Opened 12 months ago

Closed 12 months ago

Last modified 9 months ago

#18058 closed enhancement (fixed)

curl-8.1.0

Reported by: Douglas R. Reno Owned by: Tim Tassonis
Priority: elevated Milestone: 12.0
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

New minor version

Contains four security fixes

Change History (5)

comment:1 by Tim Tassonis, 12 months ago

Owner: changed from blfs-book to Tim Tassonis
Status: new → assigned
    curl: add --proxy-http2
    CURLPROXY_HTTPS2: for HTTPS proxy that may speak HTTP/2
    hostip: refuse to resolve the .onion TLD
    tool_writeout: add URL component variables 

Bugfixes:

    amiga: Fix CA certificate paths for AmiSSL and MorphOS
    autotools: sync up clang picky warnings with cmake
    aws-sigv4.d: fix region identifier in example
    bufq: simplify since expression is always true
    cf-h1-proxy: skip an extra NULL assign
    cf-h2-proxy: fix processing ingress to stop too early
    cf-socket: add socket recv buffering for most tcp cases
    cf-socket: Disable socket receive buffer by default
    cf-socket: remove dead code discovered by PVS
    cf-socket: turn off IPV6_V6ONLY on Windows if it is supported
    checksrc: check for spaces before the colon of switch labels
    checksrc: find bad indentation in conditions without open brace
    checksrc: fix SPACEBEFOREPAREN for conditions starting with "*"
    ci: `-Wno-vla` no longer necessary
    CI: fix brew retries on GHA
    CI: Set minimal permissions on workflow ngtcp2-quictls.yml
    CI: skip Azure for commits which change only GHA
    CI: use another glob syntax for matching files on Appveyor
    cmake: bring in the network library on Haiku
    cmake: do not add zlib headers for openssl
    CMake: make config version 8 compatible with 7
    cmake: picky-linker fixes for openssl, ZLIB, H3 and more
    cmake: set SONAME for SunOS too
    cmake: speed up and extend picky clang/gcc options
    CMakeLists.txt: fix typo for Haiku detection
    compressed.d: clarify the words on "not notifying headers"
    config-dos.h: fix SIZEOF_CURL_OFF_T for MS-DOS/DJGPP
    configure: don't set HAVE_WRITABLE_ARGV on Windows
    configure: fix detection of apxs (for httpd)
    configure: make quiche require quiche_conn_send_ack_eliciting
    connect: fix https connection setup to treat ssl_mode correctly
    content_encoding: only do transfer-encoding compression if asked to
    cookie: address PVS nits
    cookie: clarify that init with data set to NULL reads no file
    curl: do NOT append file name to path for upload when there's a query
    curl_easy_getinfo.3: typo fix (duplicated "from the")
    curl_easy_unescape.3: rename the argument
    curl_path: bring back support for SFTP path ending in /~
    curl_url_set.3: mention that users can set content rather freely
    CURLOPT_IPRESOLVE.3: this for host names, not IP addresses
    data.d: emphasize no conversion
    digest: clear target buffer
    doc: curl_mime_init() strong easy binding was relaxed in 7.87.0
    docs/cmdline-opts: document the dotless config path
    docs/examples/protofeats.c: outputs all protocols and features
    docs/libcurl/curl_*escape.3: rename "url" argument to "input"/"string"
    docs/SECURITY-ADVISORY.md: how to write a curl security advisory
    docs: bump the minimum perl version to 5.6
    docs: clarify that more backends have HTTPS proxy support
    dynbuf: never allocate larger than "toobig"
    easy_cleanup: require a "good" handle to act
    ftp: fix 'portsock' variable was assigned the same value
    ftp: remove dead code
    ftplistparser: move out private data from public struct
    ftplistparser: replace realloc with dynbuf
    gen.pl: error on duplicated See-Also fields
    getpart: better handle case of file not found
    GHA-linux: add an address-sanitizer build
    GHA: add a memory-sanitizer job
    GHA: run all linux test jobs with valgrind
    GHA: suppress git clone output
    GIT-INFO: add --with-openssl
    gskit: various compile errors in OS400
    h2/h3: replace `state.drain` counter with `state.dselect_bits`
    hash: fix assigning same value
    headers: clear (possibly) lingering pointer in init
    hostcheck: fix host name wildcard checking
    hostip: add locks around use of global buffer for alarm()
    hostip: enforce a maximum DNS cache size independent of timeout value
    HTTP-COOKIES.md: mention the #HttpOnly_ prefix
    http2: always EXPIRE_RUN_NOW unpaused http/2 transfers
    http2: do flow window accounting for cancelled streams
    http2: enlarge the connection window
    http2: flow control and buffer improvements
    http2: move HTTP/2 stream vars into local context
    http2: pass `stream` to http2_handle_stream_close to avoid NULL checks
    http2: remove unused Curl_http2_strerror function declaration
    HTTP3/quiche: terminate h1 response header when no body is sent
    http3: check stream_ctx more thoroughly in all backends
    HTTP3: document the ngtcp2/nghttp3 versions to use for building curl
    http3: expire unpaused transfers in all HTTP/3 backends
    http3: improvements across backends
    http: free the url before storing a new copy
    http: skip a double NULL assign
    ipv4.d/ipv6.d: they are "mutex", not "boolean"
    KNOWN_BUGS: remove fixed or outdated issues, move non-bugs
    lib/cmake: add HAVE_WRITABLE_ARGV check
    lib/sha256.c: typo fix in comment (duplicated "is available")
    lib1560: verify that more bad host names are rejected
    lib: add `bufq` and `dynhds`
    lib: remove CURLX_NO_MEMORY_CALLBACKS
    lib: unify the upload/method handling
    lib: use correct printf flags for sockets and timediffs
    libssh2: fix crash in keyboard callback
    libssh2: free fingerprint better
    libssh: tell it to use SFTP non-blocking
    man pages: simplify the .TH sections
    MANUAL.md: add dict example for looking up a single definition
    md(4|5): don't use deprecated iOS functions
    md4: only build when used
    mime: skip NULL assigns after Curl_safefree()
    multi: add handle asserts in DEBUG builds
    multi: add multi-ignore logic to multi_socket_action
    multi: free up more data earleier in DONE
    multi: remove a few superfluous assigns
    multi: remove PENDING + MSGSENT handles from the main linked list
    ngtcp2: adapted to 0.15.0
    ngtcp2: adjust config and code checks for ngtcp2 without nghttp3
    noproxy: pointer to local array 'hostip' is stored outside scope
    ntlm: clear lm and nt response buffers before use
    openssl: interop with AWS-LC
    OS400: fix and complete ILE/RPG binding
    OS400: implement EBCDIC support for recent features
    OS400: improve vararg emulation
    OS400: provide ILE/RPG usage examples
    pingpong: fix compiler warning "assigning an enum to unsigned char"
    pytest: improvements for suitable curl and error output
    quiche: disable pacing while pacing is not actually performed
    quiche: Enable IDLE egress handling
    RELEASE-PROCEDURE: update to new schedule
    rtsp: convert mallocs to dynbuf for RTP buffering
    rtsp: skip malformed RTSP interleaved frame data
    rtsp: skip NULL assigns after Curl_safefree()
    runtests: die if curl version can be found
    runtests: don't start servers if -l is given
    runtests: fix -c option when run with valgrind
    runtests: fix quoting in Appveyor and Azure test integration
    runtests: lots of refactoring
    runtests: refactor into more packages
    runtests: show error message if file can't be written
    runtests: spawn a new process for the test runner
    rustls: fix error in recv handling
    schannel: add clarifying comment
    server/getpart: clear target buffer before load
    smb: remove double assign
    smbserver: remove temporary files before exit
    socketpair: verify with a random value
    ssh: Add support for libssh2 read timeout
    telnet: simplify the implementation of str_is_nonascii()
    test1169: fix so it works properly everywhere
    test1592: add flaky keyword
    test1960: point to the correct path for the precheck tool
    test303: kill server after test
    tests/http: add timeout to running curl in test cases
    tests/http: fix log formatting on wrong exit code
    tests/http: fix out-of-tree builds
    tests/http: improved httpd detection
    tests/http: more tests with specific clients
    tests/http: relax connection check in test_07_02
    tests/keywords.pl: remove
    tests/libtest/lib1900.c: remove
    tests/sshserver.pl: Define AddressFamily earlier
    tests: 1078 1288 1297 use valid IPv4 addresses
    tests: document that the unittest keyword is special
    tests: increase sws timeout for more robust testing
    tests: log a too-long Unix socket path in sws and socksd
    tests: make test_12_01 a bit more forgiving on connection counts
    tests: move pidfiles and portfiles under the log directory
    tests: move server config files under the pid dir
    tests: silence some Perl::Critic warnings in test suite
    tests: stop using strndup(), which isn't portable
    tests: switch to 3-argument open in test suite
    tests: turn perl modules into full packages
    tests: use %LOGDIR to refer to the log directory
    tool_cb_hdr: Fix 'Location:' formatting for early VTE terminals
    tool_operate: pass a long as CURLOPT_HEADEROPT argument
    tool_operate: refuse (--data or --form) and --continue-at combo
    transfer: refuse POSTFIELDS + RESUME_FROM combo
    transfer: skip extra assign
    url: fix null dispname for --connect-to option
    url: fix PVS nits
    url: remove call to Curl_llist_destroy in Curl_close
    urlapi: cleanups and improvements
    urlapi: detect and error on illegal IPv4 addresses
    urlapi: prevent setting invalid schemes with *url_set()
    urlapi: skip a pointless assign
    urlapi: URL encoding for the URL missed the fragment
    urldata: copy CURLOPT_AWS_SIGV4 value on handle duplication
    urldata: shrink *select_bits int => unsigned char
    vlts: use full buffer size when receiving data if possible
    vtls and h2 improvements
    Websocket: enhanced en-/decoding
    wolfssl.yml: bump to version 5.6.0
    write-out.d: Use response_code in example
    ws: handle reads before EAGAIN better 

comment:2 by Tim Tassonis, 12 months ago

Resolution: fixed
Status: assigned → closed

Fixed in commit 9c032d6f99

comment:3 by Douglas R. Reno, 11 months ago

Security Vulnerability Information:

CVE-2023-28322

CVE-2023-28322 more POST-after-PUT confusion

VULNERABILITY

When doing HTTP(S) transfers, libcurl might erroneously use the read callback 
(CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option 
has been set, if the same handle previously was used to issue a PUT request which used 
that callback.

This flaw may surprise the application and cause it to misbehave and either send off 
the wrong data or use memory after free or similar in the second transfer.

The problem exists in the logic for a reused handle when it is (expected to be) changed 
from a PUT to a POST.

INFO

The code actually sending wrong data or doing a use-after-free is not present in 
libcurl code but are only presumed scenarios that might become the outcome of libcurl 
surprisingly calling the read callback in a situation where it is not expected to.

This flaw cannot be triggered with the command line tool.

This problem is almost identical to CVE-2022-32221. A difference this time is that 
setting CURLOPT_POST for the second transfer avoids the problem, whereas only setting 
CURLOPT_POSTFIELDS after the PUT still makes the second transfer a PUT and use the 
callback.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name 
CVE-2023-28322 to this issue.

CWE-440: Expected Behavior Violation

Severity: Low

AFFECTED VERSIONS

    Affected versions: libcurl 7.7 to and including 8.0.1
    Not affected versions: libcurl < 7.7 and >= 8.1.0
    Introduced-in: https://github.com/curl/curl/commit/546572da0457f3

libcurl is used by many applications, but not always advertised as such!

SOLUTION

This time the logic is improved to avoid having two separate variable fields holding 
info about HTTP method and behavior. Now there is only one, which should make it harder 
to end up in such a confused middle state.

    Fixed-in: https://github.com/curl/curl/commit/7815647d6582c0a4900be2e1de

RECOMMENDATIONS

A - Upgrade curl to version 8.1.0

B - Apply the patch to your local version

C - Do not mix using the read callback and CURLOPT_POSTFIELDS string on a reused 
easy handle

TIMELINE

This issue was reported to the curl project on April 19, 2023. We contacted 
distros@openwall on May 9, 2023.

libcurl 8.1.0 was released on May 17 2023, coordinated with the publication of this 
advisory.

CVE-2023-28321

CVE-2023-28321 IDN wildcard match

VULNERABILITY

curl supports matching of wildcard patterns when listed as "Subject Alternative Name" 
in TLS server certificates. curl can be built to use its own name matching function for 
TLS rather than one provided by a TLS library. This private wildcard matching function 
would match IDN (International Domain Name) hosts incorrectly and could as a result 
accept patterns that otherwise should mismatch.

IDN hostnames are converted to puny code before used for certificate checks. Puny coded 
names always start with xn-- and should not be allowed to pattern match, but the 
wildcard check in curl could still check for x*, which would match even though the IDN 
name most likely contained nothing even resembling an x.

INFO

curl's wildcard matching function is used only when curl was built to use OpenSSL, 
Schannel or Gskit. All other backends use the matching functions of the corresponding 
TLS library and are thus not vulnerable to this flaw.

This flaw is lessened somewhat by two factors:

    Certificates issued by Certificate Authorities for the public Internet are not 
allowed to use "partial" wildcards, thus completely avoiding this issue.

    In many circumstances, the control of host names used and the wildcards used in 
issued certificates are controlled by the same entity, making this unlikely to actually 
become a problem.

curl does not need to be built with IDN support to be vulnerable, as a user can pass in 
a puny coded version of the host name directly in the URL and can then trigger this 
flaw.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name 
CVE-2023-28321 to this issue.

CWE-295: Improper Certificate Validation

Severity: Low

AFFECTED VERSIONS

This bug was introduced in curl when IDN support was first introduced, in curl 7.12.0 - 
June 2004. The wildcard function was subsequently updated for this case in 2012 (the 
IDN problem is mentioned in RFC 6125 in a far from obvious way) but was done wrongly, 
so the flaw remained.

    Affected versions: curl 7.12.0 to and including 8.0.1
    Not affected versions: curl < 7.12.0 and curl >= 8.1.0
    Introduced-in: https://github.com/curl/curl/commit/9631fa740708b1890197fad

libcurl is used by many applications, but not always advertised as such!

SOLUTION

curl 8.1.0 completely removes the support for "partial" patterns and now only supports 
*.. No a*, a*b or *b matches. For all host names, IDN or not.

    Fixed-in: https://github.com/curl/curl/commit/199f2d440d8659b42

RECOMMENDATIONS

A - Upgrade curl to version 8.1.0

B - Apply the patch to your local version

TIMELINE

This issue was reported to the curl project on April 17 2023. We contacted 
distros@openwall on May 9, 2023.

curl 8.1.0 was released on May 17 2023, coordinated with the publication of this 
advisory.

CVE-2023-28320

CVE-2023-28320 siglongjmp race condition

VULNERABILITY

libcurl provides several different backends for resolving host names, selected at build 
time. If it is built to use the synchronous resolver, it allows name resolves to time-
out slow operations using alarm() and siglongjmp().

When doing this, libcurl used a global buffer that was not mutex protected and a multi-
threaded application might therefore crash or otherwise misbehave.

INFO

Most platforms and systems build libcurl to use the threaded resolver or with c-ares, 
neither of those suffer from this flaw. Most platforms that build with the synchronous 
resolver don't feature alarm() and siglongjmp() and therefore are not vulnerable either.

Since alarm() uses signals, it is not advisable to use in a multi-threaded environment 
(signals and threads rarely mix very well) which reduces the risk that this flaw hurts 
many users.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name 
CVE-2023-28320 to this issue.

CWE-662: Improper Synchronization

Severity: Low

AFFECTED VERSIONS

    Affected versions: curl 7.9.8 to and including 8.0.1
    Not affected versions: curl < 7.9.8 and curl >= 8.1.0
    Introduced-in: https://github.com/curl/curl/commit/3c49b405de4fbf1f

libcurl is used by many applications, but not always advertised as such!

SOLUTION

The fix is to only support this timeout ability if curl has and can properly mutex 
protect the buffer.

    Fixed-in: https://github.com/curl/curl/commit/13718030ad4b3209a7583b

RECOMMENDATIONS

A - Upgrade curl to version 8.1.0

B - Apply the patch to your local version

C - Do not use the synchronous name resolver option

TIMELINE

This issue was reported to the curl project on April 2 2023. We contacted 
distros@openwall on May 9, 2023.

curl 8.1.0 was released on May 17 2023, coordinated with the publication of this 
advisory.

CVE-2023-28319

CVE-2023-28319 UAF in SSH sha256 fingerprint check

VULNERABILITY

libcurl offers a feature to verify an SSH server's public key using a SHA 256 hash. 
When this check fails, libcurl would free the memory for the fingerprint before it 
returns an error message containing the (now freed) hash.

This flaw risks inserting sensitive heap-based data into the error message that might 
be shown to users or otherwise get leaked and revealed.

INFO

This only applies to users of the CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 option, which is 
only supported for libcurl built with libssh2 (curl optionally supports other SSH 
backends). Either of the options CURLOPT_VERBOSE or CURLOPT_ERRORBUFFER also need to be 
set to trigger the problem.

The damage is somewhat limited by the extremely short time window between the free and 
the use of the freed memory.

The largest possible info leak that can happen due to this flaw per trigger occasion, 
is limited to CURL_ERROR_SIZE - the error message prefix length (69) = 186 bytes. It 
will also stop at the first null byte within those 186 bytes.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name 
CVE-2023-28319 to this issue.

CWE-416: Use After Free

Severity: Medium

AFFECTED VERSIONS

    Affected versions: curl 7.81.0 to and including 8.0.1
    Not affected versions: curl < 7.81.0 and curl >= 8.1.0
    Introduced-in: https://github.com/curl/curl/commit/3467e89bb97e6c87c7

libcurl is used by many applications, but not always advertised as such!

SOLUTION

    Fixed-in: https://github.com/curl/curl/commit/8e21b1a05f3c0ee098dbcb6c

RECOMMENDATIONS

A - Upgrade curl to version 8.1.0

B - Apply the patch to your local version

C - Do not use CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256

TIMELINE

This issue was reported to the curl project on March 21 2023. We contacted 
distros@openwall on May 9, 2023.

curl 8.1.0 was released on May 17 2023, coordinated with the publication of this 
advisory.
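The wildcard rule that the CVE-2023-28321 fix leaves in place (only a leading `*.` standing for one whole leftmost label; `a*`, `a*b`, `*b` forms are no longer wildcards) can be checked with a small matcher. The function below is an added illustration written for this ticket, not curl's own `hostcheck.c`: it follows the rule the advisory states, strips one trailing dot from each side, refuses to let a wildcard match an IPv4 literal, and rejects patterns with fewer than two dots as too wide. The IPv4 detector and the "reject rather than fall back to a literal match" choice for patterns like `*.com` are simplifications assumed here.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive comparison of two byte ranges of the same length. */
static bool eq_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    }
    return true;
}

/* Literal match: same length and same bytes ignoring ASCII case. */
static bool exact_match(const char *host, size_t hostlen,
                        const char *pat, size_t patlen)
{
    return hostlen == patlen && eq_nocase(host, pat, hostlen);
}

/* Simplified IPv4-literal check (digits and dots only); assumption for this
   example, real code would parse the address properly. */
static bool looks_like_ipv4(const char *host, size_t hostlen)
{
    if (hostlen == 0)
        return false;
    for (size_t i = 0; i < hostlen; i++)
        if (!isdigit((unsigned char)host[i]) && host[i] != '.')
            return false;
    return true;
}

/* Match a host name against a SAN dNSName pattern under the curl 8.1.0 rule:
   the only wildcard form is a leading "*." covering exactly one whole label.
   Any other '*' is a literal byte, so "x*.example.com" can no longer match a
   puny-coded "xn--..." label. */
bool hostmatch(const char *host, const char *pattern)
{
    size_t hostlen = strlen(host);
    size_t patlen = strlen(pattern);
    if (hostlen == 0 || patlen == 0)
        return false;

    /* Normalise by dropping one trailing dot on each side. */
    if (host[hostlen - 1] == '.')
        hostlen--;
    if (pattern[patlen - 1] == '.')
        patlen--;
    if (hostlen == 0 || patlen == 0)
        return false;

    /* Anything that does not start with "*." is compared literally. */
    if (patlen < 2 || pattern[0] != '*' || pattern[1] != '.')
        return exact_match(host, hostlen, pattern, patlen);

    /* A wildcard never matches an IP address literal. */
    if (looks_like_ipv4(host, hostlen))
        return false;

    /* Require at least two dots in the pattern: "*.com" is too wide. */
    const char *pat_label_end = memchr(pattern, '.', patlen); /* dot after '*' */
    const char *pat_last_dot = NULL;
    for (size_t i = patlen; i > 0; i--) {
        if (pattern[i - 1] == '.') {
            pat_last_dot = pattern + i - 1;
            break;
        }
    }
    if (pat_last_dot == pat_label_end)
        return false;

    /* The host needs a non-empty leftmost label for '*' to consume; the rest
       must equal the pattern after the '*'. */
    const char *host_label_end = memchr(host, '.', hostlen);
    if (!host_label_end || host_label_end == host)
        return false;
    size_t host_rest = hostlen - (size_t)(host_label_end - host);
    size_t pat_rest = patlen - (size_t)(pat_label_end - pattern);
    return exact_match(host_label_end, host_rest, pat_label_end, pat_rest);
}
```

Note that `*.example.com` still matches `xn--mnchen-3ya.example.com`: the fix restricts the shape of the pattern, not which labels a whole-label wildcard may stand for, which is what "for all host names, IDN or not" in the advisory means.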

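The ordering bug behind CVE-2023-28319 (free the fingerprint, then format it into the error message) is a general pattern worth showing in isolation. The following is an added example written for this ticket, not curl's libssh2 code: `compute_fingerprint_b64` is a constructed stand-in that returns an owned heap string, and the error text, the 256-byte buffer size and the prefix wording are assumptions chosen to mirror the advisory's arithmetic rather than copied from curl.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size; the advisory's "CURL_ERROR_SIZE - 69 = 186" implies 256. */
#define ERROR_SIZE 256

/* Constructed stand-in for a backend call that returns a freshly allocated,
   base64-encoded SHA-256 host key fingerprint. Ownership passes to the
   caller. For a deterministic example the "encoding" is the identity. */
static char *compute_fingerprint_b64(const char *hostkey)
{
    if (!hostkey)
        return NULL;
    size_t n = strlen(hostkey) + 1;
    char *copy = malloc(n);
    if (copy)
        memcpy(copy, hostkey, n);
    return copy;
}

/* Returns 0 when the computed fingerprint equals expected_b64, nonzero
   otherwise. On failure errbuf receives a message that quotes the remote
   fingerprint. The heap string is formatted into errbuf BEFORE it is freed;
   the vulnerable ordering did free() first and then read the freed bytes
   while building the message. */
int verify_hostkey_sha256(const char *hostkey, const char *expected_b64,
                          char *errbuf, size_t errlen)
{
    char *fp = compute_fingerprint_b64(hostkey);
    if (!fp) {
        snprintf(errbuf, errlen, "could not compute host key fingerprint");
        return 1;
    }

    int rc = 0;
    if (!expected_b64 || strcmp(fp, expected_b64) != 0) {
        /* Use the heap data while it is still valid ... */
        snprintf(errbuf, errlen,
                 "Denied establishing ssh session: sha256 fingerprint mismatch. "
                 "Remote %s is not equal to %s",
                 fp, expected_b64 ? expected_b64 : "(none)");
        rc = 1;
    }
    /* ... and release it only after the last read. */
    free(fp);
    return rc;
}

/* Convenience wrapper for callers that only want the verdict and a copy of
   the message; errbuf must be at least ERROR_SIZE bytes. */
int verify_into(const char *hostkey, const char *expected_b64, char *errbuf)
{
    errbuf[0] = '\0';
    return verify_hostkey_sha256(hostkey, expected_b64, errbuf, ERROR_SIZE);
}
```

Because `snprintf` is bounded by `errlen`, a mismatch message can never overrun the buffer, and because the fingerprint is read before `free`, the message only ever contains the computed fingerprint, never whatever the allocator left behind.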
comment:4 by Douglas R. Reno, 11 months ago

SA-11.3-031 issued.

comment:5 by Bruce Dubbs, 9 months ago

Milestone: 11.4 → 12.0

Milestone renamed
