Opened 8 months ago

Closed 8 months ago

#18547 closed enhancement (fixed)

curl-8.3.0

Reported by: Douglas R. Reno Owned by: Douglas R. Reno
Priority: elevated Milestone: 12.1
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

New minor version

Change History (3)

comment:1 by Douglas R. Reno, 8 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:2 by Douglas R. Reno, 8 months ago

Release Notes

Changes:

    curl: make %output{} in -w specify a file to write to
    gskit: remove
    lib: --disable-bindlocal builds curl without local binding support
    nss: remove support for this TLS library
    tool: add "variable" support
    trace: make tracing available in non-debug builds
    url: change default value for CURLOPT_MAXREDIRS to 30
    urlapi: CURLU_PUNY2IDN - convert from punycode to IDN name
    wolfssl: support loading system CA certificates 

Bugfixes:

    altsvc: accept and parse IPv6 addresses in response headers
    asyn-ares: reduce timeout to 2000ms
    aws-sigv4: canonicalize the query
    aws-sigv4: fix having date header twice in some cases
    aws-sigv4: handle no-value user header entries
    bearssl: don't load CA certs when peer verification is disabled
    bearssl: handshake fix, provide proper get_select_socks() implementation
    build: fix portability of mancheck and checksrc targets
    build: streamline non-UWP wincrypt detections
    c-hyper: adjust the hyper to curlcode conversion
    c-hyper: fix memory leaks in `Curl_http`
    cf-haproxy: make CURLOPT_HAPROXY_CLIENT_IP set the *source* IP
    cf-socket: log successful interface bind
    CI/cirrus: disable python install on FreeBSD
    CI: add a 32-bit i686 Linux build
    CI: add caching to many jobs
    CI: move on to ngtcp2 v0.19.1
    CI: move the Alpine build from Cirrus to GHA
    CI: ngtcp2-linux: use separate caches for tls libraries
    CI: remove Windows builds from Cirrus, without replacement
    CI: switch macOS ARM build from Cirrus to Circle CI
    CI: use master again for wolfssl
    cirrus: install everything with pkg, avoid pip
    cmake: add GnuTLS option
    cmake: add support for `CURL_DEFAULT_SSL_BACKEND`
    cmake: add support for single libcurl compilation pass
    cmake: allow `SHARE_LIB_OBJECT=ON` on all platforms
    cmake: assume `wldap32` availability on Windows
    cmake: cache more config and delete unused ones
    cmake: detect `SSL_set0_wbio` in OpenSSL
    cmake: drop `HAVE_LIBWINMM` and `HAVE_LIBWS2_32` feature checks
    cmake: fix to use variable for the curl namespace
    cmake: fixup H2 duplicate symbols for unity builds
    cmake: set SIZEOF_LONG_LONG in curl_config.h
    cmake: support building static and shared libcurl in one go
    cmdline-docs: make sure to phrase it as "added in ...."
    cmdline-docs: use present tense, not future
    cmdline-opts/docs: mention the negative option part
    cmdline-opts/page-header: clarify stronger that !opt == URL
    cmdline-opts/page-header: reorder, clean up
    configure, cmake, lib: more form api deprecation
    configure: fix `HAVE_TIME_T_UNSIGNED` check
    configure: trust pkg-config when it's used for zlib
    configure: use the pkg-config --libs-only-l flag for libssh2
    connect: stop halving the remaining timeout when less than 600 ms left
    cookie-jar.d: emphasize that this option is ONLY writing cookies
    crypto: ensure crypto initialization works
    curl_url_get/set.3: add missing semicolon in SYNOPSIS
    CURLINFO_CERTINFO.3: better explain curl_certinfo struct
    CURLINFO_TLS_SSL_PTR.3: clarify a recommendation
    CURLOPT_*TIMEOUT*: extend and clarify
    CURLOPT_SSL_VERIFYPEER.3: mention it does not load CA certs when disabled
    CURLOPT_URL.3: add two URL API calls in the see-also section
    CURLOPT_URL.3: explain curl_url_set() uses the same parser
    digest: Use hostname to generate spn instead of realm
    disable.d: explain --disable not implemented prior to 7.50.0
    docs/cmdline-opts/gen.pl: hide "added in" before 7.50.0
    docs/cmdline-opts: match the current output
    docs/cmdline-opts: spellfixes, typos and polish
    docs/cmdline: add small "warning" to verbose options
    docs/cmdline: remove repeated working for negotiate + ntlm
    docs/HYPER.md: document a workaround for a link error
    docs: add curl_global_trace to some SEE ALSO sections
    docs: link to the website versions instead of markdowns
    docs: mark --ssl-revoke-best-effort as Schannel specific
    docs: mention critical files in same directories as curl saves
    docs: removing "pausing transfers" from HYPER.md.
    docs: rewrite to present tense
    easy: remove #ifdefs to make code easier on the eye
    egd: delete feature detection and related source code
    ftp: fix temp write of ipv6 address
    gen.pl: escape all dashes (ascii minus) to avoid unicode hyphens
    gen.pl: replace all single quotes with aq
    GHA: adding quiche workflow
    headers: accept leading whitespaces on first response header
    http2: avoid too early connection re-use/multiplexing
    http2: cleanup trace messages
    http2: disable assertion blocking OSSFuzz testing
    http2: fix in h2 proxy tunnel: progress in ingress on sending
    http2: polish things around POST
    http2: upgrade tests and add fix for non-existing stream
    http3/ngtcp2: shorten handshake, trace cleanup
    http3: quiche, handshake optimization, trace cleanup
    http: close the connection after a late 417 is received
    http: do not require a user name when using CURLAUTH_NEGOTIATE
    http: fix sending of large requests
    http: remove the p_pragma struct field
    http: return error when receiving too large header set
    hyper: fix a progress upload counter bug
    hyper: fix ownership problems
    hyper: remove `hyptransfer->endtask`
    imap: add a check for failing strdup()
    imap: remove the only sscanf() call in the IMAP code
    include.d: explain headers not printed with --fail before 7.75.0
    include/curl/mprintf.h: add __attribute__ for the prototypes
    krb5: fix "implicit conversion loses integer precision" warnings
    lib: add ability to disable auths individually
    lib: build fixups when built with most things disabled
    lib: fix a few *printf() flag mistakes
    lib: fix null ptr derefs and uninitialized vars (h2/h3)
    lib: move mimepost data from ->req.p.http to ->state
    libtest: use curl_free() to free libcurl allocated data
    list-only.d: mention SFTP as supported protocol
    macOS: fix target detection more
    misc: fix various typos
    multi.h: the 'revents' field of curl_waitfd is supported
    multi: more efficient pollfd count for poll
    multi: remove 'processing: <url>' debug message
    ngtcp2: fix handling of large requests
    openssl: auto-detect `SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED`
    openssl: clear error queue after SSL_shutdown
    openssl: make aws-lc version support OCSP
    openssl: Support async cert verify callback
    openssl: switch to modern init for LibreSSL 2.7.0+
    openssl: use `SSL_CTX_set_ciphersuites` with LibreSSL 3.4.1
    openssl: use `SSL_CTX_set_keylog_callback` with LibreSSL 3.5.0
    openssl: when CURLOPT_SSL_CTX_FUNCTION is registered, init x509 store before
    os400: build test servers
    os400: do not check translatable options at build time
    os400: implement CLI tool
    page-footer: QLOGDIR works with ngtcp2 and quiche
    page-header: move up a URL paragraph from GLOBBING to URL
    pytest: fix check for slow_network skips to only apply when intended
    quic: don't set SNI if hostname is an IP address
    quiche: adjust quiche `QUIC_IDLE_TIMEOUT` to 60s
    quiche: enable quiche to handle timeout events
    resolve: use PF_INET6 family lookups when CURL_IPRESOLVE_V6 is set
    revert "schannel: reverse the order of certinfo insertions"
    schannel: fix ordering of cert chain info
    schannel: fix user-set legacy algorithms in Windows 10 & 11
    schannel: verify hostname independent of verify cert
    sectransp: fix compiler warnings
    sectransp: prevent CFRelease() of NULL
    secureserver.pl: fix stunnel path quoting
    secureserver.pl: fix stunnel version parsing
    SECURITY-PROCESS.md: not a sec issue: Tricking user to run a cmdline
    system.h: add CURL_OFF_T definitions on HP-UX with HP aCC
    test1304: build and skip without netrc support
    test1554: check translatable string options in OS400 wrapper
    test1608: make it build and get skipped without shuffle DNS support
    test687/688: two more basic --xattr tests
    tests/tftpd+mqttd: make variables static to silence picky warnings
    tests: add 'large-time' as a testable feature
    tests: add support for nested %if conditions
    tests: don't call HTTP errors OK in test cases
    tests: ensure `libcurl.def` contains all exports
    tests: fix h3 server check and parallel instances
    tests: TLS session sharing test
    tests: update cookie expiry dates to far in the future
    time-cond.d: mention what happens on a missing file
    tool: avoid including leading spaces in the Location hyperlink
    tool: change some fopen failures from warnings to errors
    tool: make the length argument an int for printf()-.* flags
    tool_cb_wrt: fix invalid unicode for windows console
    tool_filetime: make -z work with file dates before 1970
    tool_operate: allow both SSL_CERT_FILE and SSL_CERT_DIR
    tool_operate: make aws-sigv4 not require TLS to be used
    tool_paramhlp: improve str2num(): avoid unnecessary call to strlen()
    tool_urlglob: use the correct format specifier for curl_off_t in msnprintf
    transfer: also stop the sending on closed connection
    transfer: don't set TIMER_STARTTRANSFER on first send
    unit2600: fix build warning if built without verbose messages
    url: remove infof() output for "still name resolving"
    urlapi: fix heap buffer overflow
    urlapi: make sure zoneid is also duplicated in curl_url_dup
    urlapi: return CURLUE_BAD_HOSTNAME if puny2idn encoding fails
    urlapi: setting a blank URL ("") is not an ok URL
    vquic: show stringified messages for errno
    vtls: clarify "ALPN: offers" message
    winbuild: improve check for static zlib
    wolfSSL: avoid the OpenSSL compat API when not needed
    workflows/macos.yml: disable zstd and alt-svc in the http-only build
    write-out.d: clarify %{time_starttransfer}
    ws: fix spelling mistakes in examples and tests 

Security Advisory

CVE-2023-38039
HTTP headers eat all memory

Project curl Security Advisory, September 13 2023

VULNERABILITY

When curl retrieves an HTTP response, it stores the incoming headers so that they can be 
accessed later via the libcurl headers API.

However, curl did not have a limit in how many or how large headers it would accept in a 
response, allowing a malicious server to stream an endless series of headers and 
eventually cause curl to run out of heap memory.

INFO

Since libcurl allocates memory on the heap to store each header individually, the exact 
number of headers required for this to become a problem will vary greatly from case to 
case. As the headers typically need to be transferred over a network to curl, the 
available bandwidth will also affect how likely or how fast this problem can be 
triggered.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name 
CVE-2023-38039 to this issue.

CWE-770: Allocation of Resources Without Limits or Throttling

Severity: Medium

AFFECTED VERSIONS

    Affected versions: libcurl 7.84.0 to and including 8.2.1
    Not affected versions: libcurl < 7.84.0 and >= 8.3.0
    Introduced-in: https://github.com/curl/curl/commit/4d94fac9f0d1dd

libcurl is used by many applications, but not always advertised as such!

This flaw existed already in 7.83.0 source code but in that release the feature was 
still marked EXPERIMENTAL and was not enabled in normal builds. The label was removed in 
7.84.0, which is why we consider that the first vulnerable version.

SOLUTION

Starting in curl 8.3.0, curl returns an error if the total size of the headers in a 
single HTTP response exceeds 300 KB.

    Fixed-in: https://github.com/curl/curl/commit/3ee79c1674fd6f9

RECOMMENDATIONS

A - Upgrade curl to version 8.3.0

B - Apply the patch to your local version

C - Monitor response headers and return error if too much

TIMELINE

This issue was reported to the curl project on July 17, 2023. We contacted 
distros@openwall on September 6, 2023.

This report arrived before the 8.2.0 and 8.2.1 releases shipped (on July 19 and July 
26), but we did not manage to work it through and fix it in time for those releases.

libcurl 8.3.0 was released on September 13 2023, coordinated with the publication of 
this advisory.
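
Recommendation C in the advisory quoted above (monitor response headers and return an error if too much arrives) is something an application can enforce on its own side through libcurl's CURLOPT_HEADERFUNCTION, independent of the library version. The C below is an added example written for this page, not code from the curl project or from the commenter. It reproduces the callback's signature and the byte accounting without linking against libcurl, so the logic can be exercised stand-alone on constructed header lines; the struct, function names and the small 63/64-byte caps used in the demo are this example's own, while the 300 KB figure is the one the advisory gives for curl 8.3.0.

```c
/* Added example for this ticket page (not curl project code): an
 * application-side cap on response header bytes, implemented as a
 * CURLOPT_HEADERFUNCTION-compatible callback.  No libcurl dependency, so
 * the accounting can be exercised stand-alone on constructed header lines. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Figure from the advisory: curl 8.3.0 errors out above 300 KB per response. */
#define HEADER_BUDGET_BYTES (300 * 1024)

/* Hypothetical state struct, handed to the callback via CURLOPT_HEADERDATA. */
struct header_budget {
    size_t used;   /* header bytes accepted so far for the current response */
    size_t limit;  /* cap in bytes */
    int exceeded;  /* set once a line would push past the cap */
};

/* Same signature libcurl expects for CURLOPT_HEADERFUNCTION.  libcurl hands
 * over one complete header line per call, trailing CRLF included, with
 * size == 1; the block-terminating blank line arrives as "\r\n" (or "\n").
 * Returning anything other than size*nitems aborts the transfer with
 * CURLE_WRITE_ERROR, which is how the cap is enforced. */
static size_t header_cb(char *buffer, size_t size, size_t nitems, void *userdata)
{
    struct header_budget *b = userdata;
    size_t len = size * nitems;

    /* Written as a subtraction so used + len can never wrap around. */
    if (len > b->limit - b->used) {
        b->exceeded = 1;
        return 0;
    }
    b->used += len;

    /* End of a header block: start a fresh budget for the next response
     * (a redirect or 1xx interim response), matching the advisory's
     * per-response limit.  Drop this reset to cap the whole transfer instead. */
    if ((len == 2 && buffer[0] == '\r' && buffer[1] == '\n') ||
        (len == 1 && buffer[0] == '\n'))
        b->used = 0;

    return len;
}

/* Constructed, well-behaved response: 64 header bytes in total. */
static const char *const sample_headers[] = {
    "HTTP/1.1 200 OK\r\n",           /* 17 bytes */
    "Content-Type: text/plain\r\n",  /* 26 bytes */
    "Content-Length: 5\r\n",         /* 19 bytes */
    "\r\n",                          /*  2 bytes */
};

/* Feed the sample through the callback under a given cap, the way libcurl
 * would deliver it.  Returns the number of lines accepted. */
static size_t feed_sample(size_t limit)
{
    struct header_budget b = { 0, limit, 0 };
    size_t n = sizeof sample_headers / sizeof sample_headers[0];
    size_t i;
    for (i = 0; i < n; i++) {
        size_t len = strlen(sample_headers[i]);
        if (header_cb((char *)sample_headers[i], 1, len, &b) != len)
            break;
    }
    return i;
}

/* Model the advisory's scenario: a server that never sends the blank line
 * and instead streams header after header of line_len bytes.  Returns how
 * many lines get through before the callback aborts the transfer. */
static size_t flood_accepted(size_t limit, size_t line_len, size_t max_lines)
{
    struct header_budget b = { 0, limit, 0 };
    char line[256];
    size_t i;

    if (line_len < 10 || line_len > sizeof line)
        return 0;
    memset(line, 'a', line_len);           /* filler header value */
    memcpy(line, "X-Pad: ", 7);            /* constructed header name */
    line[line_len - 2] = '\r';
    line[line_len - 1] = '\n';

    for (i = 0; i < max_lines; i++)
        if (header_cb(line, 1, line_len, &b) != line_len)
            break;
    return i;
}

int main(void)
{
    printf("sample under a 64-byte cap: %zu of 4 lines accepted\n", feed_sample(64));
    printf("sample under a 63-byte cap: %zu of 4 lines accepted\n", feed_sample(63));
    printf("flood of 100-byte headers under the 300 KB cap: %zu lines before abort\n",
           flood_accepted(HEADER_BUDGET_BYTES, 100, 1000000));
    return 0;
}
```

In a real transfer the wiring is `curl_easy_setopt(h, CURLOPT_HEADERFUNCTION, header_cb)` and `curl_easy_setopt(h, CURLOPT_HEADERDATA, &budget)`, after which a response that streams headers past the cap ends with CURLE_WRITE_ERROR and `budget.exceeded` set, so the caller can log it as a policy violation rather than a network failure. The blank line is counted against the budget too, which is why the 63-byte run accepts only three of the four sample lines. This is an application-side guard of the kind the advisory's recommendation C describes; the upgrade in recommendation A remains the actual fix.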

comment:3 by Douglas R. Reno, 8 months ago

Resolution: fixed
Status: assigned → closed

Fixed at 3b3b59f1aa6bf78d3e8ad1077ae779ae6289d1ab

SA-11.3-007 issued
