Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 910564 (CVE-2023-32001)

Summary: <net-misc/curl-8.2.0: fopen race condition (TOCTOU)
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: normal CC: base-system, kangie
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B4 [glsa+ cleanup]
Package list:
Runtime testing required: ---
Bug Depends on: 913543    
Bug Blocks:    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-07-19 22:22:09 UTC


libcurl can be told to save cookie, HSTS and/or alt-svc data to files. When doing this, it called stat() followed by fopen() in a way that made it vulnerable to a TOCTOU race condition problem.

By exploiting this flaw, an attacker could trick the victim to create or overwrite protected files holding this data in ways it was not intended to.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-10-10 04:39:07 UTC
Please cleanup, thanks.
Comment 2 Larry the Git Cow gentoo-dev 2023-10-11 08:41:30 UTC
The bug has been referenced in the following commit(s):

commit 3dfe02046c2bc76fb7e910a04702603b72fcb98c
Author:     GLSAMaker <>
AuthorDate: 2023-10-11 08:40:59 +0000
Commit:     Sam James <>
CommitDate: 2023-10-11 08:41:24 +0000

    [ GLSA 202310-12 ] curl: Multiple Vulnerabilities
    Signed-off-by: GLSAMaker <>
    Signed-off-by: Sam James <>

 glsa-202310-12.xml | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)