Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 902801 (CVE-2023-27533, CVE-2023-27534, CVE-2023-27535, CVE-2023-27536, CVE-2023-27537, CVE-2023-27538) - <net-misc/curl-8.0.1: Multiple vulnerabilities
Summary: <net-misc/curl-8.0.1: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2023-27533, CVE-2023-27534, CVE-2023-27535, CVE-2023-27536, CVE-2023-27537, CVE-2023-27538
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa+]
Keywords:
Depends on: 905145
Blocks:
  Show dependency tree
 
Reported: 2023-03-23 08:57 UTC by Sam James
Modified: 2023-10-17 12:21 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-03-23 08:57:57 UTC
From https://daniel.haxx.se/blog/2023/03/20/curl-8-0-0-is-here/:
"""
Security

We disclose six new vulnerabilities today, five of them at severity Low and one of them at Medium.
CVE-2023-27533: TELNET option IAC injection

curl supports communicating using the TELNET protocol and as a part of this it offers users to pass on user name and “telnet options” for the server negotiation.

Due to lack of proper input scrubbing and without it being the documented functionality, curl would pass on user name and telnet options to the server as provided. This could allow users to pass in carefully crafted content that pass on content or do option negotiation without the application intending to do so. In particular if an application for example allows users to provide the data or parts of the data.
CVE-2023-27534: SFTP path ~ resolving discrepancy

curl supports SFTP transfers. curl’s SFTP implementation offers a special feature in the path component of URLs: a tilde (~) character as the first path element in the path to denotes a path relative to the user’s home directory. This is supported because of wording in the once proposed to-become RFC draft that was to dictate how SFTP URLs work.

Due to a bug, the handling of the tilde in SFTP path did however not only replace it when it is used stand-alone as the first path element but also wrongly when used as a mere prefix in the first element.

Using a path like /~2/foo when accessing a server using the user dan (with home directory /home/dan) would then quite surprisingly access the file /home/dan2/foo.

This can be taken advantage of to circumvent filtering or worse.
CVE-2023-27535: FTP too eager connection reuse

libcurl would reuse a previously created FTP connection even when one or more options had been changed that could have made the effective user a very different one, thus leading to the doing the second transfer with wrong credentials.

libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several FTP settings were left out from the configuration match checks, making them match too easily. The settings in questions are CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC and CURLOPT_USE_SSL level.
CVE-2023-27536: GSS delegation too eager connection re-use

libcurl would reuse a previously created connection even when the GSS delegation (CURLOPT_GSSAPI_DELEGATION) option had been changed that could have changed the user’s permissions in a second transfer.

libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, this GSS delegation setting was left out from the configuration match checks, making them match too easily, affecting krb5/kerberos/negotiate/GSSAPI transfers.
CVE-2023-27537: HSTS double-free

libcurl supports sharing HSTS data between separate “handles”. This sharing was introduced without considerations for do this sharing across separate threads but there was no indication of this fact in the documentation.

Due to missing mutexes or thread locks, two threads sharing the same HSTS data could end up doing a double-free or use-after-free.
CVE-2023-27538: SSH connection too eager reuse still

libcurl would reuse a previously created connection even when an SSH related option had been changed that should have prohibited reuse.

libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, two SSH settings were left out from the configuration match checks, making them match too easily.
"""
Comment 1 Larry the Git Cow gentoo-dev 2023-03-23 08:59:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3bca090841779256251eec23164a715e3356c3f0

commit 3bca090841779256251eec23164a715e3356c3f0
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-03-23 08:51:32 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-03-23 08:59:13 +0000

    net-misc/curl: add 8.0.1
    
    Note that https://github.com/curl/curl/commit/372b95f77f08ae7a64a5bca53cfb342ec5a8adc9
    did get fixed in this release, although the warnings in bug 898364 weren't real
    issues here.
    
    Kangie's done a great job of upstreaming various fixes here but is away at
    the moment so I'm doing the easy bit of just bumping the ebuild.
    
