocol by default
    easy_lock.h: include sched.h if available to fix build
    easy_lock.h: use __asm__ instead of asm to fix build
    easy_lock: fix build for mingw
    easy_lock: fix build with icc
    easy_lock: fix the #ifdef conditional for ia32_pause
    easy_lock: switch to using atomic_int instead of bool
    easyoptions: fix icc warning
    escape: remove outdated comment
    examples/curlx.c: remove
    file: add handling of native AmigaOS paths
    file: fix icc enumerated type mixed with another type warning
    ftp: use a correct expire ID for timer expiry
    getinfo: return better error on NULL as first argument
    GHA: add two Intel compiler CI jobs
    GHA: move libressl CI from zuul to GitHub
    gha: move over ngtcp2-gnutls CI job from zuul
    GHA: mv CI torture test from Zuul
    h2h3: fix overriding the 'TE: Trailers' header
    hostip: resolve *.localhost to 127.0.0.1/::1
    HTTP3.md: update to msh3 v0.4.0
    http: typecast the httpreq assignment to avoid icc compiler warning
    http_aws_sigv4.c: remove two unusued includes
    http_chunks: remove an assign + typecast
    hyper: customize test1274 to how hyper unfolds headers
    hyper: enable obs-folded multiline headers
    hyper: use wakers for curl pause/resume
    imap: use ISALNUM() for alphanumeric checks
    ldap: adapt to conn->port now being an 'int'
    lib/curl_path.c: add ISC to license expression
    lib3026: reduce the number of threads to 100
    libcurl-security.3: fix typo on macro "SH_"
    libssh2: make atime/mtime date overflow return error
    libssh2: provide symlink name in SFTP dir listing
    libssh: ignore deprecation warnings
    libssh: make atime/mtime date overflow return error
    Makefile.m32: add `CURL_RC` and `CURL_STRIP` variables [ci skip]
    Makefile.m32: add `NGTCP2_LIBS` option [ci skip]
    makefile.m32: add support for custom ARCH [ci skip]
    Makefile.m32: allow -nghttp3/-ngtcp2 without -ssl [ci skip]
    Makefile.m32: do not set the libcurl.rc debug flag [ci skip]
    Makefile.m32: stop trying to build libcares.a [ci skip]
    memdebug: add annotation attributes
    mprintf: fix *dyn_vprintf() when out-of-memory
    mprintf: make dprintf_formatf never return negative
    msh3: fix the QUIC disconnect function
    multi: fix the return code from Curl_pgrsDone()
    multi: have curl_multi_remove_handle close CONNECT_ONLY transfer
    multi: use a pipe instead of a socketpair on apple platforms
    multi: use larger dns hash table for multi interface
    multi_wait: fix and improve Curl_poll error handling on Windows
    multi_wait: fix skipping to populate revents for extra_fds
    netrc.d: remove spurious quote
    netrc: Use the password from lines without login
    ngtcp2: Fix build error due to change in nghttp3 prototypes
    ngtcp2: fix incompatible function pointer types
    ngtcp2: Fix missing initialization of nghttp3_nv.flags
    ngtcp2: fix stall or busy loop on STOP_SENDING with upload data
    ngtcp2: implement cb_h3_stop_sending and cb_h3_reset_stream callbacks
    openssl: add `CURL_BORINGSSL_VERSION` to identify BoringSSL
    openssl: add cert path in error message
    openssl: add details to "unable to set client certificate" error
    openssl: fix BoringSSL symbol conflicts with LDAP and Schannel
    quiche: fix build failure
    select: do not return fatal error on EINTR from poll()
    sendf: fix paused header writes since after the header API
    sendf: make Curl_debug a void function
    sendf: skip storing HTTP headers if HTTP disabled
    sendf: store the header type in an usigned char to avoid icc warnings
    splay: avoid using -1 in unsigned variable
    test3026: add support for Windows using native Win32 threads
    test3026: require 'threadsafe'
    test44[2-4]: add '--resolve' to the keywords
    tests/server/sockfilt.c: avoid race condition without a mutex
    tests: fix http2 tests to use CRLF headers
    tests: several enumerated type cleanups
    THANKS: merged two entries for Evgeny Grin
    tidy-up: delete unused build configuration macros
    tool: reintroduce set file comment code for AmigaOS
    tool_cfgable: make 'synthetic_error' a plain bool
    tool_formparse: fix variable may be used before its value is set
    tool_getparam: make --doh-url "" switch it off
    tool_getparam: repair cleanarg
    tool_operate: better cleanup of easy handle in exit path
    tool_paramhlp: fix "enumerated type mixed with another type"
    tool_paramhlp: make check_protocol return ParameterError
    tool_progress: avoid division by zero in parallel progress meter
    tool_writeout: fix enumerated type mixed with another type
    trace: 0x7F character is non-printable
    unit1303: four tests should have TRUE for 'connecting'
    url: enumerated type mixed with another type
    url: really use the user provided in the url when netrc entry exists
    url: reject URLs with hostnames longer than 65535 bytes
    url: treat missing usernames in netrc as empty
    urldata: change second proxytype field to unsigned char to match
    urldata: make 'negnpn' use less storage
    urldata: make state.httpreq an unsigned char
    urldata: make three *_proto struct fields smaller
    urldata: move smaller fields down in connectdata struct
    urldata: reduce size of several struct fields
    vtls: make Curl_ssl_backend() return the enum type curl_sslbackend
    windows: improve random source 

Security Advisory:

CVE-2022-35252: control code in cookie denial of service

Project curl Security Advisory, August 31 2022

VULNERABILITY

When curl retrieves and parses cookies from an HTTP(S) server, it accepts cookies using control codes (byte values below 32). When cookies that contain such control codes are later sent back to an HTTP(S) server, it might make the server return a 400 response, effectively allowing a "sister site" to deny service to siblings.

We are not aware of any exploit of this flaw.

INFO

This flaw in the code was initially introduced in curl 4.9, but HTTP(S) servers back then did not generally reject requests using control codes, so this mistake did not actually cause problems until HTTP(S) servers started doing this much later. Different server implementations of course started doing it at different times (with some also still accepting them just fine).

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2022-35252 to this issue.

CWE-1286: Improper Validation of Syntactic Correctness of Input

Severity: Low

AFFECTED VERSIONS

Affected versions: curl 4.9 to and including 7.84.0
Not affected versions: curl < 4.9 and curl >= 7.85.0

libcurl is used by many applications, but not always advertised as such!

THE SOLUTION

fix for CVE-2022-35252

RECOMMENDATIONS

A - Upgrade curl to version 7.85.0

B - Apply the patch to your local version

C - Do not enable the cookie engine

TIMELINE

This issue was reported to the curl project on June 26, 2022. We contacted distros@openwall on August 22.

libcurl 7.85.0 was released on August 31 2022, coordinated with the publication of this advisory.
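
Added example (not curl's code and not part of this ticket): a client-side acceptance check of the kind the bugfix line "cookie: reject cookies with "control bytes"" describes, written against the advisory's definition of a control code as any byte below 32. The function names and the constructed Set-Cookie samples are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return true if any byte of the NUL-terminated string is a control code.
   The advisory defines these as byte values below 32; this example applies
   that definition literally (so TAB is rejected as well). */
bool has_control_bytes(const char *s)
{
    for (; *s; s++) {
        if ((unsigned char)*s < 0x20)
            return true;
    }
    return false;
}

/* Decide whether a Set-Cookie: header value may enter the cookie jar.
   Only the name=value pair (up to the first ';') is what gets sent back in
   a later Cookie: header, so that is what is copied and checked.
   Returns true and writes the pair to `out` on acceptance; returns false
   (and leaves `out` empty) on rejection. */
bool cookie_accept(const char *setcookie, char *out, size_t outlen)
{
    const char *end = strchr(setcookie, ';');
    size_t len = end ? (size_t)(end - setcookie) : strlen(setcookie);

    out[0] = '\0';
    if (len == 0 || len >= outlen)
        return false;                       /* empty or oversized pair */
    if (memchr(setcookie, '=', len) == NULL)
        return false;                       /* not a name=value pair */
    memcpy(out, setcookie, len);
    out[len] = '\0';
    if (has_control_bytes(out)) {           /* the CVE-2022-35252 check */
        out[0] = '\0';
        return false;
    }
    return true;
}

int main(void)
{
    /* Constructed samples: a normal cookie and one carrying byte 0x01. */
    const char *good = "sid=abc123; Path=/; HttpOnly";
    const char *bad  = "sid=abc\001def; Path=/";
    char jar[64];
    printf("%s -> %s\n", good, cookie_accept(good, jar, sizeof jar) ? jar : "rejected");
    printf("%s -> %s\n", "sid=abc<0x01>def; Path=/", cookie_accept(bad, jar, sizeof jar) ? jar : "rejected");
    return 0;
}
```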

comment:3 by Douglas R. Reno, 3 years ago

Resolution: fixed
Status: assigned → closed

comment:4 by Douglas R. Reno, 3 years ago

SA-11.2-002 issued.
