curl-7.76.1-26.el9.2
エラータID: AXSA:2023-6965:14
The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.
Security Fix(es):
* curl: a heap-based buffer overflow in the SOCKS5 proxy handshake (CVE-2023-38545)
* curl: cookie injection with none file (CVE-2023-38546)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2023-38545
This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes. If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only. Due to this bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long host name to the target buffer instead of copying just the resolved address there. The target buffer being a heap based buffer, and the host name coming from the URL that curl has been told to operate with.
CVE-2023-38546
This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met. libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers. libcurl provides a function call that duplicates en easy handle called [curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html). If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as `none` (using the four ASCII letters, no quotes). Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named `none` - if such a file exists and is readable in the current directory of the program using libcurl. And if using the correct file format of course.
Update packages.
This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes. If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only. Due to this bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long host name to the target buffer instead of copying just the resolved address there. The target buffer being a heap based buffer, and the host name coming from the URL that curl has been told to operate with.
This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met. libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers. libcurl provides a function call that duplicates en easy handle called [curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html). If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as `none` (using the four ASCII letters, no quotes). Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named `none` - if such a file exists and is readable in the current directory of the program using libcurl. And if using the correct file format of course.
A vulnerability in input validation exists in curl <8.0 during communication using the TELNET protocol may allow an attacker to pass on maliciously crafted user name and "telnet options" during server negotiation. The lack of proper input scrubbing allows an attacker to send content or perform option negotiation without the application's intent. This vulnerability could be exploited if an application allows user input, thereby enabling attackers to execute arbitrary code on the system.
A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory. Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /~2/foo while accessing a server with a specific user.
An authentication bypass vulnerability exists libcurl <8.0.0 in the connection reuse feature which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed.
An authentication bypass vulnerability exists in libcurl prior to v8.0.0 where it reuses a previously established SSH connection despite the fact that an SSH option was modified, which should have prevented reuse. libcurl maintains a pool of previously used connections to reuse them for subsequent transfers if the configurations match. However, two SSH settings were omitted from the configuration check, allowing them to match easily, potentially leading to the reuse of an inappropriate connection.
N/A
SRPMS
- curl-7.76.1-26.el9.2.src.rpm
MD5: 36e499b4810b84cbfc053be779a4360d
SHA-256: 1362386b6b7b6de263d2bf4df0931681c6dc9a6aad531deb3a1bc49d1fc5607f
Size: 2.42 MB
Asianux Server 9 for x86_64
- curl-7.76.1-26.el9.2.x86_64.rpm
MD5: 5b9fbc790e8b2e6ba8477eb13e70fe12
SHA-256: e6fdf770eb300e4f90ee8c3aaa750f959c9873bc6c0797f17de0eddeae0d5c28
Size: 293.66 kB - curl-minimal-7.76.1-26.el9.2.x86_64.rpm
MD5: 7523acc41f3e9cd8d42016e8646fd990
SHA-256: 122fc671741dabadb1f2849ca399a7df5aa7519caf94e5b3919204602176088c
Size: 126.55 kB - libcurl-7.76.1-26.el9.2.i686.rpm
MD5: 9f907e18ef8d684bdc652014e0818518
SHA-256: 10f026c3d791c68edef05a1fe7320d2c9c4b3b14830a8cc20345ddfa89cb4647
Size: 309.62 kB - libcurl-7.76.1-26.el9.2.x86_64.rpm
MD5: e539494ad357d24cf259cf5262830166
SHA-256: 96c2fe90059a6cd8bfd66b7d9080f51a350dec1cf62146c9c8c208af0ad3faee
Size: 283.16 kB - libcurl-devel-7.76.1-26.el9.2.i686.rpm
MD5: 14420dd7fb29da9b82dfe0c23b66cab3
SHA-256: 7b2712db7f2e5900e799c69cceece8b79802da27d6cbb08ad304f734c91f9238
Size: 848.38 kB - libcurl-devel-7.76.1-26.el9.2.x86_64.rpm
MD5: a63e66e1337b1963053e3ff15b9d5c08
SHA-256: aa38ddf8b1c916c903dd4b96c1f44be8075b2b4d75f3370e162452e1312b8da0
Size: 848.37 kB - libcurl-minimal-7.76.1-26.el9.2.i686.rpm
MD5: a4d78b3a7427bf76fd00d699642e9875
SHA-256: 06259364bedb1292812c9ea09d55b6fc76ad7136f1f56815b4fc9cf979e53d1a
Size: 244.62 kB - libcurl-minimal-7.76.1-26.el9.2.x86_64.rpm
MD5: 187cf39fc8950e95ad39ac44ced21743
SHA-256: 3a77810187f255c63f3e0d50bfe8d2b602a4ebd439fcb7662c932bc9ec67e4f7
Size: 224.39 kB
日本語