#17432 closed enhancement (fixed)
curl-7.87.0
Reported by: | Douglas R. Reno | Owned by: | Douglas R. Reno |
---|---|---|---|
Priority: | elevated | Milestone: | 11.3 |
Component: | BOOK | Version: | git |
Severity: | normal | Keywords: | |
Cc: |
Description
New minor version. Contains two CVE fixes
Change History (6)
comment:1 by , 2 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:2 by , 2 years ago
comment:3 by , 2 years ago
(I hadn't realised this ticket was taken)
The messages about impacket are from test1451 which fails to start the SMB server - I get those messages even though samba is not installed.
For ssh2, the correct optional switch to enable it is
--with-libssh2
(not --enable...) and test 1459 passes (I've got libssh2-1.10.0).
comment:4 by , 2 years ago
Release Notes:
Changes:
curl: add --url-query
CURLOPT_QUICK_EXIT: don't wait for DNS thread on exit
lib: add CURL_WRITEFUNC_ERROR to signal write callback error
openssl: reduce CA certificate bundle reparsing by caching
version: add a feature names array to curl_version_info_data
Bugfixes:
altsvc: fix rejection of negative port numbers
aws_sigv4: consult x-%s-content-sha256 for payload hash
aws_sigv4: fix typos in aws_sigv4.c
base64: better alloc size
base64: encode without using snprintf
base64: faster base64 decoding
build: assume assert.h is always available
build: assume errno.h is always available
c-hyper: CONNECT respones are not server responses
c-hyper: fix multi-request mechanism
CI: Change FreeBSD image from 12.3 to 12.4
CI: LGTM.com will be shut down in December 2022
ci: Remove zuul fuzzing job as it's superseded by CIFuzz
cmake: check for cross-compile, not for toolchain
CMake: fix build with `CURL_USE_GSSAPI`
cmake: really enable warnings with clang
cmake: set the soname on the shared library
cmdline-opts/gen.pl: fix the linkifier
cmdline-opts/page-footer: remove long option nroff formatting
config-mac: define HAVE_SYS_IOCTL_H
config-mac: fix typo: size_T -> size_t
config-mac: remove HAVE_SYS_SELECT_H
config-win32: fix SIZEOF_OFF_T for MSVC and old MinGW
configure: require fork for NTLM-WB
contributors.sh: actually use $CURLWWW instead of just setting it
cookie: compare cookie prefixes case insensitively
cookie: expire cookies at once when max-age is negative
cookie: open cookie jar as a binary file
curl-openssl.m4: do not add $prefix/include/openssl to CPPFLAGS
curl-rustls.m4: on macOS, rustls also needs the Security framework
curl.h: include <sys/select.h> on SerenityOS
curl.h: name all public function parameters
curl.h: reword comment to not use deprecated option
curl: override the numeric locale and set "C" by force
curl: timeout in the read callback
curl_endian: remove Curl_write64_le from header
curl_get_line: allow last line without newline char
curl_path: do not add '/' if homedir ends with one
curl_url_get.3: remove spurious backtick
curl_url_set.3: document CURLU_DISALLOW_USER
curl_url_set.3: fix typo
CURLMOPT_SOCKETFUNCTION.3: clarify CURL_POLL_REMOVE
CURLOPT_COOKIEFILE.3: advice => advise
CURLOPT_DEBUGFUNCTION.3: do not assume nul-termination in example
CURLOPT_DEBUGFUNCTION.3: emphasize that incoming data is "raw"
CURLOPT_POST.3: Explain setting to 0 changes request type
docs/curl_ws_send: Fixed typo in websocket docs
docs/EARLY-RELEASE.md: how to determine an early release
docs/examples: spell correction ('Retrieve')
docs/INSTALL.md: expand on static builds
docs/WEBSOCKET.md: explain the URL use
docs: add missing parameters for --retry flag
docs: add more "SEE ALSO" links to CA related pages
docs: explain the noproxy CIDR notation support
docs: extend the dump-header documentation
docs: remove performance note in CURLOPT_SSL_VERIFYPEER
examples/10-at-a-time: fix possible skipped final transfers
examples: update descriptions
ftp: support growing files with CURLOPT_IGNORE_CONTENT_LENGTH
gen.pl: do not generate CURLHELP bitmask lines > 79 characters
GHA: clarify workflows permissions, set least possible privilege
GHA: NSS use clang instead of clang-9
gnutls: use common gnutls init and verify code for ngtcp2
headers: add endif comments
HTTP-COOKIES.md: mention that http://localhost is a secure context
HTTP-COOKIES.md: update the 6265bis link to draft-11
http: do not send PROXY more than once
http: fix the ::1 comparison for IPv6 localhost for cookies
http: set 'this_is_a_follow' in the Location: logic
http: use the IDN decoded name in HSTS checks
hyper: classify headers as CONNECT and 1XX
hyper: fix handling of hyper_task's when reusing the same address
idn: remove Curl_win32_ascii_to_idn
INSTALL: update operating systems and CPU archs
KNOWN_BUGS: remove eight entries
lib1560: add some basic IDN host name tests
lib: connection filters (cfilter) addition to curl:
lib: feature deprecation warnings in gcc >= 4.3
lib: fix some type mismatches and remove unneeded typecasts
lib: parse numbers with fixed known base 10
lib: remove bad set.opt_no_body assignments
lib: rewind BEFORE request instead of AFTER previous
lib: sync guard for Curl_getaddrinfo_ex() definition and use
lib: use size_t or int etc instead of longs
libcurl-errors.3: remove duplicate word
libssh2: return error when ssh_hostkeyfunc returns error
limit-rate.d: see also --rate
log2changes.pl: wrap long lines at 80 columns
Makefile.mk: address minor issues
Makefile.mk: improve a GNU Make hack
Makefile.mk: portable Makefile.m32
maketgz: set the right version in lib/libcurl.plist
mime: relax easy/mime structures binding
misc: Fix incorrect spelling
misc: remove duplicated include files
misc: typo and grammar fixes
negtelnetserver.py: have it call its close() method
netrc.d: provide mutext info
netware: remove leftover traces
noproxy: also match with adjacent comma
noproxy: guard against empty hostnames in noproxy check
noproxy: tailmatch like in 7.85.0 and earlier
nroff-scan.pl: detect double highlights
ntlm: improve comment for encrypt_des
ntlm: silence ubsan warning about copying from null target_info pointer
openssl/mbedtls: use %d for outputing port with failf (int)
openssl: prefix errors with '[lib]/[version]: '
os400: use platform socklen_t in Curl_getnameinfo_a
page-header: grammar improvement (display transfer rate)
proxy: refactor haproxy protocol handling as connection filter
README.md: remove badges and xmas-tree garnish
rtsp: fix RTSP auth
runtests: --no-debuginfod now disables DEBUGINFOD_URLS
runtests: do CRLF replacements per section only
scripts/checksrc.pl: detect duplicated include files
sendf: change Curl_read_plain to wrap Curl_recv_plain
sendf: remove unnecessary if condition
setup: do not require __MRC__ defined for Mac OS 9 builds
smb/telnet: do not free the protocol struct in *_done()
socks: fix username max size is 255 (0xFF)
spellcheck.words: remove 'github' as an accepted word
ssl-reqd.d: clarify that this is for upgrading connections only
strcase: use curl_str(n)equal for case insensitive matches
styled-output.d: this option does not work on Windows
system.h: fix socklen_t, curl_off_t, long long for Classic Mac OS
system.h: support 64-bit curl_off_t for NonStop 32-bit
test1421: fix typo
test3026: reduce runtime in legacy mingw builds
tests/sshserver.pl: re-enable ssh-rsa while using openssh 8.8+
tests: add authorityInfoAccess to generated certs
tests: add HTTP/3 test case, custom location for proper nghttpx
tls: backends use connection filters for IO, enabling HTTPS-proxy
tool: determine the correct fopen option for -D
tool_cfgable: free the ssl_ec_curves on exit
tool_cfgable: make socks5_gssapi_nec a boolean
tool_formparse: avoid clobbering on function params
tool_getparam: make --no-get work as the opposite of --get
tool_operate: provide better errmsg for -G with bad URL
tool_operate: when aborting, make sure there is a non-NULL error buffer
tool_paramhlp: free the proto strings on exit
url: move back the IDN conversion of proxy names
urlapi: reject more bad letters from the host name: &+()
urldata: change port num storage to int and unsigned short
vms: remove SIZEOF_SHORT
vtls: fix build without proxy support
vtls: localization of state data in filters
WEBSOCKET.md: fix broken link
Websocket: fixes for partial frames and buffer updates
websockets: fix handling of partial frames
windows: fail early with a missing windres in autotools
windows: fix linking .rc to shared curl with autotools
winidn: drop WANT_IDN_PROTOTYPES
ws: if no connection is around, return error
ws: return CURLE_NOT_BUILT_IN when websockets not built in
x509asn1: avoid freeing unallocated pointers
CVE-2022-43551
VULNERABILITY
curl's HSTS check could be bypassed to trick it to keep using HTTP.
Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL.
The HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E). Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the info IDN encoded but look for it IDN decoded.
Reproducible like this:
curl --hsts hsts.txt https://curl%E3%80%82se
curl --hsts hsts.txt http://curl%E3%80%82se
We are not aware of any exploit of this flaw.
INFO
This flaw was introduced in commit 7385610d0c7, which was shipped enabled by default from commit d71ff2b9db566b3f in curl 7.77.0.
This issue is similar to both the previous issues CVE-2022-42916 and CVE-2022-30115.
This became a new separate vulnerability simply because we did not properly test and research related side-issues while we worked on fixing the previous issues.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2022-43551 to this issue.
CWE-319: Cleartext Transmission of Sensitive Information
Severity: Medium
AFFECTED VERSIONS
Affected versions: curl 7.77.0 to and including 7.86.0
Not affected versions: curl < 7.77.0 and curl >= 7.87.0
curl built without IDN support is not vulnerable.
libcurl is used by many applications, but not always advertised as such!
THE SOLUTION
A fix for CVE-2022-43551
RECOMMENDATIONS
A - Upgrade curl to version 7.87.0
B - Apply the patch to your local version
C - Stick to always using HTTPS:// in URLs
TIMELINE
This issue was reported to the curl project on October 29, 2022. We contacted distros@openwall on December 12, 2022.
curl 7.87.0 was released on December 21 2022, coordinated with the publication of this advisory.
CVE-2022-43552
VULNERABILITY
curl can be asked to tunnel virtually all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations using an appropriate HTTP error response code.
When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct after it had been freed, in its transfer shutdown code path.
We are not aware of any exploit of this flaw.
INFO
This flaw was introduced for TELNET in commit b7eeb6e67fca68 on September 7, 2006. The SMB part was introduced in 2014 with commit aec2e865f06669.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2022-43552 to this issue.
CWE-416: Use After Free
Severity: Low
AFFECTED VERSIONS
Affected versions: curl 7.16.0 to and including 7.86.0
Not affected versions: curl < 7.16.0 and curl >= 7.87.0
libcurl is used by many applications, but not always advertised as such!
THE SOLUTION
A fix for CVE-2022-43552
RECOMMENDATIONS
A - Upgrade curl to version 7.87.0
B - Apply the patch to your local version
C - Avoid using SMB and TELNET or disable HTTP proxy use
TIMELINE
This issue was reported to the curl project on November 7, 2022. We contacted distros@openwall on December 12, 2022.
curl 7.87.0 was released on December 21 2022, coordinated with the publication of this advisory.
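The CVE-2022-43551 advisory quoted above boils down to a cache-key mismatch: the HSTS entry is stored under the IDN-encoded host name, but the check on the next request uses the not-yet-converted name, so a URL spelled with U+3002 instead of an ASCII dot never matches. The following Python is an added illustration written for this ticket, not curl's code: the HstsCache class, canonical_host() and apply_hsts() are hypothetical, and Python's standard-library "idna" codec stands in for curl's IDN conversion (it folds U+3002 to U+002E and punycodes non-ASCII labels, which is the behaviour that matters here). The same cache is built once with the buggy raw-name lookup and once with canonicalised lookup on both the store and the check path, and the advisory's two-request reproduction is replayed against each.

```python
# Added example, not curl's own code: a toy HSTS cache showing the lookup
# mismatch behind CVE-2022-43551 and its fix. HstsCache, canonical_host()
# and apply_hsts() are hypothetical names; Python's stdlib "idna" codec
# stands in for the IDN conversion curl performs.
from urllib.parse import urlsplit, urlunsplit, unquote


def canonical_host(host):
    """Map every spelling of a host name to one ASCII key.

    Percent-decode, IDNA-encode (this folds U+3002 IDEOGRAPHIC FULL STOP
    and similar characters to U+002E and punycodes non-ASCII labels) and
    lower-case, so "curl%E3%80%82se", "curl\u3002se" and "Curl.SE" all
    become "curl.se".
    """
    host = unquote(host)  # "curl%E3%80%82se" -> "curl\u3002se"
    return host.encode("idna").decode("ascii").lower()  # -> "curl.se"


class HstsCache:
    """Remembers hosts that must only be reached over HTTPS.

    Store side: the name is always saved IDN-encoded, as curl did.
    Lookup side: canonical_lookup=False reproduces the bug (the raw,
    unconverted name is used as the key); True is the fixed behaviour,
    where the check path canonicalises exactly like the store path.
    """

    def __init__(self, canonical_lookup):
        self._hosts = set()
        self._canonical_lookup = canonical_lookup

    def remember(self, host):
        self._hosts.add(canonical_host(host))

    def is_hsts(self, host):
        key = canonical_host(host) if self._canonical_lookup else host
        return key in self._hosts


def apply_hsts(url, cache):
    """Return the URL to actually use: upgraded to https:// when the host
    has an HSTS entry, otherwise unchanged (i.e. a clear-text request)."""
    parts = urlsplit(url)
    if parts.scheme == "http" and cache.is_hsts(parts.hostname):
        return urlunsplit(("https", parts.netloc, parts.path,
                           parts.query, parts.fragment))
    return url


def demo():
    """Replay the advisory's two-step reproduction against both caches.

    Returns {"buggy": <url used>, "fixed": <url used>} for the second,
    http:// request. The two URLs are constructed from the advisory."""
    first = "https://curl%E3%80%82se"   # first request: populates the cache
    second = "http://curl%E3%80%82se"   # second request: must be upgraded
    results = {}
    for name, cache in (("buggy", HstsCache(False)),
                        ("fixed", HstsCache(True))):
        cache.remember(urlsplit(first).hostname)  # what request 1 stores
        results[name] = apply_hsts(second, cache)
    return results


if __name__ == "__main__":
    for name, url in demo().items():
        print(f"{name} cache: second request goes to {url}")
```

Run stand-alone, the "buggy" cache leaves the second request on http:// while the "fixed" one upgrades it to https://. The design point is that a security cache keyed on host names has to apply one canonicalisation function on every path that touches the key; doing it only on insert, or only on lookup, is what turns a harmless spelling difference into a downgrade.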
comment:5 by , 2 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Fixed at 0516cd2902cf3c7ce5a18f8459f822d3bcafe216
Security advisory coming shortly
For me, with the book's configuration on a system just after 11.2 was released, with brotli, c-ares, gnutls, libidn2, libssh2 (off for this build) and nghttp2 I get:
Looking at the reported failures from missing deps, these (tests/data/testNNNN) are:
test1140 - verify the nroff of man pages
test1173 - Man page syntax checks
test1177 - Verify that feature names and CURL_VERSION_* in lib and docs are in sync
So the message as currently written is wrong.