Opened 6 weeks ago

Closed 6 weeks ago

#21020 closed enhancement (fixed)

curl-8.12.0

Reported by: zeckma
Owned by: Douglas R. Reno
Priority: elevated
Milestone: 12.3
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New minor version.

Full changelog here: https://curl.se/ch/8.12.0.html

Change History (6)

comment:1 by Douglas R. Reno, 6 weeks ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:2 by Douglas R. Reno, 6 weeks ago

Priority: normal → elevated

comment:3 by Douglas R. Reno, 6 weeks ago

There were three security vulnerabilities fixed here:

  • CVE-2025-0725: gzip integer overflow
  • CVE-2025-0665: eventfd double close
  • CVE-2025-0167: netrc and default credential leak

CVE-2025-0725 is not exploitable on any system built after August of 2003, as it relies on an extremely ancient version of zlib to be present. Looking through the archives, you would need to be running a version of LFS older than 5.1-pre1.

Because of that I'm not going to mention CVE-2025-0725 in the advisory as you would also be vulnerable to many thousands of other vulnerabilities as well.

We are impacted by CVE-2025-0665 (if a user has slightly deviated using the --enable-threaded-resolver option which we documented in BLFS 12.2), and we're also impacted by CVE-2025-0167.

comment:4 by Douglas R. Reno, 6 weeks ago

CVE-2025-0665

VULNERABILITY

libcurl would wrongly close the same eventfd file descriptor twice when taking down a 
connection channel after having completed a threaded name resolve.

INFO

This flaw requires libcurl to get built with the threaded resolver

It requires that eventfd is used in the curl build. This feature is only used on 64-bit 
architectures.

The eventfd socket is used for inter-thread messaging and since the communication was 
originally written to use socketpair() only, there were two close() calls done and the 
superfluous one was left accidentally used because of an #ifdef mistake.

This bug was reported (and fixed) immediately after the 8.11.1 release, but the security 
impact was not considered until later. This bug causes libcurl to act unreliably which 
many users have noticed and either avoided eventfd or the vulnerable version, thus 
somewhat reducing the impact of this problem.

It can also be worth noting that both close() calls are typically called within a few 
dozen instructions, severely limiting the ability for an external party to control 
which other file descriptor this can be made to affect.

This bug is not considered a C mistake. It is not likely to have been avoided had we not 
been using C.

This flaw also affects the curl command line tool.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2025-0665 to this issue.

CWE-1341: Multiple Releases of Same Resource or Handle

Severity: Low

AFFECTED VERSIONS

    Affected version: curl 8.11.1
    Not affected versions: curl < 8.11.1 and >= 8.12.0
    Introduced-in: https://github.com/curl/curl/commit/92124838c6b7e09e3f35f

libcurl is used by many applications, but not always advertised as such!

SOLUTION

    Fixed-in: https://github.com/curl/curl/commit/ff5091aa9f73802e894b1cbdf

RECOMMENDATIONS

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade curl and libcurl to version 8.12.0

B - Apply the patch to your version and rebuild

C - Disable eventfd use in your build

D - Use the c-ares resolver backend
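An added illustration of the teardown hazard this advisory describes; it is constructed for this ticket and is neither curl's code nor the referenced fix. The wakeup channel keeps two slots that hold a socketpair() pair or, in single-descriptor mode (eventfd on Linux, a socketpair stand-in elsewhere), the same descriptor twice. The names wakeup_channel, channel_open, channel_close_once and bystander_killed_by_double_close are this example's own. It shows why an unconditional pair of close() calls is more than a harmless EBADF: the number freed by the first close() is immediately reusable, so the second close() destroys whatever descriptor received it in between. The safe teardown closes each distinct descriptor exactly once and invalidates the slots, which is the pattern a review of such code should look for.

```c
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/socket.h>
#ifdef __linux__
#include <sys/eventfd.h>
#endif

/* Constructed illustration, not curl's code. Two slots: with socketpair() they
 * are distinct descriptors; in single-descriptor mode both hold the same one. */
struct wakeup_channel {
    int fd[2];
};

/* single_fd != 0 selects eventfd-style operation (one descriptor in both slots). */
int channel_open(struct wakeup_channel *ch, int single_fd)
{
    if (!single_fd)
        return socketpair(AF_UNIX, SOCK_STREAM, 0, ch->fd);
#ifdef __linux__
    int efd = eventfd(0, EFD_CLOEXEC);
    if (efd < 0)
        return -1;
#else
    /* Portable stand-in for eventfd: keep one end of a socketpair in both slots. */
    int sp[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0)
        return -1;
    close(sp[1]);
    int efd = sp[0];
#endif
    ch->fd[0] = ch->fd[1] = efd;
    return 0;
}

/* Safe teardown: close each distinct descriptor exactly once, then invalidate
 * the slots so a repeated teardown is a no-op. Returns the number of close() calls. */
int channel_close_once(struct wakeup_channel *ch)
{
    int closes = 0;
    if (ch->fd[0] >= 0) {
        close(ch->fd[0]);
        closes++;
    }
    if (ch->fd[1] >= 0 && ch->fd[1] != ch->fd[0]) {
        close(ch->fd[1]);
        closes++;
    }
    ch->fd[0] = ch->fd[1] = -1;
    return closes;
}

/* Demonstrates the consequence of closing both slots unconditionally in
 * single-descriptor mode. Between the two close() calls an unrelated
 * descriptor is opened; the kernel hands it the lowest free number, which is
 * exactly the one just freed, and the second close() then kills it.
 * Returns 1 if the bystander descriptor was destroyed, 0 if it survived,
 * -1 if the setup assumption (number reuse) did not hold. */
int bystander_killed_by_double_close(int use_safe_teardown)
{
    struct wakeup_channel ch;
    if (channel_open(&ch, 1) < 0)
        return -1;
    int freed_number = ch.fd[0];

    if (use_safe_teardown)
        channel_close_once(&ch);      /* closes once, slots become -1 */
    else
        close(ch.fd[0]);              /* first close of the unconditional pair */

    /* Stand-in for any other thread or library opening a descriptor. */
    int bystander = open("/dev/null", O_RDONLY);
    if (bystander < 0)
        return -1;
    if (bystander != freed_number) {  /* reuse did not happen; nothing to show */
        close(bystander);
        return -1;
    }

    if (!use_safe_teardown)
        close(ch.fd[1]);              /* second close: same number, now the bystander's */

    int alive = fcntl(bystander, F_GETFD) != -1;
    if (alive)
        close(bystander);
    return alive ? 0 : 1;
}
```

The check `ch->fd[1] != ch->fd[0]` is the part that would have made the #ifdef mistake harmless, and resetting the slots to -1 is what turns a second, accidental teardown into a no-op rather than a double close.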

comment:5 by Douglas R. Reno, 6 weeks ago

CVE-2025-0167

netrc and default credential leak

Project curl Security Advisory, February 5th 2025
VULNERABILITY

When asked to use a .netrc file for credentials and to follow HTTP redirects, curl could 
leak the password used for the first host to the followed-to host under certain 
circumstances.

This flaw only manifests itself if the netrc file has a default entry that omits both 
login and password. A rare circumstance.

INFO

A curl transfer with nn.tld that redirects to zz.tld, using a .netrc file with an empty 
default entry like below, would make curl pass on maryspassword as password even in the 
transfer to the second and separate host zz.tld.

machine nn.tld
  login mary
  password maryspassword
default

This bug is not considered a C mistake. It is not likely to have been avoided had we not 
been using C.

This flaw also affects the curl command line tool.

This flaw is similar, but not identical, to CVE-2024-11053.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name 
CVE-2025-0167 to this issue.

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Severity: Low

AFFECTED VERSIONS

    Affected versions: curl 7.76.0 to and including 8.11.1
    Not affected versions: curl < 7.76.0 and >= 8.12.0
    Introduced-in: https://github.com/curl/curl/commit/46620b97431e19c53ce82e5

libcurl is used by many applications, but not always advertised as such!

SOLUTION

    Fixed-in: https://github.com/curl/curl/commit/0e120c5b925e8ca75d5319e

RECOMMENDATIONS

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade curl and libcurl to version 8.12.0

B - Apply the patch to your version and rebuild

C - Avoid using netrc together with redirects
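An added example, written for this ticket and not taken from curl, of the credential scoping rule this advisory implies: a minimal .netrc reader in which the credentials chosen for a transfer depend only on that transfer's host, so every hop of a redirect chain is resolved from scratch, and a default entry carrying neither login nor password yields no credentials at all. It also includes an audit helper that flags exactly the configuration the advisory calls out. The sample file is the one quoted above; the function and class names (parse_netrc, credentials_for, credentials_along_redirect, has_empty_default, Entry) are this example's own, and macdef blocks are deliberately not supported.

```python
"""Constructed .netrc reader with per-host credential scoping (not curl's code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape the advisory describes: a complete entry for
# nn.tld followed by a default entry that names neither login nor password.
SAMPLE_NETRC = """\
machine nn.tld
  login mary
  password maryspassword
default
"""


@dataclass
class Entry:
    login: Optional[str] = None
    password: Optional[str] = None


def parse_netrc(text: str) -> Dict[str, Entry]:
    """Return host -> Entry; the special key "default" holds the default entry."""
    entries: Dict[str, Entry] = {}
    current: Optional[Entry] = None
    tokens = text.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "machine":
            i += 1
            if i >= len(tokens):
                raise ValueError("machine keyword without a host name")
            current = entries.setdefault(tokens[i], Entry())
        elif tok == "default":
            current = entries.setdefault("default", Entry())
        elif tok in ("login", "password", "account"):
            i += 1
            if i >= len(tokens):
                raise ValueError(f"{tok} keyword without a value")
            if current is None:
                raise ValueError(f"{tok} appears before any machine/default entry")
            if tok == "login":
                current.login = tokens[i]
            elif tok == "password":
                current.password = tokens[i]
            # "account" is accepted for compatibility and otherwise ignored here
        elif tok == "macdef":
            raise ValueError("macdef blocks are not supported by this example")
        else:
            raise ValueError(f"unexpected token {tok!r}")
        i += 1
    return entries


def credentials_for(entries: Dict[str, Entry], host: str) -> Optional[Tuple[str, str]]:
    """Credentials for one host only: its own entry, else the default entry.

    An entry missing either part is unusable and yields None; nothing from any
    other host's entry is ever consulted.
    """
    entry = entries.get(host)
    if entry is None:
        entry = entries.get("default")
    if entry is None or entry.login is None or entry.password is None:
        return None
    return (entry.login, entry.password)


def credentials_along_redirect(entries: Dict[str, Entry],
                               hosts: List[str]) -> List[Optional[Tuple[str, str]]]:
    """Resolve credentials independently for each hop of a redirect chain."""
    return [credentials_for(entries, host) for host in hosts]


def has_empty_default(entries: Dict[str, Entry]) -> bool:
    """Audit check: a default entry with neither login nor password present."""
    default = entries.get("default")
    return default is not None and default.login is None and default.password is None


if __name__ == "__main__":
    parsed = parse_netrc(SAMPLE_NETRC)
    print("nn.tld ->", credentials_for(parsed, "nn.tld"))
    print("nn.tld then zz.tld ->", credentials_along_redirect(parsed, ["nn.tld", "zz.tld"]))
    print("empty default entry present:", has_empty_default(parsed))
```

Run against the sample, the nn.tld hop resolves to mary's credentials and the zz.tld hop resolves to nothing, which is the behaviour the fix restores; has_empty_default returning True is the signal that a .netrc file matches the rare circumstance the advisory describes and is worth reviewing on a build still at an affected version.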

comment:6 by Douglas R. Reno, 6 weeks ago

Resolution: fixed
Status: assigned → closed

Fixed at dc40360cee12bb776e49e99574902bcc11c62c61

SA-12.2-078 issued
