From https://daniel.haxx.se/blog/2023/03/20/curl-8-0-0-is-here/:
"""
Security

We disclose six new vulnerabilities today, five of them at severity Low and one of them at Medium.

CVE-2023-27533: TELNET option IAC injection

curl supports communicating using the TELNET protocol and as a part of this it offers users to pass on user name and "telnet options" for the server negotiation. Due to lack of proper input scrubbing and without it being the documented functionality, curl would pass on user name and telnet options to the server as provided. This could allow users to pass in carefully crafted content that passes on content or does option negotiation without the application intending to do so. In particular if an application for example allows users to provide the data or parts of the data.

CVE-2023-27534: SFTP path ~ resolving discrepancy

curl supports SFTP transfers. curl's SFTP implementation offers a special feature in the path component of URLs: a tilde (~) character as the first path element in the path denotes a path relative to the user's home directory. This is supported because of wording in the once proposed to-become RFC draft that was to dictate how SFTP URLs work. Due to a bug, the handling of the tilde in SFTP paths did however not only replace it when it is used stand-alone as the first path element but also wrongly when used as a mere prefix in the first element. Using a path like /~2/foo when accessing a server using the user dan (with home directory /home/dan) would then quite surprisingly access the file /home/dan2/foo. This can be taken advantage of to circumvent filtering or worse.

CVE-2023-27535: FTP too eager connection reuse

libcurl would reuse a previously created FTP connection even when one or more options had been changed that could have made the effective user a very different one, thus leading to doing the second transfer with wrong credentials.

libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several FTP settings were left out from the configuration match checks, making them match too easily. The settings in question are CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC and CURLOPT_USE_SSL level.

CVE-2023-27536: GSS delegation too eager connection re-use

libcurl would reuse a previously created connection even when the GSS delegation (CURLOPT_GSSAPI_DELEGATION) option had been changed that could have changed the user's permissions in a second transfer.

libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, this GSS delegation setting was left out from the configuration match checks, making them match too easily, affecting krb5/kerberos/negotiate/GSSAPI transfers.

CVE-2023-27537: HSTS double-free

libcurl supports sharing HSTS data between separate "handles". This sharing was introduced without considerations for doing this sharing across separate threads but there was no indication of this fact in the documentation. Due to missing mutexes or thread locks, two threads sharing the same HSTS data could end up doing a double-free or use-after-free.

CVE-2023-27538: SSH connection too eager reuse still

libcurl would reuse a previously created connection even when an SSH related option had been changed that should have prohibited reuse.

libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, two SSH settings were left out from the configuration match checks, making them match too easily.
"""
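The CVE-2023-27534 entry above describes the tilde check matching a prefix rather than a whole path element. The following C program, added here as an illustration and not taken from curl's own source, models that logic: a buggy resolver that rewrites any first element starting with "~", next to the corrected one that only rewrites a stand-alone "~" element (followed by "/" or the end of the path). The function names, the home directory "/home/dan" and the sample paths are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Heap copy of a string (avoids relying on the POSIX strdup). */
static char *dup_str(const char *s)
{
  size_t n = strlen(s) + 1;
  char *out = malloc(n);
  if(out)
    memcpy(out, s, n);
  return out;
}

/* Replace path[0..1] ("/~") by `home`, keeping whatever follows.
 * "/~/foo" with home "/home/dan" becomes "/home/dan/foo". */
static char *splice_home(const char *path, const char *home)
{
  size_t homelen = strlen(home);
  const char *rest = path + 2;          /* skip the leading "/~" */
  char *out = malloc(homelen + strlen(rest) + 1);
  if(!out)
    return NULL;
  memcpy(out, home, homelen);
  strcpy(out + homelen, rest);
  return out;
}

/* Hypothetical buggy resolver: only asks whether the first element
 * STARTS with '~', so "/~2/foo" is also rewritten, to "/home/dan2/foo". */
char *resolve_tilde_buggy(const char *path, const char *home)
{
  if(path[0] == '/' && path[1] == '~')
    return splice_home(path, home);
  return dup_str(path);
}

/* Corrected resolver: the tilde must be the whole first element, i.e.
 * it is followed by a '/' or by the end of the string. Anything else
 * ("/~2/foo", "/~dan/x") is left alone and sent to the server as-is. */
char *resolve_tilde_fixed(const char *path, const char *home)
{
  if(path[0] == '/' && path[1] == '~' &&
     (path[2] == '/' || path[2] == '\0'))
    return splice_home(path, home);
  return dup_str(path);
}

int main(void)
{
  /* Constructed sample paths; "/~2/foo" is the advisory's example. */
  const char *samples[] = { "/~/foo", "/~", "/~2/foo", "/~dan/x", "/etc/passwd" };
  const char *home = "/home/dan";
  for(size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
    char *b = resolve_tilde_buggy(samples[i], home);
    char *f = resolve_tilde_fixed(samples[i], home);
    printf("%-12s buggy -> %-16s fixed -> %s\n", samples[i], b, f);
    free(b);
    free(f);
  }
  return 0;
}
```

Running it shows the two resolvers agreeing on "/~/foo" and "/~" and diverging on "/~2/foo", which is exactly the discrepancy an allow-list on the URL path cannot see: the filter inspects "/~2/foo" while the buggy client asks the server for "/home/dan2/foo".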
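CVE-2023-27535, CVE-2023-27536 and CVE-2023-27538 are one bug class: the connection-pool match compares too few options, so a pooled connection set up under one identity is handed to a transfer that asked for another. The C model below is added here to show that class; it is not libcurl's data structure or matching code. The struct fields, the "eager" and "strict" matchers and the hostnames are assumptions; the two SSH fields are placeholders, since the advisory does not name the two SSH options that were missing.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum { POOL_MAX = 8 };

/* Everything a transfer needs from a connection. The fields after
 * `password` alter who the server takes us to be, or how the link is
 * protected, yet were left out of the match check (hypothetical model). */
struct conn_opts {
  const char *host;
  int port;
  const char *user;
  const char *password;
  const char *ftp_account;              /* CURLOPT_FTP_ACCOUNT */
  const char *ftp_alternative_to_user;  /* CURLOPT_FTP_ALTERNATIVE_TO_USER */
  bool ftp_ssl_ccc;                     /* CURLOPT_FTP_SSL_CCC */
  int use_ssl;                          /* CURLOPT_USE_SSL level */
  long gssapi_delegation;               /* CURLOPT_GSSAPI_DELEGATION */
  const char *ssh_opt_a;                /* placeholder SSH setting */
  const char *ssh_opt_b;                /* placeholder SSH setting */
};

struct pool {
  struct conn_opts conns[POOL_MAX];
  int n;
};

static bool str_eq(const char *a, const char *b)
{
  if(!a || !b)
    return a == b;                      /* both NULL counts as equal */
  return strcmp(a, b) == 0;
}

static bool base_match(const struct conn_opts *a, const struct conn_opts *b)
{
  return str_eq(a->host, b->host) && a->port == b->port &&
         str_eq(a->user, b->user) && str_eq(a->password, b->password);
}

/* Vulnerable matcher: host/port/user/password only. */
bool match_eager(const struct conn_opts *a, const struct conn_opts *b)
{
  return base_match(a, b);
}

/* Hardened matcher: any option that changes the effective identity or
 * the protection of the connection must be identical to reuse it. */
bool match_strict(const struct conn_opts *a, const struct conn_opts *b)
{
  return base_match(a, b) &&
         str_eq(a->ftp_account, b->ftp_account) &&
         str_eq(a->ftp_alternative_to_user, b->ftp_alternative_to_user) &&
         a->ftp_ssl_ccc == b->ftp_ssl_ccc &&
         a->use_ssl == b->use_ssl &&
         a->gssapi_delegation == b->gssapi_delegation &&
         str_eq(a->ssh_opt_a, b->ssh_opt_a) &&
         str_eq(a->ssh_opt_b, b->ssh_opt_b);
}

/* Index of a reusable pooled connection, or -1 when one must be set up. */
int find_reusable(const struct pool *p, const struct conn_opts *want,
                  bool (*match)(const struct conn_opts *, const struct conn_opts *))
{
  for(int i = 0; i < p->n; i++)
    if(match(&p->conns[i], want))
      return i;
  return -1;
}

/* Scenario from the advisory: the second transfer is identical to the
 * first except for one of the overlooked options. Returns the pool index
 * the matcher would reuse (-1 means a fresh, correctly set up connection). */
int demo(bool strict, bool change_account, bool change_delegation)
{
  struct pool p = { .n = 0 };
  struct conn_opts first = { .host = "ftp.example", .port = 21, .user = "dan",
                             .password = "s3cret", .ftp_account = "alpha",
                             .gssapi_delegation = 0 };
  struct conn_opts second = first;
  if(change_account)
    second.ftp_account = "beta";
  if(change_delegation)
    second.gssapi_delegation = 1;       /* e.g. delegation now allowed */
  p.conns[p.n++] = first;
  return find_reusable(&p, &second, strict ? match_strict : match_eager);
}

int main(void)
{
  printf("account changed, eager : %d\n", demo(false, true, false));
  printf("account changed, strict: %d\n", demo(true, true, false));
  printf("delegation changed, eager : %d\n", demo(false, false, true));
  printf("delegation changed, strict: %d\n", demo(true, false, true));
  printf("nothing changed, strict : %d\n", demo(true, false, false));
  return 0;
}
```

The eager matcher returns index 0 in both "changed" cases, i.e. the second transfer rides on the connection authenticated with the first account or delegation setting; the strict matcher returns -1 and forces a new connection, while still reusing when nothing relevant differs. The practical rule for any pool keyed on connection state: every setting that was negotiated on the wire, or that changes what the peer may do with our credentials, belongs in the key.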
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3bca090841779256251eec23164a715e3356c3f0

commit 3bca090841779256251eec23164a715e3356c3f0
Author: Sam James <sam@gentoo.org>
AuthorDate: 2023-03-23 08:51:32 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-03-23 08:59:13 +0000

    net-misc/curl: add 8.0.1

    Note that https://github.com/curl/curl/commit/372b95f77f08ae7a64a5bca53cfb342ec5a8adc9 did get fixed in this release, although the warnings in bug 898364 weren't real issues here.

    Kangie's done a great job of upstreaming various fixes here but is away at the moment so I'm doing the easy bit of just bumping the ebuild.

    Also sorted dependencies and some other minor tweaks to comments.

    Bug: https://bugs.gentoo.org/902801
    Closes: https://bugs.gentoo.org/879237
    Closes: https://bugs.gentoo.org/898364
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/curl/Manifest                                 |   2 +
 net-misc/curl/curl-8.0.1.ebuild                        | 316 +++++++++++++++++++++
 .../curl/files/curl-8.0.1-onion-resolution.patch       | 158 +++++++++++
 3 files changed, 476 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e157923b659d2650cb9eb5a3084d9539f6487b29

commit e157923b659d2650cb9eb5a3084d9539f6487b29
Author: Matt Jolly <Matt.Jolly@footclan.ninja>
AuthorDate: 2023-05-17 07:51:10 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-05-17 07:58:25 +0000

    net-misc/curl: drop 7.88.1-r2

    Bug: https://bugs.gentoo.org/902801
    Signed-off-by: Matt Jolly <Matt.Jolly@footclan.ninja>
    Closes: https://github.com/gentoo/gentoo/pull/31074
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/curl/Manifest                                 |   2 -
 net-misc/curl/curl-7.88.1-r2.ebuild                    | 307 ---------------------
 .../files/curl-7.88.1-header-dump-segfault.patch       |  29 --
 .../curl/files/curl-7.88.1-onion-resolution.patch      | 134 ---------
 net-misc/curl/files/curl-7.88.1-pipewait.patch         |  64 -----
 .../curl/files/curl-7.88.1-silent-parallel.patch       |  20 --
 6 files changed, 556 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b3a33df81050e9831d0c058bb1c0e4abc273eb48

commit b3a33df81050e9831d0c058bb1c0e4abc273eb48
Author: Matt Jolly <Matt.Jolly@footclan.ninja>
AuthorDate: 2023-05-17 07:36:59 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-05-17 07:58:21 +0000

    net-misc/curl: drop 7.88.1-r1

    Bug: https://bugs.gentoo.org/902801
    Signed-off-by: Matt Jolly <Matt.Jolly@footclan.ninja>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/curl/curl-7.88.1-r1.ebuild | 306 ------------------------------------
 1 file changed, 306 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7de0ffe047c4bf430f82a1fa92d06faf66535ed8

commit 7de0ffe047c4bf430f82a1fa92d06faf66535ed8
Author: Matt Jolly <Matt.Jolly@footclan.ninja>
AuthorDate: 2023-05-17 07:36:16 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-05-17 07:58:16 +0000

    net-misc/curl: drop 7.87.0-r2

    Bug: https://bugs.gentoo.org/902801
    Signed-off-by: Matt Jolly <Matt.Jolly@footclan.ninja>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/curl/Manifest                                 |   2 -
 net-misc/curl/curl-7.87.0-r2.ebuild                    | 302 ---------------------
 .../files/curl-7.87.0-gnutls-openssl-build.patch       |  39 ---
 .../files/curl-7.87.0-typecheck-deprecated.patch       |  48 ----
 net-misc/curl/metadata.xml                             |   1 -
 5 files changed, 392 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3dfe02046c2bc76fb7e910a04702603b72fcb98c

commit 3dfe02046c2bc76fb7e910a04702603b72fcb98c
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-10-11 08:40:59 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-10-11 08:41:24 +0000

    [ GLSA 202310-12 ] curl: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/887745
    Bug: https://bugs.gentoo.org/894676
    Bug: https://bugs.gentoo.org/902801
    Bug: https://bugs.gentoo.org/906590
    Bug: https://bugs.gentoo.org/910564
    Bug: https://bugs.gentoo.org/914091
    Bug: https://bugs.gentoo.org/915195
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202310-12.xml | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)