#18058 closed enhancement (fixed)
curl-8.1.0
| Reported by: | Douglas R. Reno | Owned by: | Tim Tassonis |
|---|---|---|---|
| Priority: | elevated | Milestone: | 12.0 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: | | | |
Description
New minor version
Contains four security fixes
Change History (5)
comment:1 by , 2 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:3 by , 2 years ago
Security Vulnerability Information:
CVE-2023-28322 more POST-after-PUT confusion
VULNERABILITY
When doing HTTP(S) transfers, libcurl might erroneously use the read callback
(CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option
has been set, if the same handle previously was used to issue a PUT request which used
that callback.
This flaw may surprise the application and cause it to misbehave and either send off
the wrong data or use memory after free or similar in the second transfer.
The problem exists in the logic for a reused handle when it is (expected to be) changed
from a PUT to a POST.
INFO
The code actually sending wrong data or doing a use-after-free is not present in
libcurl code; these are only presumed scenarios that might become the outcome of libcurl
surprisingly calling the read callback in a situation where it is not expected to.
This flaw cannot be triggered with the command line tool.
This problem is almost identical to CVE-2022-32221. A difference this time is that
setting CURLOPT_POST for the second transfer avoids the problem, whereas only setting
CURLOPT_POSTFIELDS after the PUT still makes the second transfer a PUT and use the
callback.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2023-28322 to this issue.
CWE-440: Expected Behavior Violation
Severity: Low
AFFECTED VERSIONS
Affected versions: libcurl 7.7 to and including 8.0.1
Not affected versions: libcurl < 7.7 and >= 8.1.0
Introduced-in: https://github.com/curl/curl/commit/546572da0457f3
libcurl is used by many applications, but not always advertised as such!
SOLUTION
This time the logic is improved to avoid having two separate variable fields holding
info about HTTP method and behavior. Now there is only one, which should make it harder
to end up in such a confused middle state.
Fixed-in: https://github.com/curl/curl/commit/7815647d6582c0a4900be2e1de
RECOMMENDATIONS
A - Upgrade curl to version 8.1.0
B - Apply the patch to your local version
C - Do not mix using the read callback and the CURLOPT_POSTFIELDS string on a reused
easy handle
TIMELINE
This issue was reported to the curl project on April 19, 2023. We contacted
distros@openwall on May 9, 2023.
libcurl 8.1.0 was released on May 17 2023, coordinated with the publication of this
advisory.
CVE-2023-28321 IDN wildcard match
VULNERABILITY
curl supports matching of wildcard patterns when listed as "Subject Alternative Name"
in TLS server certificates. curl can be built to use its own name matching function for
TLS rather than one provided by a TLS library. This private wildcard matching function
would match IDN (International Domain Name) hosts incorrectly and could as a result
accept patterns that otherwise should mismatch.
IDN hostnames are converted to punycode before being used for certificate checks.
Punycoded names always start with xn-- and should not be allowed to pattern match, but
the wildcard check in curl could still check for x*, which would match even though the
IDN name most likely contained nothing even resembling an x.
INFO
curl's wildcard matching function is used only when curl was built to use OpenSSL,
Schannel or Gskit. All other backends use the matching functions of the corresponding
TLS library and are thus not vulnerable to this flaw.
This flaw is lessened somewhat by two factors:
- Certificates issued by Certificate Authorities for the public Internet are not
allowed to use "partial" wildcards, thus completely avoiding this issue.
- In many circumstances, the host names used and the wildcards used in issued
certificates are controlled by the same entity, making this unlikely to actually
become a problem.
curl does not need to be built with IDN support to be vulnerable, as a user can pass in
a puny coded version of the host name directly in the URL and can then trigger this
flaw.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2023-28321 to this issue.
CWE-295: Improper Certificate Validation
Severity: Low
AFFECTED VERSIONS
This bug was introduced in curl when IDN support was first introduced, in curl 7.12.0 -
June 2004. The wildcard function was subsequently updated for this case in 2012 (the
IDN problem is mentioned in RFC 6125 in a far from obvious way) but was done wrongly,
so the flaw remained.
Affected versions: curl 7.12.0 to and including 8.0.1
Not affected versions: curl < 7.12.0 and curl >= 8.1.0
Introduced-in: https://github.com/curl/curl/commit/9631fa740708b1890197fad
libcurl is used by many applications, but not always advertised as such!
SOLUTION
curl 8.1.0 completely removes the support for "partial" patterns and now only supports
`*.`. No a*, a*b or *b matches. For all host names, IDN or not.
Fixed-in: https://github.com/curl/curl/commit/199f2d440d8659b42
RECOMMENDATIONS
A - Upgrade curl to version 8.1.0
B - Apply the patch to your local version
TIMELINE
This issue was reported to the curl project on April 17 2023. We contacted
distros@openwall on May 9, 2023.
curl 8.1.0 was released on May 17 2023, coordinated with the publication of this
advisory.
CVE-2023-28320 siglongjmp race condition
VULNERABILITY
libcurl provides several different backends for resolving host names, selected at build
time. If it is built to use the synchronous resolver, it allows name resolves to time
out slow operations using alarm() and siglongjmp().
When doing this, libcurl used a global buffer that was not mutex protected and a
multi-threaded application might therefore crash or otherwise misbehave.
INFO
Most platforms and systems build libcurl to use the threaded resolver or with c-ares;
neither of those suffers from this flaw. Most platforms that build with the synchronous
resolver don't feature alarm() and siglongjmp() and therefore are not vulnerable either.
Since alarm() uses signals, it is not advisable to use in a multi-threaded environment
(signals and threads rarely mix very well), which reduces the risk that this flaw hurts
many users.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2023-28320 to this issue.
CWE-662: Improper Synchronization
Severity: Low
AFFECTED VERSIONS
Affected versions: curl 7.9.8 to and including 8.0.1
Not affected versions: curl < 7.9.8 and curl >= 8.1.0
Introduced-in: https://github.com/curl/curl/commit/3c49b405de4fbf1f
libcurl is used by many applications, but not always advertised as such!
SOLUTION
The fix is to only support this timeout ability if curl has and can properly mutex
protect the buffer.
Fixed-in: https://github.com/curl/curl/commit/13718030ad4b3209a7583b
RECOMMENDATIONS
A - Upgrade curl to version 8.1.0
B - Apply the patch to your local version
C - Do not use the synchronous name resolver option
TIMELINE
This issue was reported to the curl project on April 2 2023. We contacted
distros@openwall on May 9, 2023.
curl 8.1.0 was released on May 17 2023, coordinated with the publication of this
advisory.
CVE-2023-28319 UAF in SSH sha256 fingerprint check
VULNERABILITY
libcurl offers a feature to verify an SSH server's public key using a SHA-256 hash.
When this check fails, libcurl would free the memory for the fingerprint before it
returns an error message containing the (now freed) hash.
This flaw risks inserting sensitive heap-based data into the error message that might
be shown to users or otherwise get leaked and revealed.
INFO
This only applies to users of the CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 option, which is
only supported for libcurl built with libssh2 (curl optionally supports other SSH
backends). Either of the options CURLOPT_VERBOSE or CURLOPT_ERRORBUFFER also needs to be
set to trigger the problem.
The damage is somewhat limited by the extremely short time window between the free and
the use of the freed memory.
The largest possible info leak that can happen due to this flaw per trigger occasion
is limited to CURL_ERROR_SIZE - the error message prefix length (69) = 186 bytes. It
will also stop at the first null byte within those 186 bytes.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2023-28319 to this issue.
CWE-416: Use After Free
Severity: Medium
AFFECTED VERSIONS
Affected versions: curl 7.81.0 to and including 8.0.1
Not affected versions: curl < 7.81.0 and curl >= 8.1.0
Introduced-in: https://github.com/curl/curl/commit/3467e89bb97e6c87c7
libcurl is used by many applications, but not always advertised as such!
SOLUTION
Fixed-in: https://github.com/curl/curl/commit/8e21b1a05f3c0ee098dbcb6c
RECOMMENDATIONS
A - Upgrade curl to version 8.1.0
B - Apply the patch to your local version
C - Do not use CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256
TIMELINE
This issue was reported to the curl project on March 21 2023. We contacted
distros@openwall on May 9, 2023.
curl 8.1.0 was released on May 17 2023, coordinated with the publication of this
advisory.
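The wildcard matching flaw in CVE-2023-28321 above, as an added example that is not curl's code: a simplified model of the certificate host name check, with a `partial` switch that reproduces the pre-8.1.0 acceptance of prefix/suffix wildcards such as x* (and the old xn-- pattern guard they slipped past), beside the 8.1.0 rule that only a whole leftmost label of * is a wildcard. The host name and certificate patterns are constructed for the demo.

```c
/* Added example, not curl's code: a simplified model of the SAN wildcard
 * check from CVE-2023-28321. partial=true models the pre-8.1.0 logic that
 * accepted "a*", "*b" and "a*b" labels; partial=false models 8.1.0. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Compare the leftmost labels (plabel/hlabel are not NUL-terminated). */
static bool label_matches(const char *plabel, size_t plen,
                          const char *hlabel, size_t hlen, bool partial)
{
    const char *star = memchr(plabel, '*', plen);
    if(!star)
        return plen == hlen && strncasecmp(plabel, hlabel, plen) == 0;
    if(!partial)
        return plen == 1;                 /* 8.1.0: only a lone "*" label */
    size_t pre = (size_t)(star - plabel); /* literal bytes before the '*' */
    size_t suf = plen - pre - 1;          /* literal bytes after the '*' */
    if(hlen < pre + suf)
        return false;
    return strncasecmp(plabel, hlabel, pre) == 0 &&
           strncasecmp(star + 1, hlabel + hlen - suf, suf) == 0;
}

/* True when the certificate pattern matches hostname. A wildcard is only
 * honoured in the leftmost label, the pattern needs at least two dots (so
 * "*.com" never matches) and, like the 2012 guard, a pattern whose own first
 * label starts with "xn--" is refused; that guard does not catch "x*". */
bool host_matches(const char *pattern, const char *hostname, bool partial)
{
    const char *pdot = strchr(pattern, '.');
    const char *hdot = strchr(hostname, '.');
    const char *star = strchr(pattern, '*');
    if(!star || !pdot || !hdot || star > pdot)    /* no leftmost wildcard */
        return strcasecmp(pattern, hostname) == 0; /* plain exact match */
    if(!strchr(pdot + 1, '.'))
        return false;
    if(strncasecmp(pattern, "xn--", 4) == 0)
        return false;
    if(strcasecmp(pdot, hdot) != 0)               /* the rest must be equal */
        return false;
    return label_matches(pattern, (size_t)(pdot - pattern),
                         hostname, (size_t)(hdot - hostname), partial);
}

int main(void)
{
    /* constructed: punycode of "bücher.example.com" against a partial SAN */
    const char *host = "xn--bcher-kva.example.com";
    printf("x*.example.com  pre-8.1.0: %d  8.1.0: %d\n",
           host_matches("x*.example.com", host, true),
           host_matches("x*.example.com", host, false));
    return 0;
}
```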

- curl: add --proxy-http2
- CURLPROXY_HTTPS2: for HTTPS proxy that may speak HTTP/2
- hostip: refuse to resolve the .onion TLD
- tool_writeout: add URL component variables
Bugfixes:
- amiga: Fix CA certificate paths for AmiSSL and MorphOS
- autotools: sync up clang picky warnings with cmake
- aws-sigv4.d: fix region identifier in example
- bufq: simplify since expression is always true
- cf-h1-proxy: skip an extra NULL assign
- cf-h2-proxy: fix processing ingress to stop too early
- cf-socket: add socket recv buffering for most tcp cases
- cf-socket: Disable socket receive buffer by default
- cf-socket: remove dead code discovered by PVS
- cf-socket: turn off IPV6_V6ONLY on Windows if it is supported
- checksrc: check for spaces before the colon of switch labels
- checksrc: find bad indentation in conditions without open brace
- checksrc: fix SPACEBEFOREPAREN for conditions starting with "*"
- ci: `-Wno-vla` no longer necessary
- CI: fix brew retries on GHA
- CI: Set minimal permissions on workflow ngtcp2-quictls.yml
- CI: skip Azure for commits which change only GHA
- CI: use another glob syntax for matching files on Appveyor
- cmake: bring in the network library on Haiku
- cmake: do not add zlib headers for openssl
- CMake: make config version 8 compatible with 7
- cmake: picky-linker fixes for openssl, ZLIB, H3 and more
- cmake: set SONAME for SunOS too
- cmake: speed up and extend picky clang/gcc options
- CMakeLists.txt: fix typo for Haiku detection
- compressed.d: clarify the words on "not notifying headers"
- config-dos.h: fix SIZEOF_CURL_OFF_T for MS-DOS/DJGPP
- configure: don't set HAVE_WRITABLE_ARGV on Windows
- configure: fix detection of apxs (for httpd)
- configure: make quiche require quiche_conn_send_ack_eliciting
- connect: fix https connection setup to treat ssl_mode correctly
- content_encoding: only do transfer-encoding compression if asked to
- cookie: address PVS nits
- cookie: clarify that init with data set to NULL reads no file
- curl: do NOT append file name to path for upload when there's a query
- curl_easy_getinfo.3: typo fix (duplicated "from the")
- curl_easy_unescape.3: rename the argument
- curl_path: bring back support for SFTP path ending in /~
- curl_url_set.3: mention that users can set content rather freely
- CURLOPT_IPRESOLVE.3: this for host names, not IP addresses
- data.d: emphasize no conversion
- digest: clear target buffer
- doc: curl_mime_init() strong easy binding was relaxed in 7.87.0
- docs/cmdline-opts: document the dotless config path
- docs/examples/protofeats.c: outputs all protocols and features
- docs/libcurl/curl_*escape.3: rename "url" argument to "input"/"string"
- docs/SECURITY-ADVISORY.md: how to write a curl security advisory
- docs: bump the minimum perl version to 5.6
- docs: clarify that more backends have HTTPS proxy support
- dynbuf: never allocate larger than "toobig"
- easy_cleanup: require a "good" handle to act
- ftp: fix 'portsock' variable was assigned the same value
- ftp: remove dead code
- ftplistparser: move out private data from public struct
- ftplistparser: replace realloc with dynbuf
- gen.pl: error on duplicated See-Also fields
- getpart: better handle case of file not found
- GHA-linux: add an address-sanitizer build
- GHA: add a memory-sanitizer job
- GHA: run all linux test jobs with valgrind
- GHA: suppress git clone output
- GIT-INFO: add --with-openssl
- gskit: various compile errors in OS400
- h2/h3: replace `state.drain` counter with `state.dselect_bits`
- hash: fix assigning same value
- headers: clear (possibly) lingering pointer in init
- hostcheck: fix host name wildcard checking
- hostip: add locks around use of global buffer for alarm()
- hostip: enforce a maximum DNS cache size independent of timeout value
- HTTP-COOKIES.md: mention the #HttpOnly_ prefix
- http2: always EXPIRE_RUN_NOW unpaused http/2 transfers
- http2: do flow window accounting for cancelled streams
- http2: enlarge the connection window
- http2: flow control and buffer improvements
- http2: move HTTP/2 stream vars into local context
- http2: pass `stream` to http2_handle_stream_close to avoid NULL checks
- http2: remove unused Curl_http2_strerror function declaration
- HTTP3/quiche: terminate h1 response header when no body is sent
- http3: check stream_ctx more thoroughly in all backends
- HTTP3: document the ngtcp2/nghttp3 versions to use for building curl
- http3: expire unpaused transfers in all HTTP/3 backends
- http3: improvements across backends
- http: free the url before storing a new copy
- http: skip a double NULL assign
- ipv4.d/ipv6.d: they are "mutex", not "boolean"
- KNOWN_BUGS: remove fixed or outdated issues, move non-bugs
- lib/cmake: add HAVE_WRITABLE_ARGV check
- lib/sha256.c: typo fix in comment (duplicated "is available")
- lib1560: verify that more bad host names are rejected
- lib: add `bufq` and `dynhds`
- lib: remove CURLX_NO_MEMORY_CALLBACKS
- lib: unify the upload/method handling
- lib: use correct printf flags for sockets and timediffs
- libssh2: fix crash in keyboard callback
- libssh2: free fingerprint better
- libssh: tell it to use SFTP non-blocking
- man pages: simplify the .TH sections
- MANUAL.md: add dict example for looking up a single definition
- md(4|5): don't use deprecated iOS functions
- md4: only build when used
- mime: skip NULL assigns after Curl_safefree()
- multi: add handle asserts in DEBUG builds
- multi: add multi-ignore logic to multi_socket_action
- multi: free up more data earlier in DONE
- multi: remove a few superfluous assigns
- multi: remove PENDING + MSGSENT handles from the main linked list
- ngtcp2: adapted to 0.15.0
- ngtcp2: adjust config and code checks for ngtcp2 without nghttp3
- noproxy: pointer to local array 'hostip' is stored outside scope
- ntlm: clear lm and nt response buffers before use
- openssl: interop with AWS-LC
- OS400: fix and complete ILE/RPG binding
- OS400: implement EBCDIC support for recent features
- OS400: improve vararg emulation
- OS400: provide ILE/RPG usage examples
- pingpong: fix compiler warning "assigning an enum to unsigned char"
- pytest: improvements for suitable curl and error output
- quiche: disable pacing while pacing is not actually performed
- quiche: Enable IDLE egress handling
- RELEASE-PROCEDURE: update to new schedule
- rtsp: convert mallocs to dynbuf for RTP buffering
- rtsp: skip malformed RTSP interleaved frame data
- rtsp: skip NULL assigns after Curl_safefree()
- runtests: die if curl version can be found
- runtests: don't start servers if -l is given
- runtests: fix -c option when run with valgrind
- runtests: fix quoting in Appveyor and Azure test integration
- runtests: lots of refactoring
- runtests: refactor into more packages
- runtests: show error message if file can't be written
- runtests: spawn a new process for the test runner
- rustls: fix error in recv handling
- schannel: add clarifying comment
- server/getpart: clear target buffer before load
- smb: remove double assign
- smbserver: remove temporary files before exit
- socketpair: verify with a random value
- ssh: Add support for libssh2 read timeout
- telnet: simplify the implementation of str_is_nonascii()
- test1169: fix so it works properly everywhere
- test1592: add flaky keyword
- test1960: point to the correct path for the precheck tool
- test303: kill server after test
- tests/http: add timeout to running curl in test cases
- tests/http: fix log formatting on wrong exit code
- tests/http: fix out-of-tree builds
- tests/http: improved httpd detection
- tests/http: more tests with specific clients
- tests/http: relax connection check in test_07_02
- tests/keywords.pl: remove
- tests/libtest/lib1900.c: remove
- tests/sshserver.pl: Define AddressFamily earlier
- tests: 1078 1288 1297 use valid IPv4 addresses
- tests: document that the unittest keyword is special
- tests: increase sws timeout for more robust testing
- tests: log a too-long Unix socket path in sws and socksd
- tests: make test_12_01 a bit more forgiving on connection counts
- tests: move pidfiles and portfiles under the log directory
- tests: move server config files under the pid dir
- tests: silence some Perl::Critic warnings in test suite
- tests: stop using strndup(), which isn't portable
- tests: switch to 3-argument open in test suite
- tests: turn perl modules into full packages
- tests: use %LOGDIR to refer to the log directory
- tool_cb_hdr: Fix 'Location:' formatting for early VTE terminals
- tool_operate: pass a long as CURLOPT_HEADEROPT argument
- tool_operate: refuse (--data or --form) and --continue-at combo
- transfer: refuse POSTFIELDS + RESUME_FROM combo
- transfer: skip extra assign
- url: fix null dispname for --connect-to option
- url: fix PVS nits
- url: remove call to Curl_llist_destroy in Curl_close
- urlapi: cleanups and improvements
- urlapi: detect and error on illegal IPv4 addresses
- urlapi: prevent setting invalid schemes with *url_set()
- urlapi: skip a pointless assign
- urlapi: URL encoding for the URL missed the fragment
- urldata: copy CURLOPT_AWS_SIGV4 value on handle duplication
- urldata: shrink *select_bits int => unsigned char
- vlts: use full buffer size when receiving data if possible
- vtls and h2 improvements
- Websocket: enhanced en-/decoding
- wolfssl.yml: bump to version 5.6.0
- write-out.d: Use response_code in example
- ws: handle reads before EAGAIN better