Opened 16 months ago

Closed 16 months ago

Last modified 16 months ago

#17432 closed enhancement (fixed)

curl-7.87.0

Reported by: Douglas R. Reno
Owned by: Douglas R. Reno
Priority: elevated
Milestone: 11.3
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New minor version. Contains two CVE fixes

Change History (6)

comment:1 by Douglas R. Reno, 16 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:2 by ken@…, 16 months ago

For me, with the book's configuration on a system just after 11.2 was released, with brotli, c-ares, gnutls, libidn2, libssh2 (off for this build) and nghttp2 I get:

TESTDONE: 1559 tests were considered during 470 seconds.
TESTDONE: 1294 tests out of 1294 reported OK: 100%

Looking at the reported failures from missing deps, these (tests/data/testNNNN) are:

test1140 - verify the nroff of man pages

test1173 - Man page syntax checks

test1177 - Verify that feature names and CURL_VERSION_* in lib and docs are in sync

So the message as currently written is wrong.

comment:3 by ken@…, 16 months ago

(I hadn't realised this ticket was taken)

The messages about impacket are from test1451 which fails to start the SMB server - I get those messages even though samba is not installed.

For ssh2, the correct optional switch to enable it is

--with-libssh2

(not --enable...) and test 1459 passes (I've got libssh2-1.10.0).

comment:4 by Douglas R. Reno, 16 months ago

Release Notes:

Changes:

    curl: add --url-query
    CURLOPT_QUICK_EXIT: don't wait for DNS thread on exit
    lib: add CURL_WRITEFUNC_ERROR to signal write callback error
    openssl: reduce CA certificate bundle reparsing by caching
    version: add a feature names array to curl_version_info_data 

Bugfixes:

    altsvc: fix rejection of negative port numbers
    aws_sigv4: consult x-%s-content-sha256 for payload hash
    aws_sigv4: fix typos in aws_sigv4.c
    base64: better alloc size
    base64: encode without using snprintf
    base64: faster base64 decoding
    build: assume assert.h is always available
    build: assume errno.h is always available
    c-hyper: CONNECT responses are not server responses
    c-hyper: fix multi-request mechanism
    CI: Change FreeBSD image from 12.3 to 12.4
    CI: LGTM.com will be shut down in December 2022
    ci: Remove zuul fuzzing job as it's superseded by CIFuzz
    cmake: check for cross-compile, not for toolchain
    CMake: fix build with `CURL_USE_GSSAPI`
    cmake: really enable warnings with clang
    cmake: set the soname on the shared library
    cmdline-opts/gen.pl: fix the linkifier
    cmdline-opts/page-footer: remove long option nroff formatting
    config-mac: define HAVE_SYS_IOCTL_H
    config-mac: fix typo: size_T -> size_t
    config-mac: remove HAVE_SYS_SELECT_H
    config-win32: fix SIZEOF_OFF_T for MSVC and old MinGW
    configure: require fork for NTLM-WB
    contributors.sh: actually use $CURLWWW instead of just setting it
    cookie: compare cookie prefixes case insensitively
    cookie: expire cookies at once when max-age is negative
    cookie: open cookie jar as a binary file
    curl-openssl.m4: do not add $prefix/include/openssl to CPPFLAGS
    curl-rustls.m4: on macOS, rustls also needs the Security framework
    curl.h: include <sys/select.h> on SerenityOS
    curl.h: name all public function parameters
    curl.h: reword comment to not use deprecated option
    curl: override the numeric locale and set "C" by force
    curl: timeout in the read callback
    curl_endian: remove Curl_write64_le from header
    curl_get_line: allow last line without newline char
    curl_path: do not add '/' if homedir ends with one
    curl_url_get.3: remove spurious backtick
    curl_url_set.3: document CURLU_DISALLOW_USER
    curl_url_set.3: fix typo
    CURLMOPT_SOCKETFUNCTION.3: clarify CURL_POLL_REMOVE
    CURLOPT_COOKIEFILE.3: advice => advise
    CURLOPT_DEBUGFUNCTION.3: do not assume nul-termination in example
    CURLOPT_DEBUGFUNCTION.3: emphasize that incoming data is "raw"
    CURLOPT_POST.3: Explain setting to 0 changes request type
    docs/curl_ws_send: Fixed typo in websocket docs
    docs/EARLY-RELEASE.md: how to determine an early release
    docs/examples: spell correction ('Retrieve')
    docs/INSTALL.md: expand on static builds
    docs/WEBSOCKET.md: explain the URL use
    docs: add missing parameters for --retry flag
    docs: add more "SEE ALSO" links to CA related pages
    docs: explain the noproxy CIDR notation support
    docs: extend the dump-header documentation
    docs: remove performance note in CURLOPT_SSL_VERIFYPEER
    examples/10-at-a-time: fix possible skipped final transfers
    examples: update descriptions
    ftp: support growing files with CURLOPT_IGNORE_CONTENT_LENGTH
    gen.pl: do not generate CURLHELP bitmask lines > 79 characters
    GHA: clarify workflows permissions, set least possible privilege
    GHA: NSS use clang instead of clang-9
    gnutls: use common gnutls init and verify code for ngtcp2
    headers: add endif comments
    HTTP-COOKIES.md: mention that http://localhost is a secure context
    HTTP-COOKIES.md: update the 6265bis link to draft-11
    http: do not send PROXY more than once
    http: fix the ::1 comparison for IPv6 localhost for cookies
    http: set 'this_is_a_follow' in the Location: logic
    http: use the IDN decoded name in HSTS checks
    hyper: classify headers as CONNECT and 1XX
    hyper: fix handling of hyper_task's when reusing the same address
    idn: remove Curl_win32_ascii_to_idn
    INSTALL: update operating systems and CPU archs
    KNOWN_BUGS: remove eight entries
    lib1560: add some basic IDN host name tests
    lib: connection filters (cfilter) addition to curl:
    lib: feature deprecation warnings in gcc >= 4.3
    lib: fix some type mismatches and remove unneeded typecasts
    lib: parse numbers with fixed known base 10
    lib: remove bad set.opt_no_body assignments
    lib: rewind BEFORE request instead of AFTER previous
    lib: sync guard for Curl_getaddrinfo_ex() definition and use
    lib: use size_t or int etc instead of longs
    libcurl-errors.3: remove duplicate word
    libssh2: return error when ssh_hostkeyfunc returns error
    limit-rate.d: see also --rate
    log2changes.pl: wrap long lines at 80 columns
    Makefile.mk: address minor issues
    Makefile.mk: improve a GNU Make hack
    Makefile.mk: portable Makefile.m32
    maketgz: set the right version in lib/libcurl.plist
    mime: relax easy/mime structures binding
    misc: Fix incorrect spelling
    misc: remove duplicated include files
    misc: typo and grammar fixes
    negtelnetserver.py: have it call its close() method
    netrc.d: provide mutext info
    netware: remove leftover traces
    noproxy: also match with adjacent comma
    noproxy: guard against empty hostnames in noproxy check
    noproxy: tailmatch like in 7.85.0 and earlier
    nroff-scan.pl: detect double highlights
    ntlm: improve comment for encrypt_des
    ntlm: silence ubsan warning about copying from null target_info pointer
    openssl/mbedtls: use %d for outputting port with failf (int)
    openssl: prefix errors with '[lib]/[version]: '
    os400: use platform socklen_t in Curl_getnameinfo_a
    page-header: grammar improvement (display transfer rate)
    proxy: refactor haproxy protocol handling as connection filter
    README.md: remove badges and xmas-tree garnish
    rtsp: fix RTSP auth
    runtests: --no-debuginfod now disables DEBUGINFOD_URLS
    runtests: do CRLF replacements per section only
    scripts/checksrc.pl: detect duplicated include files
    sendf: change Curl_read_plain to wrap Curl_recv_plain
    sendf: remove unnecessary if condition
    setup: do not require __MRC__ defined for Mac OS 9 builds
    smb/telnet: do not free the protocol struct in *_done()
    socks: fix username max size is 255 (0xFF)
    spellcheck.words: remove 'github' as an accepted word
    ssl-reqd.d: clarify that this is for upgrading connections only
    strcase: use curl_str(n)equal for case insensitive matches
    styled-output.d: this option does not work on Windows
    system.h: fix socklen_t, curl_off_t, long long for Classic Mac OS
    system.h: support 64-bit curl_off_t for NonStop 32-bit
    test1421: fix typo
    test3026: reduce runtime in legacy mingw builds
    tests/sshserver.pl: re-enable ssh-rsa while using openssh 8.8+
    tests: add authorityInfoAccess to generated certs
    tests: add HTTP/3 test case, custom location for proper nghttpx
    tls: backends use connection filters for IO, enabling HTTPS-proxy
    tool: determine the correct fopen option for -D
    tool_cfgable: free the ssl_ec_curves on exit
    tool_cfgable: make socks5_gssapi_nec a boolean
    tool_formparse: avoid clobbering on function params
    tool_getparam: make --no-get work as the opposite of --get
    tool_operate: provide better errmsg for -G with bad URL
    tool_operate: when aborting, make sure there is a non-NULL error buffer
    tool_paramhlp: free the proto strings on exit
    url: move back the IDN conversion of proxy names
    urlapi: reject more bad letters from the host name: &+()
    urldata: change port num storage to int and unsigned short
    vms: remove SIZEOF_SHORT
    vtls: fix build without proxy support
    vtls: localization of state data in filters
    WEBSOCKET.md: fix broken link
    Websocket: fixes for partial frames and buffer updates
    websockets: fix handling of partial frames
    windows: fail early with a missing windres in autotools
    windows: fix linking .rc to shared curl with autotools
    winidn: drop WANT_IDN_PROTOTYPES
    ws: if no connection is around, return error
    ws: return CURLE_NOT_BUILT_IN when websockets not built in
    x509asn1: avoid freeing unallocated pointers 

CVE-2022-43551

VULNERABILITY

curl's HSTS check could be bypassed to trick it to keep using HTTP.

Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL.

The HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced by ASCII counterparts as part of the IDN conversion, such as using the UTF-8 character U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E). In a subsequent request, curl then does not detect the HSTS state and makes a clear-text transfer, because it would store the info IDN encoded but look for it IDN decoded.

Reproducible like this:

curl --hsts hsts.txt https://curl%E3%80%82se
curl --hsts hsts.txt http://curl%E3%80%82se

We are not aware of any exploit of this flaw.

INFO

This flaw was introduced in commit 7385610d0c7, which was shipped enabled by default from commit d71ff2b9db566b3f in curl 7.77.0.

This issue is similar to both the previous issues CVE-2022-42916 and CVE-2022-30115.

This became a new separate vulnerability simply because we did not properly test and research related side-issues while we worked on fixing the previous issues.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2022-43551 to this issue.

CWE-319: Cleartext Transmission of Sensitive Information

Severity: Medium

AFFECTED VERSIONS

Affected versions: curl 7.77.0 to and including 7.86.0

Not affected versions: curl < 7.77.0 and curl >= 7.87.0

curl built without IDN support is not vulnerable.

libcurl is used by many applications, but not always advertised as such!

THE SOLUTION

A fix for CVE-2022-43551

RECOMMENDATIONS

A - Upgrade curl to version 7.87.0

B - Apply the patch to your local version

C - Stick to always using HTTPS:// in URLs

TIMELINE

This issue was reported to the curl project on October 29, 2022. We contacted distros@openwall on December 12, 2022.

curl 7.87.0 was released on December 21, 2022, coordinated with the publication of this advisory.

CVE-2022-43552

VULNERABILITY

curl can be asked to tunnel virtually all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations using an appropriate HTTP error response code.

When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct after it had been freed, in its transfer shutdown code path.

We are not aware of any exploit of this flaw.

INFO

This flaw was introduced for TELNET in commit b7eeb6e67fca68 on September 7, 2006. The SMB part was introduced in 2014 with commit aec2e865f06669.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2022-43552 to this issue.

CWE-416: Use After Free

Severity: Low

AFFECTED VERSIONS

Affected versions: curl 7.16.0 to and including 7.86.0

Not affected versions: curl < 7.16.0 and curl >= 7.87.0

libcurl is used by many applications, but not always advertised as such!

THE SOLUTION

A fix for CVE-2022-43552

RECOMMENDATIONS

A - Upgrade curl to version 7.87.0

B - Apply the patch to your local version

C - Avoid using SMB and TELNET or disable HTTP proxy use

TIMELINE

This issue was reported to the curl project on November 7, 2022. We contacted distros@openwall on December 12, 2022.

curl 7.87.0 was released on December 21, 2022, coordinated with the publication of this advisory.
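The store/lookup mismatch behind CVE-2022-43551 in the advisory above, as an added example that is not curl's own code: a toy HSTS cache whose record path IDN-encodes the host while its lookup path, in the vulnerable mode, compares the raw decoded name instead. Python's built-in IDNA codec is assumed as a stand-in for libidn2, and the URLs are the advisory's reproduction URLs.

```python
# Added example (not curl's code): models the HSTS cache mismatch fixed in 7.87.0.
from urllib.parse import unquote, urlsplit


def idn_to_ascii(host: str) -> str:
    """Assumption: Python's IDNA codec stands in for libidn2 here. Nameprep maps
    U+3002 (IDEOGRAPHIC FULL STOP) to an ASCII '.', so 'curl\u3002se' and
    'curl.se' both canonicalise to 'curl.se'."""
    return host.encode("idna").decode("ascii").lower()


def host_of(url: str) -> str:
    # Percent-decode the authority, turning 'curl%E3%80%82se' into 'curl\u3002se'.
    return unquote(urlsplit(url).hostname or "")


class HstsCache:
    def __init__(self, canonical_lookup: bool):
        self.hosts = set()
        # False reproduces the vulnerable behaviour; True is the consistent fix.
        self.canonical_lookup = canonical_lookup

    def record(self, url: str) -> None:
        """An https:// response carrying Strict-Transport-Security stores the
        host in its IDN-encoded (ASCII) form."""
        if urlsplit(url).scheme == "https":
            self.hosts.add(idn_to_ascii(host_of(url)))

    def scheme_for(self, url: str) -> str:
        """Decide whether an http:// URL must be upgraded to https://."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return parts.scheme
        raw = host_of(url)
        # Vulnerable: look up the IDN-decoded name, which never matches the
        # IDN-encoded key that record() stored, so HSTS is silently skipped.
        # Fixed: canonicalise exactly as record() did before the lookup.
        key = idn_to_ascii(raw) if self.canonical_lookup else raw
        return "https" if key in self.hosts else "http"


# The advisory's reproduction URLs: same site, U+3002 used as the label separator.
HTTPS_URL = "https://curl%E3%80%82se"
HTTP_URL = "http://curl%E3%80%82se"


def run(canonical_lookup: bool) -> str:
    """Record HSTS from the https:// visit, then ask what the http:// visit gets."""
    cache = HstsCache(canonical_lookup)
    cache.record(HTTPS_URL)
    return cache.scheme_for(HTTP_URL)
```

`run(False)` yields the clear-text "http" transfer the advisory describes, while `run(True)` upgrades to "https".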

comment:5 by Douglas R. Reno, 16 months ago

Resolution: fixed
Status: assigned → closed

Fixed at 0516cd2902cf3c7ce5a18f8459f822d3bcafe216

Security advisory coming shortly

comment:6 by Douglas R. Reno, 16 months ago

SA-11.2-063 issued