    Also sorted dependencies and some other minor tweaks to comments.
    
    Bug: https://bugs.gentoo.org/902801
    Closes: https://bugs.gentoo.org/879237
    Closes: https://bugs.gentoo.org/898364
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/curl/Manifest                             |   2 +
 net-misc/curl/curl-8.0.1.ebuild                    | 316 +++++++++++++++++++++
 .../curl/files/curl-8.0.1-onion-resolution.patch   | 158 +++++++++++
 3 files changed, 476 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2023-05-17 07:58:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e157923b659d2650cb9eb5a3084d9539f6487b29

commit e157923b659d2650cb9eb5a3084d9539f6487b29
Author:     Matt Jolly <Matt.Jolly@footclan.ninja>
AuthorDate: 2023-05-17 07:51:10 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-17 07:58:25 +0000

    net-misc/curl: drop 7.88.1-r2
    
    Bug: https://bugs.gentoo.org/902801
    Signed-off-by: Matt Jolly <Matt.Jolly@footclan.ninja>
    Closes: https://github.com/gentoo/gentoo/pull/31074
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/curl/Manifest                             |   2 -
 net-misc/curl/curl-7.88.1-r2.ebuild                | 307 ---------------------
 .../files/curl-7.88.1-header-dump-segfault.patch   |  29 --
 .../curl/files/curl-7.88.1-onion-resolution.patch  | 134 ---------
 net-misc/curl/files/curl-7.88.1-pipewait.patch     |  64 -----
 .../curl/files/curl-7.88.1-silent-parallel.patch   |  20 --
 6 files changed, 556 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b3a33df81050e9831d0c058bb1c0e4abc273eb48

commit b3a33df81050e9831d0c058bb1c0e4abc273eb48
Author:     Matt Jolly <Matt.Jolly@footclan.ninja>
AuthorDate: 2023-05-17 07:36:59 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-17 07:58:21 +0000

    net-misc/curl: drop 7.88.1-r1
    
    Bug: https://bugs.gentoo.org/902801
    Signed-off-by: Matt Jolly <Matt.Jolly@footclan.ninja>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/curl/curl-7.88.1-r1.ebuild | 306 ------------------------------------
 1 file changed, 306 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7de0ffe047c4bf430f82a1fa92d06faf66535ed8

commit 7de0ffe047c4bf430f82a1fa92d06faf66535ed8
Author:     Matt Jolly <Matt.Jolly@footclan.ninja>
AuthorDate: 2023-05-17 07:36:16 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-17 07:58:16 +0000

    net-misc/curl: drop 7.87.0-r2
    
    Bug: https://bugs.gentoo.org/902801
    Signed-off-by: Matt Jolly <Matt.Jolly@footclan.ninja>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/curl/Manifest                             |   2 -
 net-misc/curl/curl-7.87.0-r2.ebuild                | 302 ---------------------
 .../files/curl-7.87.0-gnutls-openssl-build.patch   |  39 ---
 .../files/curl-7.87.0-typecheck-deprecated.patch   |  48 ----
 net-misc/curl/metadata.xml                         |   1 -
 5 files changed, 392 deletions(-)
Comment 3 Larry the Git Cow gentoo-dev 2023-10-11 08:41:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3dfe02046c2bc76fb7e910a04702603b72fcb98c

commit 3dfe02046c2bc76fb7e910a04702603b72fcb98c
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-10-11 08:40:59 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-10-11 08:41:24 +0000

    [ GLSA 202310-12 ] curl: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/887745
    Bug: https://bugs.gentoo.org/894676
    Bug: https://bugs.gentoo.org/902801
    Bug: https://bugs.gentoo.org/906590
    Bug: https://bugs.gentoo.org/910564
    Bug: https://bugs.gentoo.org/914091
    Bug: https://bugs.gentoo.org/915195
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202310-12.xml | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)