An update for curl is now available for openEuler-20.03-LTS-SP1
Security Advisory
openeuler-security@openeuler.org
openEuler security committee
openEuler-SA-2023-1194
Final
1.0
1.0
2023-03-31
Initial
2023-03-31
2023-03-31
openEuler SA Tool V1.0
2023-03-31
curl security update
An update for curl is now available for openEuler-20.03-LTS-SP1.
cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.
Security Fix(es):
libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several FTP settings were left out from the configuration match checks, making them match too easily. The settings in questions are `CURLOPT_FTP_ACCOUNT`, `CURLOPT_FTP_ALTERNATIVE_TO_USER`, `CURLOPT_FTP_SSL_CCC` and `CURLOPT_USE_SSL` level.(CVE-2023-27535)
libcurl would reuse a previously created connection even when the GSS delegation (`CURLOPT_GSSAPI_DELEGATION`) option had been changed that could have changed the user's permissions in a second transfer. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, this GSS delegation setting was left out from the configuration match checks, making them match too easily, affecting krb5/kerberos/negotiate/GSSAPI transfers.(CVE-2023-27536)
curl supports communicating using the TELNET protocol and as a part of this it offers users to pass on user name and "telnet options" for the server
negotiation. Due to lack of proper input scrubbing and without it being the documented functionality, curl would pass on user name and telnet options to the server as provided. This could allow users to pass in carefully crafted content that pass on content or do option negotiation without the application intending to do so. In particular if an application for example allows users to provide the data or parts of the data.(CVE-2023-27533)
curl supports SFTP transfers. curl's SFTP implementation offers a special feature in the path component of URLs: a tilde (`~`) character as the first
path element in the path to denotes a path relative to the user's home directory. This is supported because of wording in the [once proposed
to-become RFC draft](https://datatracker.ietf.org/doc/html/draft-ietf-secsh-scp-sftp-ssh-uri-04) that was to dictate how SFTP URLs work. Due to a bug, the handling of the tilde in SFTP path did however not only replace it when it is used stand-alone as the first path element but also wrongly when used as a mere prefix in the first element. Using a path like `/~2/foo` when accessing a server using the user `dan` (with home directory `/home/dan`) would then quite suprisingly access the file `/home/dan2/foo`. This can be taken advantage of to circumvent filtering or worse.(CVE-2023-27534)
libcurl would reuse a previously created connection even when an SSH related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, two SSH settings were left out from the configuration match checks, making them match too easily.(CVE-2023-27538)
An update for curl is now available for openEuler-20.03-LTS-SP1.
openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.
Medium
curl
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1194
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-27535
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-27536
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-27533
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-27534
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-27538
https://nvd.nist.gov/vuln/detail/CVE-2023-27535
https://nvd.nist.gov/vuln/detail/CVE-2023-27536
https://nvd.nist.gov/vuln/detail/CVE-2023-27533
https://nvd.nist.gov/vuln/detail/CVE-2023-27534
https://nvd.nist.gov/vuln/detail/CVE-2023-27538
openEuler-20.03-LTS-SP1
curl-7.71.1-24.oe1.aarch64.rpm
libcurl-7.71.1-24.oe1.aarch64.rpm
curl-debugsource-7.71.1-24.oe1.aarch64.rpm
curl-debuginfo-7.71.1-24.oe1.aarch64.rpm
libcurl-devel-7.71.1-24.oe1.aarch64.rpm
curl-help-7.71.1-24.oe1.noarch.rpm
curl-7.71.1-24.oe1.src.rpm
curl-debugsource-7.71.1-24.oe1.x86_64.rpm
curl-7.71.1-24.oe1.x86_64.rpm
curl-debuginfo-7.71.1-24.oe1.x86_64.rpm
libcurl-7.71.1-24.oe1.x86_64.rpm
libcurl-devel-7.71.1-24.oe1.x86_64.rpm
An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information.
2023-03-31
CVE-2023-27535
openEuler-20.03-LTS-SP1
Medium
5.8
AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
curl security update
2023-03-31
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1194
An authentication bypass vulnerability exists libcurl <8.0.0 in the connection reuse feature which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed.
2023-03-31
CVE-2023-27536
openEuler-20.03-LTS-SP1
Medium
5.8
AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
curl security update
2023-03-31
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1194
A vulnerability in input validation exists in curl <8.0 during communication using the TELNET protocol may allow an attacker to pass on maliciously crafted user name and "telnet options" during server negotiation. The lack of proper input scrubbing allows an attacker to send content or perform option negotiation without the application's intent. This vulnerability could be exploited if an application allows user input, thereby enabling attackers to execute arbitrary code on the system.
2023-03-31
CVE-2023-27533
openEuler-20.03-LTS-SP1
Medium
4.5
AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
curl security update
2023-03-31
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1194
A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory. Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /~2/foo while accessing a server with a specific user.
2023-03-31
CVE-2023-27534
openEuler-20.03-LTS-SP1
Medium
4.5
AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
curl security update
2023-03-31
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1194
libcurl would reuse a previously created connection even when an SSH related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, two SSH settings were left out from the configuration match checks, making them match too easily.
2023-03-31
CVE-2023-27538
openEuler-20.03-LTS-SP1
Medium
5.8
AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
curl security update
2023-03-31
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1194