914091 – (CVE-2023-38039) <net-misc/curl-8.3.0: denial of service via large memory consumption

Bug 914091 (CVE-2023-38039) - <net-misc/curl-8.3.0: denial of service via large memory consumption

Summary: <net-misc/curl-8.3.0: denial of service via large memory consumption

Status:	RESOLVED FIXED

Alias:	CVE-2023-38039

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://curl.se/docs/CVE-2023-38039.html
Whiteboard:	B3 [glsa+]
Keywords:

Depends on:	915509
Blocks:
	Show dependency tree

Reported:	2023-09-13 06:38 UTC by Sam James
Modified:	2023-11-25 05:28 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2023-09-13 06:38:25 UTC

From https://daniel.haxx.se/blog/2023/09/13/curl-8-3-0/:
"""
HTTP headers eat all memory

[CVE-2023-38039] When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API.

However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory.
"""

Comment 1 Sam James archtester

2023-09-14 04:00:38 UTC

commit 448256fcebbab16fbaa3bb51ad04259f39a1ae06
Author: Matt Jolly <Matt.Jolly@footclan.ninja>
Date:   Thu Sep 14 09:39:18 2023 +1000

    net-misc/curl: add 8.3.0

    Signed-off-by: Matt Jolly <Matt.Jolly@footclan.ninja>
    Closes: https://github.com/gentoo/gentoo/pull/32767
    Signed-off-by: Sam James <sam@gentoo.org>

Comment 2 Larry the Git Cow gentoo-dev

2023-10-11 08:41:27 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3dfe02046c2bc76fb7e910a04702603b72fcb98c

commit 3dfe02046c2bc76fb7e910a04702603b72fcb98c
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-10-11 08:40:59 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-10-11 08:41:24 +0000

    [ GLSA 202310-12 ] curl: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/887745
    Bug: https://bugs.gentoo.org/894676
    Bug: https://bugs.gentoo.org/902801
    Bug: https://bugs.gentoo.org/906590
    Bug: https://bugs.gentoo.org/910564
    Bug: https://bugs.gentoo.org/914091
    Bug: https://bugs.gentoo.org/915195
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202310-12.xml | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)

Comment 3 Larry the Git Cow gentoo-dev

2023-11-25 05:16:04 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c22372a61dd61966e9d8438d2cd64ba847a9be20

commit c22372a61dd61966e9d8438d2cd64ba847a9be20
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-11-25 05:09:19 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-11-25 05:09:26 +0000

    net-misc/curl: drop 8.2.1, 8.3.0, 8.3.0-r1
    
    Bug: https://bugs.gentoo.org/914091
    Bug: https://bugs.gentoo.org/915195
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/curl/Manifest             |   2 -
 net-misc/curl/curl-8.2.1.ebuild    | 361 -------------------------------------
 net-misc/curl/curl-8.3.0-r1.ebuild | 361 -------------------------------------
 net-misc/curl/curl-8.3.0.ebuild    | 360 ------------------------------------
 net-misc/curl/metadata.xml         |   1 -
 5 files changed, 1085 deletions(-)

Comment 4 Sam James archtester

2023-11-25 05:28:20 UTC

All done!