curl-7.76.1-23.el9.4
Errata ID: AXSA:2023-6515:13
Release date:
2023/10/20 Friday - 01:08
Title:
curl-7.76.1-23.el9.4
Affected channels:
MIRACLE LINUX 9 for x86_64
Severity:
High
Description:
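The following issues have been addressed.
[Security Fix]
- Curl has a heap-based buffer overflow issue, which results in a
vulnerability that allows a remote attacker to execute arbitrary code
and to carry out attacks with unspecified impact. (CVE-2023-38545)
- The curl_easy_duphandle() function in libcurl has an issue where it
saves and reads cookie information to and from a file with a fixed name,
which results in a vulnerability that allows a remote attacker to leak
cookie information by way of a transfer handle being duplicated under
specific circumstances. (CVE-2023-38546)
Solution:
Update the packages.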
CVE:
CVE-2023-38545
This flaw makes curl overflow a heap-based buffer in the SOCKS5 proxy handshake. When curl is asked to pass the host name along to the SOCKS5 proxy so that the proxy resolves the address instead of curl doing it itself, the host name can be at most 255 bytes long. If the host name is detected to be longer, curl switches to local name resolving and passes on only the resolved address. Due to this bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake and, contrary to the intention, copy the too-long host name to the target buffer instead of copying just the resolved address there. The target buffer is a heap-based buffer, and the host name comes from the URL that curl has been told to operate with.
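The 255-byte limit follows from the SOCKS5 request layout, where the host name length is carried in a single byte. The sketch below is an added example, not curl's code: `socks5_build_connect` and `demo_host_len` are hypothetical names, and the length check sits directly at the copy so that it does not depend on a decision made earlier in the handshake.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SOCKS5_MAX_HOSTNAME 255  /* the length field is one byte */

/* Hypothetical helper: encodes a SOCKS5 CONNECT request that asks the proxy
 * to resolve `host` (address type 0x03). Returns the number of bytes
 * written, or -1 if the name cannot be encoded or `buf` is too small. */
int socks5_build_connect(uint8_t *buf, size_t buflen,
                         const char *host, uint16_t port)
{
  size_t hlen = strlen(host);
  size_t need = 4 + 1 + hlen + 2;  /* header, length byte, name, port */

  /* Validate where the copy happens, not only where the resolve mode was
   * chosen, so a wrong mode flag cannot lead to an oversized copy. */
  if(hlen == 0 || hlen > SOCKS5_MAX_HOSTNAME)
    return -1;
  if(need > buflen)
    return -1;

  buf[0] = 0x05;                   /* VER */
  buf[1] = 0x01;                   /* CMD: CONNECT */
  buf[2] = 0x00;                   /* RSV */
  buf[3] = 0x03;                   /* ATYP: domain name */
  buf[4] = (uint8_t)hlen;
  memcpy(&buf[5], host, hlen);
  buf[5 + hlen] = (uint8_t)(port >> 8);
  buf[6 + hlen] = (uint8_t)(port & 0xff);
  return (int)need;
}

/* Encodes a constructed host name made of n 'a' bytes. */
int demo_host_len(size_t n)
{
  uint8_t buf[600];
  char host[512];
  if(n >= sizeof(host))
    return -1;
  memset(host, 'a', n);
  host[n] = '\0';
  return socks5_build_connect(buf, sizeof(buf), host, 1080);
}

int main(void)
{
  /* 255 bytes fits in a 262-byte request; 256 bytes must be refused. */
  return (demo_host_len(255) == 262 && demo_host_len(256) == -1) ? 0 : 1;
}
```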
CVE-2023-38546
This flaw allows an attacker to insert cookies at will into a running program using libcurl, if a specific series of conditions is met. libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers. libcurl provides a function call that duplicates an easy handle, called [curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html). If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned, but without cloning the actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as `none` (using the four ASCII letters, no quotes). Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named `none`, if such a file exists, is readable in the current directory of the program using libcurl, and uses the correct file format.
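A host-side check for the condition described above, as an added example that is not part of libcurl: it looks for a readable file named `none` in the current working directory and counts lines that look like cookie entries. The function names are hypothetical, and the format test assumes the Netscape cookie-file layout of seven tab-separated fields per entry.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if `line` looks like a Netscape cookie-file entry: seven
 * tab-separated fields. "#HttpOnly_" prefixes a real entry; any other
 * line starting with '#' is a comment. */
int is_cookie_line(const char *line)
{
  int tabs = 0;
  if(strncmp(line, "#HttpOnly_", 10) == 0)
    line += 10;
  else if(*line == '#')
    return 0;
  for(; *line; line++)
    if(*line == '\t')
      tabs++;
  return tabs == 6;
}

/* Counts cookie-like lines in a file named `none` in the current working
 * directory. Returns -1 when no readable file of that name exists. */
int none_file_in_cwd(void)
{
  char line[4096];
  int hits = 0;
  FILE *f = fopen("none", "r");
  if(!f)
    return -1;
  while(fgets(line, sizeof(line), f))
    hits += is_cookie_line(line);
  fclose(f);
  return hits;
}

int main(void)
{
  int n = none_file_in_cwd();
  if(n < 0)
    puts("no readable file named none in the working directory");
  else
    printf("file named none present, %d cookie-like line(s)\n", n);
  return n > 0;  /* non-zero exit when the file could supply cookies */
}
```

Run it from the working directory of the service that uses libcurl, since that is where the cloned handle would look for the file.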
Additional information:
N/A
Download:
SRPMS
- curl-7.76.1-23.el9.4.src.rpm
MD5: 3e9d0dc1e78d26f2140ed11c23d2fd1f
SHA-256: 17be405729c24aa52976e4d6871b683f9857e85767f0a1e489d9d5dc0a9e7f2a
Size: 2.41 MB
Asianux Server 9 for x86_64
- curl-7.76.1-23.el9.4.x86_64.rpm
MD5: bc0dac09e992db9b838863fbd27622d1
SHA-256: 73ac50a9c188c70dbf539e233563c59a583e4c448aceb71ba6fa5abc3f49d63f
Size: 293.51 kB
- curl-minimal-7.76.1-23.el9.4.x86_64.rpm
MD5: 9a262a2e6871e097236552ef1ed68906
SHA-256: 2b0d171a367d351875a8015ae2fc5c60409c94541b14fb6785c94fa6700b276b
Size: 126.38 kB
- libcurl-7.76.1-23.el9.4.i686.rpm
MD5: f2c8e56415ee5fe1305219211e1bdf8e
SHA-256: 1bd665f7eee775790852f4619ec4cfd3718a1d833c498f297afb7ec3f374c6d3
Size: 309.37 kB
- libcurl-7.76.1-23.el9.4.x86_64.rpm
MD5: b5cacdfefce21361967ce5f7b6b7a8a2
SHA-256: 5b1a14e733789bc18f5181f0c2e5a96b778627f9bfff1457b9cc38fab17fad1b
Size: 282.84 kB
- libcurl-devel-7.76.1-23.el9.4.i686.rpm
MD5: 8f3908d8bdbfa245dfeba0e633e57707
SHA-256: 322114942ed339056149b40d432799ee2119844199ba6e0fa9054e2bb28000bd
Size: 848.29 kB
- libcurl-devel-7.76.1-23.el9.4.x86_64.rpm
MD5: 9a494306bd2a1e867f1a6760ccff69c3
SHA-256: 69e39eba2b7747d894890c44c414184f17e37db6b6eac93052ed668646760191
Size: 848.24 kB
- libcurl-minimal-7.76.1-23.el9.4.i686.rpm
MD5: b296442f7c1cb3f1dead0894c263e72b
SHA-256: e8988fcfb4c99c8f84db01ea1b0d63a8bd5116a2ddd07e18df176d24600baf3f
Size: 244.51 kB
- libcurl-minimal-7.76.1-23.el9.4.x86_64.rpm
MD5: f91eed95955a2153b42128540ec275c6
SHA-256: ce9c7faeed96fee50bdbfaaabc473c7bd49f1c7ed3fd921b3605ee2e91f2c6f5
Size: 224.26 kB