#17829 closed enhancement (fixed)
curl-8.0.1
| Reported by: | Xi Ruoyao | Owned by: | Douglas R. Reno |
|---|---|---|---|
| Priority: | elevated | Milestone: | 12.0 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: | | | |
Description
New "major" version.
"major" quoted because the major version number seems only bumped as a celebration.
Change History (10)
comment:1 by , 2 years ago
comment:2 by , 2 years ago
curl and libcurl 8.0.0
- Public curl releases: 215
- Command line options: 250
- curl_easy_setopt() options: 302
- Public functions in libcurl: 91
- Contributors: 2841
This release includes the following changes:
- build: remove support for curl_off_t < 8 bytes [19]
This release includes the following bugfixes:
- .cirrus.yml: Bump to FreeBSD 13.2 [9]
- aws_sigv4: fall back to UNSIGNED-PAYLOAD for sign_as_s3 [112]
- BINDINGS: add Fortran binding [33]
- build: drop the use of XC_AMEND_DISTCLEAN [62]
- build: fix stdint/inttypes detection with non-autotools [120]
- cf-socket: fix handling of remote addr for accepted tcp sockets [17]
- cf-socket: if socket is already connected, return CURLE_OK [69]
- cf-socket: use port 80 when resolving name for local bind [109]
- CI: don't run CI jobs if only another CI was changed [92]
- CI: update ngtcp2 and nghttp2 for pytest [13]
- cmake: delete unused HAVESTRTOI64 [117]
- cmake: fix enabling LDAPS on Windows [55]
- cmake: skip CA-path/bundle auto-detection in cross-builds [57]
- connect: fix time_connect and time_appconnect timer statistics [90]
- cookie: don't load cookies again when flushing [91]
- cookie: parse without sscanf()
- curl.h: require gcc 12.1 for the deprecation magic [110]
- curl: make -w's %{stderr} use the file set with --stderr [30]
- curl_path: create the new path with dynbuf [99]
- CURLOPT_PIPEWAIT: allow waited reuse also for subsequent connections [10]
- CURLOPT_PROXY.3: curl+NSS does not handle HTTPS over unix domain socket [102]
- CURLSHOPT_SHARE.3: HSTS sharing is not thread-safe [103]
- DEPRECATE: the original legacy mingw version 1 [43]
- doc: fix compiler warning in libcurl.m4 [82]
- docs/cmdline-opts: mark all global options [6]
- docs/SECURITY-PROCESS.md: updates [67]
- docs: extend the URL API descriptions [85]
- docs: note '--data-urlencode' option [7]
- DYNBUF.md: note Curl_dyn_add* calls Curl_dyn_free on failure [70]
- easy: remove infof() debug leftover from curl_easy_recv [44]
- examples/http3.c: use CURL_HTTP_VERSION_3 [46]
- ftp: active mode with SSL, add the filter [84]
- ftp: add more conditions for connection reuse [74]
- ftp: allocate the wildcard struct on demand [59]
- ftp: make the EPSV response parser not use sscanf [25]
- ftp: replace sscanf for MDTM 213 response parsing [23]
- ftp: replace sscanf for PASV parsing [24]
- gssapi: align gss_OID_desc to silence ld warnings on macOS ventura [58]
- headers: make curl_easy_header and nextheader return different buffers [77]
- hostip: avoid sscanf and extra buffer copies [42]
- http2: fix error handling during parallel operations [96]
- http2: fix for http2-prior-knowledge when reusing connections [14]
- http2: fix handling of RST and GOAWAY to recognize partial transfers [88]
- http2: fix upload busy loop [71]
- http: don't send 100-continue for short PUT requests [93]
- http: fix unix domain socket use in https connects [28]
- http: rewrite the status line parser without sscanf [29]
- http_proxy: parse the status line without sscanf [16]
- idn: return error if the conversion ends up with a blank host [45]
- krb5: avoid sscanf for parsing [18]
- lib1560: test parsing URLs with ridiculously large fields [60]
- lib2305: deal with CURLE_AGAIN [122]
- lib517: verify time stamps without leading zeroes plus some more
- lib: silence clang/gcc -Wvla warnings in brotli headers [98]
- lib: skip Curl_llist_destroy calls [108]
- libcurl-errors.3: add the CURLHcode errors from curl_easy_header.3 [39]
- libssh2: only set the memory callbacks when debugging [65]
- libssh2: remove unused variable from libssh2's struct [124]
- libssh: use dynbuf instead of realloc [121]
- Makefile.mk: delete redundant HAVE_LDAP_SSL macro [56]
- Makefile.mk: fix -g option in debug mode [81]
- mqtt: on send error, return error [40]
- multi: make multi_perform ignore/unignore signals less often [116]
- multi: remove PENDING + MSGSENT handles from the main linked list [105]
- ngtcp2-gnutls.yml: bump to gnutls 3.8.0 [11]
- ngtcp2: fix unwanted close of file descriptor 0 [26]
- page-footer: add explanation for three missing exit codes [37]
- parsedate: parse strings without using sscanf() [2]
- parsedate: replace sscanf( for time stamp parsing [1]
- quic/schannel: fix compiler warnings [36]
- rand: use arc4random as fallback when available [48]
- rate.d: single URLs make no sense in --rate example [38]
- RELEASE-PROCEDURE.md: update coming release dates
- rtsp: avoid sscanf for parsing [15]
- runtests: use a hash table for server port numbers [51]
- sectransp: fix compiler warning c89 mixed code/declaration [32]
- sectransp: make read_cert() use a dynbuf when loading [72]
- secure-transport: fix recv return code handling [114]
- select: stop treating POLLRDBAND as an error [27]
- setopt: move the CURLOPT_CHUNK_DATA pointer to the set struct [35]
- socket: detect "dead" connections better, e.g. not fit for reuse [66]
- src: silence wmain() warning for all build methods [95]
- telnet: only accept option arguments in ascii [104]
- telnet: parse NEW_ENVIRON without sscanf [20]
- telnet: parse telnet options without sscanf [22]
- telnet: parse the WS= argument without sscanf [21]
- test1470: test socks proxy using unix sockets and connect to https [63]
- test1960: verify CURL_SOCKOPT_ALREADY_CONNECTED [64]
- test2600: detect when ALARM_TIMEOUT is in use and adjust [34]
- test422: verify --next used without a prior URL [115]
- tests/http: add pytest to GHA and improve tests [118]
- tests: add cookies features [68]
- tests: add timeout, SLOWDOWN and DELAY keywords to tests
- tests: fix gnutls-serv check [53]
- tests: fix MSVC unreachable code warnings in unit tests
- tests: hack to build most unit tests under cmake [94]
- tests: HTTP server fixups [3]
- tests: keep cmake unit tests names in sync
- tests: make CPPFLAGS common to all unit tests
- tests: make first.c the same for both lib tests and unit tests [75]
- tests: support for imaps/pop3s/smtps protocols [50]
- tests: sync option lists in runtests.pl & its man page
- tests: test secure mail protocols with explicit SSL requests [49]
- tests: use AM_CPPFILES to modify flags in unit tests
- tests: use dynamic ports numbers in pytest suite [89]
- tool: dump headers even if file is write-only [52]
- tool: improve --stderr handling [83]
- tool_getparam: don't add a new node for just --no-remote-name [5]
- tool_getparam: error if --next is used without a prior URL [119]
- tool_operate: avoid fclose(NULL) on bad header dump file [12]
- tool_operate: propagate error codes for missing URL after --next [4]
- tool_progress: shut off progress meter for --silent in parallel [8]
- tool_writeout_json. fix the output for duplicate header names [76]
- transfer: limit Windows SO_SNDBUF updates to once a second [73]
- url: fix cookielist memleak when curl_easy_reset [106]
- url: fix logic in connection reuse to deny reuse on "unclean" connections [86]
- url: fix the SSH connection reuse check [101]
- url: only reuse connections with same GSS delegation [97]
- url: remove dummy protocol handler [100]
- urlapi: '%' is illegal in host names [80]
- urlapi: avoid mutating internals in getter routine [79]
- urlapi: parse IPv6 literals without ENABLE_IPV6 [61]
- urlapi: take const args in _dup and _get functions [78]
- wildcard: remove files and move functions into ftplistparser.c
- winbuild: fix makefile clean [31]
- wolfssl: add quic/ngtcp2 detection in cmake, and fix builds [113]
- wolfSSL: resurrect the BIO io_result [54]
- ws: keep the socket non-blocking [41]
- x509asn1.c: use correct format specifier for infof() call [47]
- x509asn1: use plain %x, not %lx, when the arg is an int [87]
This release includes the following known bugs:
- see docs/KNOWN_BUGS (https://curl.se/docs/knownbugs.html)
Planned upcoming removals include:
- gskit
- NSS
- support for space-separated NOPROXY patterns
- support for the original legacy mingw version 1
comment:4 by , 2 years ago
| Owner: | changed from | to |
|---|---|---|
| Status: | new → assigned | |
comment:5 by , 2 years ago
| Priority: | normal → elevated |
|---|---|
comment:7 by , 2 years ago
8.0.1:
This release includes the following bugfixes:
- Revert "multi: remove PENDING + MSGSENT handles"
comment:8 by , 2 years ago
CVE-2023-27538
CVE-2023-27538: SSH connection too eager reuse still
Project curl Security Advisory, March 20th 2023

VULNERABILITY
libcurl would reuse a previously created connection even when an SSH related option had been changed that should have prohibited reuse.
libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, two SSH settings were left out from the configuration match checks, making them match too easily.
We are not aware of any exploit of this flaw.

INFO
These are the options that were not considered in the check, so curl would reuse a connection even if the subsequent transfer would have changed one or more of these options.
- CURLOPT_SSH_PUBLIC_KEYFILE
- CURLOPT_SSH_PRIVATE_KEYFILE
This flaw was initially introduced in curl 7.16.1.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2023-27538 to this issue.
This vulnerability is partially identical to CVE-2022-27782 since the fix for that previous issue was bad and did not actually correct the problem for these SSH options.
CWE-305: Authentication Bypass by Primary Weakness
The previous flaw CVE-2022-27782 was set to severity Medium, but since this is a partial of that and affects only two options that rarely will change with the expectation that the user will be different, this time we set it severity Low.
Severity: Low

AFFECTED VERSIONS
- Affected versions: curl 7.16.1 to and including 7.88.1
- Not affected versions: curl < 7.16.1 and curl >= 8.0.0
libcurl is used by many applications, but not always advertised as such!

THE SOLUTION
The fix for CVE-2023-27538

RECOMMENDATIONS
- A - Upgrade curl to version 8.0.0
- B - Apply the patch to your local version
- C - Avoid SCP and SFTP transfers

TIMELINE
This issue was reported to the curl project on March 9 2023.
We contacted distros@openwall on March 13, 2023.
curl 8.0.0 was released on March 20 2023, coordinated with the publication of this advisory.
CVE-2023-27537
CVE-2023-27537: HSTS double-free
Project curl Security Advisory, March 20th 2023

VULNERABILITY
libcurl supports sharing HSTS data between separate "handles". This sharing was introduced without consideration for doing this sharing across separate threads, but there was no indication of this fact in the documentation.
Due to missing mutexes or thread locks, two threads sharing the same HSTS data could end up doing a double-free or use-after-free.
We are not aware of any exploit of this flaw.

INFO
This feature was not implemented to support sharing between threads. That is still left for future improvements. The fix for this issue is therefore a documentation update clarifying that sharing HSTS between threads is not expected to work.
CVE-2023-27537 was introduced in commit 076a2f629119222a, shipped in curl 7.88.0.
CWE-415: Double Free
Severity: Low
Severity is set to Low because:
- Not widely used functionality
- The timing necessary to trigger this has to match fairly exactly
- Exploiting this for anything but denial of service is difficult

AFFECTED VERSIONS
- Affected versions: curl 7.88.0 to and including 7.88.1
- Not affected versions: curl < 7.88.0 and curl >= 8.0.0
libcurl is used by many applications, but not always advertised as such!

THE SOLUTION
A fix for CVE-2023-27537

RECOMMENDATIONS
- A - Do not share HSTS data between threads

TIMELINE
This issue was reported to the curl project on March 8 2023.
We contacted distros@openwall on March 13, 2023.
curl 8.0.0 was released on March 20 2023, coordinated with the publication of this advisory.
CVE-2023-27536
CVE-2023-27536: GSS delegation too eager connection re-use
Project curl Security Advisory, March 20th 2023

VULNERABILITY
libcurl would reuse a previously created connection even when the GSS delegation (CURLOPT_GSSAPI_DELEGATION) option had been changed that could have changed the user's permissions in a second transfer.
libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, this GSS delegation setting was left out from the configuration match checks, making them match too easily, affecting krb5/kerberos/negotiate/GSSAPI transfers.
We are not aware of any exploit of this flaw.

INFO
CVE-2023-27536 was introduced in commit ebf42c4be76df4, shipped in curl 7.22.0.
CWE-305: Authentication Bypass by Primary Weakness
Severity: Low

AFFECTED VERSIONS
- Affected versions: curl 7.22.0 to and including 7.88.1
- Not affected versions: curl < 7.22.0 and curl >= 8.0.0
libcurl is used by many applications, but not always advertised as such!

THE SOLUTION
A fix for CVE-2023-27536

RECOMMENDATIONS
- A - Upgrade curl to version 8.0.0
- B - Apply the patch to your local version
- C - Do not use the CURLOPT_GSSAPI_DELEGATION option

TIMELINE
This issue was reported to the curl project on March 7, 2023.
We contacted distros@openwall on March 13, 2023.
curl 8.0.0 was released on March 20 2023, coordinated with the publication of this advisory.
CVE-2023-27535
CVE-2023-27535: FTP too eager connection reuse
Project curl Security Advisory, March 20th 2023

VULNERABILITY
libcurl would reuse a previously created FTP connection even when one or more options had been changed that could have made the effective user a very different one, thus leading to doing the second transfer with wrong credentials.
libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several FTP settings were left out from the configuration match checks, making them match too easily. The settings in question are CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC and CURLOPT_USE_SSL level.
We are not aware of any exploit of this flaw.

INFO
CVE-2023-27535 was introduced in commit 177dbc7be07125582, shipped in curl 7.13.0.
CWE-305: Authentication Bypass by Primary Weakness
Severity: Medium

AFFECTED VERSIONS
- Affected versions: curl 7.13.0 to and including 7.88.1
- Not affected versions: curl < 7.13.0 and curl >= 8.0.0
libcurl is used by many applications, but not always advertised as such!

THE SOLUTION
A fix for CVE-2023-27535

RECOMMENDATIONS
- A - Upgrade curl to version 8.0.0
- B - Apply the patch to your local version

TIMELINE
This issue was reported to the curl project on March 5, 2023.
We contacted distros@openwall on March 13, 2023.
curl 8.0.0 was released on March 20 2023, coordinated with the publication of this advisory.
CVE-2023-27534
CVE-2023-27534: SFTP path ~ resolving discrepancy
Project curl Security Advisory, March 20th 2023

VULNERABILITY
curl supports SFTP transfers. curl's SFTP implementation offers a special feature in the path component of URLs: a tilde (~) character as the first path element in the path denotes a path relative to the user's home directory. This is supported because of wording in the once proposed to-become RFC draft that was to dictate how SFTP URLs work.
Due to a bug, the handling of the tilde in SFTP paths did however not only replace it when it is used stand-alone as the first path element but also wrongly when used as a mere prefix in the first element.
Using a path like /~2/foo when accessing a server using the user dan (with home directory /home/dan) would then quite surprisingly access the file /home/dan2/foo.
This can be taken advantage of to circumvent filtering or worse.
We are not aware of any exploit of this flaw.

INFO
CVE-2023-27534 was introduced in commit ba6f20a244, shipped in curl 7.18.0.
CWE-22: Improper Limitation of a Pathname to a Restricted Directory
Severity: Low

AFFECTED VERSIONS
- Affected versions: curl 7.18.0 to and including 7.88.1
- Not affected versions: curl < 7.18.0 and curl >= 8.0.0
libcurl is used by many applications, but not always advertised as such!

THE SOLUTION
A fix for CVE-2023-27534

RECOMMENDATIONS
- A - Upgrade curl to version 8.0.0
- B - Apply the patch to your local version
- C - Avoid using tilde in SFTP URL paths.

TIMELINE
This issue was reported to the curl project on March 5, 2023.
We contacted distros@openwall on March 13, 2023.
curl 8.0.0 was released on March 20 2023, coordinated with the publication of this advisory.
CVE-2023-27533
CVE-2023-27533: TELNET option IAC injection
Project curl Security Advisory, March 20th 2023

VULNERABILITY
curl supports communicating using the TELNET protocol and as a part of this it offers users to pass on user name and "telnet options" for the server negotiation.
Due to lack of proper input scrubbing and without it being the documented functionality, curl would pass on user name and telnet options to the server as provided. This could allow users to pass in carefully crafted content that passes on content or does option negotiation without the application intending to do so. In particular if an application for example allows users to provide the data or parts of the data.
We are not aware of any exploit of this flaw.

INFO
CVE-2023-27533 was introduced in commit a1d6ad26100bc493c7, shipped in curl 7.7.
CWE-75: Failure to Sanitize Special Elements into a Different Plane
Severity: Low

AFFECTED VERSIONS
- Affected versions: curl 7.7 to and including 7.88.1
- Not affected versions: curl < 7.7 and curl >= 8.0.0
libcurl is used by many applications, but not always advertised as such!

THE SOLUTION
Only accept ASCII user name and telnet options.
A fix for CVE-2023-27533

RECOMMENDATIONS
- A - Upgrade curl to version 8.0.0
- B - Apply the patch to your local version
- C - Do your own TELNET user name or option input filtering

TIMELINE
This issue was reported to the curl project on March 3, 2023.
We contacted distros@openwall on March 13, 2023.
curl 8.0.0 was released on March 20 2023, coordinated with the publication of this advisory.
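As an added illustration of the path handling that the CVE-2023-27534 advisory above describes, the following C compares a prefix-matching tilde expansion (the faulty behaviour) with one that expands only a stand-alone `~` first element. This is example code written for this ticket, not libcurl's own implementation; the function names, the 256-byte output buffers and the sample user `dan` with home `/home/dan` are assumptions taken from the advisory's wording.

```c
#include <stdio.h>
#include <string.h>

/* Example code for this ticket page; not libcurl's implementation.
 * Both resolvers take the user's home directory and the decoded URL path
 * (the part after the host, e.g. "/~/foo") and write the path that would
 * be sent to the SFTP server into out. They return 0 on success and -1 if
 * out is too small. Names and buffer sizes are assumptions. */

/* Faulty variant (the behaviour CVE-2023-27534 describes): any first
 * element that merely starts with '~' is treated as the home prefix, so
 * "/~2/foo" with home "/home/dan" silently becomes "/home/dan2/foo". */
static int resolve_sftp_path_buggy(const char *home, const char *url_path,
                                   char *out, size_t outlen)
{
    int n;
    if(url_path[0] == '/' && url_path[1] == '~')
        n = snprintf(out, outlen, "%s%s", home, url_path + 2); /* "/~X..." */
    else
        n = snprintf(out, outlen, "%s", url_path);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Fixed variant: the tilde is home-relative only when it is the whole
 * first element, i.e. the path is exactly "/~" or starts with "/~/".
 * Anything else ("/~2/foo", "/~dan/foo") is passed through literally. */
static int resolve_sftp_path_fixed(const char *home, const char *url_path,
                                   char *out, size_t outlen)
{
    int n;
    if(url_path[0] == '/' && url_path[1] == '~' &&
       (url_path[2] == '\0' || url_path[2] == '/'))
        n = snprintf(out, outlen, "%s%s", home, url_path + 2);
    else
        n = snprintf(out, outlen, "%s", url_path);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Check helper: resolve with the chosen variant and compare against the
 * expected server-side path. Returns 1 on match, 0 otherwise. */
static int resolves_to(int use_fixed, const char *home, const char *url_path,
                       const char *expected)
{
    char out[256];
    int rc = use_fixed ? resolve_sftp_path_fixed(home, url_path, out, sizeof out)
                       : resolve_sftp_path_buggy(home, url_path, out, sizeof out);
    return rc == 0 && strcmp(out, expected) == 0;
}

int main(void)
{
    /* Constructed sample: user "dan", home "/home/dan", as in the advisory. */
    const char *home = "/home/dan";
    const char *paths[] = { "/~", "/~/foo", "/~2/foo", "/~dan/foo", "/etc/foo" };
    size_t i;
    for(i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        char buggy[256], fixed[256];
        resolve_sftp_path_buggy(home, paths[i], buggy, sizeof buggy);
        resolve_sftp_path_fixed(home, paths[i], fixed, sizeof fixed);
        printf("%-10s faulty: %-18s fixed: %s\n", paths[i], buggy, fixed);
    }
    return 0;
}
```

Running it side by side shows why the advisory calls the result surprising: `/~2/foo` and `/~dan/foo` land inside other users' home directories under the prefix rule, while the fixed rule leaves them as literal paths that the server resolves itself, so any allow-list an application applies to the URL path describes the path actually requested.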
comment:9 by , 2 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Fixed at 1f0e7ec432bb9b31a1ae6286fa6f54fece9507b0
Issued SA-11.3-007
With gssapi and libssh2 enabled: