curl-7.76.1-23.el9.4

エラータID: AXSA:2023-6515:13

Release date: 
Friday, October 20, 2023 - 01:08
Subject: 
curl-7.76.1-23.el9.4
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
High
Description: 

The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.

Security Fix(es):

* curl: a heap-based buffer overflow in the SOCKS5 proxy handshake (CVE-2023-38545)
* curl: cookie injection with none file (CVE-2023-38546)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2023-38545
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2023-38546
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Solution: 

Update packages.

CVEs: 
CVE-2023-38545
This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes. If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only. Due to this bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long host name to the target buffer instead of copying just the resolved address there. The target buffer being a heap based buffer, and the host name coming from the URL that curl has been told to operate with.
CVE-2023-38546
This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met. libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers. libcurl provides a function call that duplicates en easy handle called [curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html). If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as `none` (using the four ASCII letters, no quotes). Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named `none` - if such a file exists and is readable in the current directory of the program using libcurl. And if using the correct file format of course.
Additional Info: 

N/A

Download: 

SRPMS
  1. curl-7.76.1-23.el9.4.src.rpm
    MD5: 3e9d0dc1e78d26f2140ed11c23d2fd1f
    SHA-256: 17be405729c24aa52976e4d6871b683f9857e85767f0a1e489d9d5dc0a9e7f2a
    Size: 2.41 MB

Asianux Server 9 for x86_64
  1. curl-7.76.1-23.el9.4.x86_64.rpm
    MD5: bc0dac09e992db9b838863fbd27622d1
    SHA-256: 73ac50a9c188c70dbf539e233563c59a583e4c448aceb71ba6fa5abc3f49d63f
    Size: 293.51 kB
  2. curl-minimal-7.76.1-23.el9.4.x86_64.rpm
    MD5: 9a262a2e6871e097236552ef1ed68906
    SHA-256: 2b0d171a367d351875a8015ae2fc5c60409c94541b14fb6785c94fa6700b276b
    Size: 126.38 kB
  3. libcurl-7.76.1-23.el9.4.i686.rpm
    MD5: f2c8e56415ee5fe1305219211e1bdf8e
    SHA-256: 1bd665f7eee775790852f4619ec4cfd3718a1d833c498f297afb7ec3f374c6d3
    Size: 309.37 kB
  4. libcurl-7.76.1-23.el9.4.x86_64.rpm
    MD5: b5cacdfefce21361967ce5f7b6b7a8a2
    SHA-256: 5b1a14e733789bc18f5181f0c2e5a96b778627f9bfff1457b9cc38fab17fad1b
    Size: 282.84 kB
  5. libcurl-devel-7.76.1-23.el9.4.i686.rpm
    MD5: 8f3908d8bdbfa245dfeba0e633e57707
    SHA-256: 322114942ed339056149b40d432799ee2119844199ba6e0fa9054e2bb28000bd
    Size: 848.29 kB
  6. libcurl-devel-7.76.1-23.el9.4.x86_64.rpm
    MD5: 9a494306bd2a1e867f1a6760ccff69c3
    SHA-256: 69e39eba2b7747d894890c44c414184f17e37db6b6eac93052ed668646760191
    Size: 848.24 kB
  7. libcurl-minimal-7.76.1-23.el9.4.i686.rpm
    MD5: b296442f7c1cb3f1dead0894c263e72b
    SHA-256: e8988fcfb4c99c8f84db01ea1b0d63a8bd5116a2ddd07e18df176d24600baf3f
    Size: 244.51 kB
  8. libcurl-minimal-7.76.1-23.el9.4.x86_64.rpm
    MD5: f91eed95955a2153b42128540ec275c6
    SHA-256: ce9c7faeed96fee50bdbfaaabc473c7bd49f1c7ed3fd921b3605ee2e91f2c6f5
    Size: 224.26 kB