Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 919326 - net-misc/curl - HSTS long file name clears contents
Summary: net-misc/curl - HSTS long file name clears contents
Status: RESOLVED DUPLICATE of bug 919325
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://curl.se/docs/CVE-2023-46219.html
Whiteboard:
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2023-12-06 11:01 UTC by Matt Jolly
Modified: 2023-12-06 11:23 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Matt Jolly gentoo-dev 2023-12-06 11:01:15 UTC 
When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use.
INFO

The reason for this bug is that save function appended a suffix to the file name, created a temporary file and then in the last step renamed that to the final name. When the file name length was close to the limit of what is allowed on the file system, adding the extension would make it too long and then trigger this bug.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2023-46219 to this issue.

CWE-311: Missing Encryption of Sensitive Data

Severity: Low
AFFECTED VERSIONS

    Affected versions: curl 7.84.0 to and including 8.4.0
    Not affected versions: curl < 7.84.0 and >= 8.5.0
    Introduced-in: https://github.com/curl/curl/commit/20f9dd6bae50b722

libcurl is used by many applications, but not always advertised as such!
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-12-06 11:20:51 UTC 
doing reverse-dupe as other has more info in it

*** This bug has been marked as a duplicate of bug 919325 ***
Comment 2 Larry the Git Cow gentoo-dev 2023-12-06 11:23:28 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bd5be9da9b4bc564cc45b1004363d3e5d79afc8d

commit bd5be9da9b4bc564cc45b1004363d3e5d79afc8d
Author:     Matt Jolly <Matt.Jolly@footclan.ninja>
AuthorDate: 2023-12-06 08:56:57 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-12-06 11:22:37 +0000

    net-misc/curl: add 8.5.0
    
    This release includes fixes for two CVEs linked as bugs below.
    
    For clarity, Gentoo does not currently enable a libpsl dependency so
    version bump does not address CVE-2023-46218 / Bug 919325; we're
    no more or less vulnerable than we were before.
    
    Test 1477 has been disabled for this release; it's docs related
    and upstream did not include a required file - it's not worth us
    patching:
    https://github.com/curl/curl/commit/da8c1d15782c8161b455a7ee90197c16ae5edb90
    
    Bug: https://bugs.gentoo.org/919325
    Bug: https://bugs.gentoo.org/919326
    Signed-off-by: Matt Jolly <Matt.Jolly@footclan.ninja>
    Closes: https://github.com/gentoo/gentoo/pull/34148
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/curl/Manifest          |   2 +
 net-misc/curl/curl-8.5.0.ebuild | 364 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 366 insertions(+)