Bug 792192 (CVE-2021-22898, CVE-2021-22901) - <net-misc/curl-7.77.0: multiple vulnerabilities (CVE-2021-{22898,22901})
Summary: <net-misc/curl-7.77.0: multiple vulnerabilities (CVE-2021-{22898,22901})
Status: RESOLVED FIXED
Alias: CVE-2021-22898, CVE-2021-22901
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://curl.se/docs/CVE-2021-22901.html
Whiteboard: A2 [cve glsa+]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-05-26 06:59 UTC by Hank Leininger
Modified: 2021-06-09 04:07 UTC

See Also:
Package list:
net-misc/curl-7.77.0
Runtime testing required: ---
nattka: sanity-check+


Description Hank Leininger 2021-05-26 06:59:56 UTC
CVE-2021-22901:

"TLS session caching disaster

libcurl can be tricked into using already freed memory when a new TLS session
is negotiated or a client certificate is requested on an existing connection.
For example, this can happen when a TLS server requests a client certificate
on a connection that was established without one. A malicious server can use
this in rare unfortunate circumstances to potentially reach remote code
execution in the client."

CVE-2021-22898:

"TELNET stack contents disclosure

curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`
in libcurl. This rarely used option is used to send variable=content pairs to
TELNET servers.

Due to a flaw in the option parser for sending `NEW_ENV` variables, libcurl
could be made to pass on uninitialized data from a stack based buffer to the
server. Therefore potentially revealing sensitive internal information to the
server using a clear-text network protocol."

Fixed in 7.77.0, please bump.
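
The kind of option-parser flaw the CVE-2021-22898 text describes, as an added example that is not part of the bug report and is not curl's source: a simplified sketch of a "name,value" parser that forwards a stack buffer it never filled, next to a check that rejects the incomplete option. The function names, the "name=value" output format and the `STALE` marker (a constructed stand-in for leftover stack bytes) are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for leftover stack bytes: the buffers are pre-filled
   so the demo is deterministic instead of reading uninitialized memory. */
#define STALE "STALE-STACK-DATA"

/* Hypothetical helper: encode one "name,value" option as "name=value".
   strict == 0: accept any successful conversion (flawed check).
   strict != 0: require both fields (hardened check).
   Returns bytes written, or -1 when the option is rejected. */
int encode_env_option(const char *opt, int strict, char *out, size_t outlen)
{
    char name[128], value[128];
    int fields;

    strcpy(name, STALE);
    strcpy(value, STALE);
    /* "USER" alone converts only name; value keeps its old contents. */
    fields = sscanf(opt, "%127[^,],%127s", name, value);
    if (strict ? fields != 2 : fields < 1)
        return -1;
    return snprintf(out, outlen, "%s=%s", name, value);
}

/* Returns 1 if stale bytes reach the output, 0 if not, -1 if rejected. */
int leaks_stale(const char *opt, int strict)
{
    char out[300];

    if (encode_env_option(opt, strict, out, sizeof(out)) < 0)
        return -1;
    return strstr(out, STALE) != NULL;
}

int main(void)
{
    const char *samples[] = { "USER,alice", "USER", "" };  /* constructed */
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-12s flawed=%d hardened=%d\n", samples[i],
               leaks_stale(samples[i], 0), leaks_stale(samples[i], 1));
    return 0;
}
```
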
Comment 1 Thomas Deutschmann gentoo-dev Security 2021-05-26 09:16:55 UTC
Added to an existing GLSA request.
Comment 2 Larry the Git Cow gentoo-dev 2021-05-26 09:54:47 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=165dd6597ef914e03559478024450ea84459372f

commit 165dd6597ef914e03559478024450ea84459372f
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-05-26 09:54:26 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-05-26 09:54:39 +0000

    net-misc/curl: add 7.77.0
    
    Bug: https://bugs.gentoo.org/792192
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/curl/Manifest           |   1 +
 net-misc/curl/curl-7.77.0.ebuild | 295 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 296 insertions(+)
Comment 3 Thomas Deutschmann gentoo-dev Security 2021-05-26 12:36:35 UTC
x86 stable
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2021-05-26 12:41:01 UTC
This issue was resolved and addressed in
 GLSA 202105-36 at https://security.gentoo.org/glsa/202105-36
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 5 Thomas Deutschmann gentoo-dev Security 2021-05-26 12:41:38 UTC
Re-opening for remaining architectures.
Comment 6 Sam James archtester gentoo-dev Security 2021-05-26 13:14:39 UTC
amd64 done
Comment 7 Sam James archtester gentoo-dev Security 2021-05-27 19:10:29 UTC
arm64 done
Comment 8 Sam James archtester gentoo-dev Security 2021-05-27 19:22:23 UTC
ppc done
Comment 9 Agostino Sarubbo gentoo-dev 2021-05-28 12:04:27 UTC
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2021-05-28 12:05:12 UTC
sparc stable
Comment 11 Rolf Eike Beer archtester 2021-05-28 15:48:33 UTC
hppa done
Comment 12 Sam James archtester gentoo-dev Security 2021-06-01 00:46:04 UTC
arm done

all arches done
Comment 13 John Helmert III gentoo-dev Security 2021-06-01 16:22:44 UTC
Please cleanup.
Comment 14 Anthony Basile gentoo-dev 2021-06-08 15:58:19 UTC
(In reply to John Helmert III from comment #13)
> Please cleanup.

done
Comment 15 John Helmert III gentoo-dev Security 2021-06-09 04:07:21 UTC
(In reply to Anthony Basile from comment #14)
> (In reply to John Helmert III from comment #13)
> > Please cleanup.
> 
> done

Thank you! GLSA already sent, all done.