919889 – (CVE-2023-46219) <net-misc/curl-8.5.0: removes HSTS contents

Bug 919889 (CVE-2023-46219) - <net-misc/curl-8.5.0: removes HSTS contents

Summary: <net-misc/curl-8.5.0: removes HSTS contents

Status:	RESOLVED FIXED

Alias:	CVE-2023-46219

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:	https://hackerone.com/reports/2236133
Whiteboard:	A4 [glsa+]
Keywords:

Depends on:
Blocks:

Reported:	2023-12-14 15:28 UTC by Christopher Fore
Modified:	2024-09-23 05:55 UTC (History)
CC List:	3 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Christopher Fore 2023-12-14 15:28:37 UTC

CVE-2023-46219 (https://hackerone.com/reports/2236133):

When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use.

Comment 1 Larry the Git Cow gentoo-dev

2024-09-23 05:53:43 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=b04b4f7e697b62c8b67bd3c4bad5d6903b20f23f

commit b04b4f7e697b62c8b67bd3c4bad5d6903b20f23f
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-09-23 05:53:30 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-09-23 05:53:40 +0000

    [ GLSA 202409-20 ] curl: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/919325
    Bug: https://bugs.gentoo.org/919889
    Bug: https://bugs.gentoo.org/923413
    Bug: https://bugs.gentoo.org/927960
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202409-20.xml | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)