Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 919325 (CVE-2023-42619, CVE-2023-46218) - <net-misc/curl-8.5.0: Multiple vulnerabilities
Summary: <net-misc/curl-8.5.0: Multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2023-42619, CVE-2023-46218
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://curl.se/docs/CVE-2023-46218.html
Whiteboard: A3 [glsa?]
Keywords: PullRequest
: 919326 921732 (view as bug list)
Depends on: 922274
Blocks:
  Show dependency tree
 
Reported: 2023-12-06 10:57 UTC by Matt Jolly
Modified: 2024-02-12 08:48 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matt Jolly gentoo-dev 2023-12-06 10:57:14 UTC
ULNERABILITY

This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains.

It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with domain=co.UK when the URL used a lowercase hostname curl.co.uk, even though co.uk is listed as a PSL domain.
INFO

When curl is built without PSL support, it cannot protect against this problem but it is expected to not allow "too wide" cookies when PSL support is enabled.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2023-46218 to this issue.

CWE-201: Information Exposure Through Sent Data

Severity: Medium
AFFECTED VERSIONS

    Affected versions: curl 7.46.0 to and including 8.4.0
    Not affected versions: curl < 7.46.0 and >= 8.5.0
    Introduced-in: https://github.com/curl/curl/commit/e77b5b7453c1e8c

libcurl is used by many applications, but not always advertised as such!
Comment 1 Matt Jolly gentoo-dev 2023-12-06 10:59:34 UTC
We're not doing anything about this at the moment but it's worth recording:

cURL on Gentoo is built `--without-libpsl` and there is no USE dependency.

I'll look into what other distros are doing and make a longer term decision.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-12-06 11:20:51 UTC
*** Bug 919326 has been marked as a duplicate of this bug. ***
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-12-06 11:21:40 UTC
Other one: 

* HSTS long file name clears content (CVE-2023-42619)



When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use.
INFO

The reason for this bug is that save function appended a suffix to the file name, created a temporary file and then in the last step renamed that to the final name. When the file name length was close to the limit of what is allowed on the file system, adding the extension would make it too long and then trigger this bug.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2023-46219 to this issue.

CWE-311: Missing Encryption of Sensitive Data

Severity: Low
AFFECTED VERSIONS

    Affected versions: curl 7.84.0 to and including 8.4.0
    Not affected versions: curl < 7.84.0 and >= 8.5.0
    Introduced-in: https://github.com/curl/curl/commit/20f9dd6bae50b722

libcurl is used by many applications, but not always advertised as such!
Comment 4 Larry the Git Cow gentoo-dev 2023-12-06 11:23:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bd5be9da9b4bc564cc45b1004363d3e5d79afc8d

commit bd5be9da9b4bc564cc45b1004363d3e5d79afc8d
Author:     Matt Jolly <Matt.Jolly@footclan.ninja>
AuthorDate: 2023-12-06 08:56:57 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-12-06 11:22:37 +0000

    net-misc/curl: add 8.5.0
    
    This release includes fixes for two CVEs linked as bugs below.
    
    For clarity, Gentoo does not currently enable a libpsl dependency so
    version bump does not address CVE-2023-46218 / Bug 919325; we're
    no more or less vulnerable than we were before.
    
    Test 1477 has been disabled for this release; it's docs related
    and upstream did not include a required file - it's not worth us
    patching:
    https://github.com/curl/curl/commit/da8c1d15782c8161b455a7ee90197c16ae5edb90
    
    Bug: https://bugs.gentoo.org/919325
    Bug: https://bugs.gentoo.org/919326
    Signed-off-by: Matt Jolly <Matt.Jolly@footclan.ninja>
    Closes: https://github.com/gentoo/gentoo/pull/34148
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/curl/Manifest          |   2 +
 net-misc/curl/curl-8.5.0.ebuild | 364 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 366 insertions(+)
Comment 5 Larry the Git Cow gentoo-dev 2024-01-19 08:50:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=500274c68d01033cbafb86135043712bcbbd974e

commit 500274c68d01033cbafb86135043712bcbbd974e
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-01-19 08:49:43 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-01-19 08:49:43 +0000

    net-misc/curl: improve USE=psl description
    
    Bug: https://bugs.gentoo.org/921610
    Bug: https://bugs.gentoo.org/919325
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/curl/metadata.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c5220b82d97f99bbdb24a203fd47c84c885f3ca1

commit c5220b82d97f99bbdb24a203fd47c84c885f3ca1
Author:     Matt Jolly <Matt.Jolly@footclan.ninja>
AuthorDate: 2024-01-17 07:57:07 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-01-19 08:48:30 +0000

    net-misc/curl: add 8.5.0-r3
    
    - Add Public Suffix List (PSL) support
    
    Bug: https://bugs.gentoo.org/919325
    Closes: https://bugs.gentoo.org/921610
    Signed-off-by: Matt Jolly <Matt.Jolly@footclan.ninja>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/curl/curl-8.5.0-r3.ebuild | 369 +++++++++++++++++++++++++++++++++++++
 net-misc/curl/metadata.xml         |   1 +
 2 files changed, 370 insertions(+)
Comment 6 Eli Schwartz gentoo-dev 2024-02-12 03:05:37 UTC
*** Bug 921732 has been marked as a duplicate of this bug. ***