
Bug#1053270: bullseye-pu: package curl/7.74.0-1.3+deb11u9


Carlos Henrique Lima Melara

Sep 30, 2023, 9:00:04 AM
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.d...@packages.debian.org
Usertags: pu
X-Debbugs-Cc: cu...@packages.debian.org, charle...@riseup.net
Control: affects -1 + src:curl

[ Reason ]
Vulnerabilities were discovered and reported to Curl upstream [1][2] with the
following CVE IDs:

- CVE-2023-28321
- CVE-2023-28322

The description of the CVE-2023-28321 is:

> An improper certificate validation vulnerability exists in curl
> <v8.1.0 in the way it supports matching of wildcard patterns when
> listed as "Subject Alternative Name" in TLS server certificates. curl
> can be built to use its own name matching function for TLS rather than
> one provided by a TLS library. This private wildcard matching function
> would match IDN (International Domain Name) hosts incorrectly and
> could as a result accept patterns that otherwise should mismatch. IDN
> hostnames are converted to puny code before used for certificate
> checks. Puny coded names always start with `xn--` and should not be
> allowed to pattern match, but the wildcard check in curl could still
> check for `x*`, which would match even though the IDN name most likely
> contained nothing even resembling an `x`.

And the description of the CVE-2023-28322 is:

> An information disclosure vulnerability exists in curl <v8.1.0 when
> doing HTTP(S) transfers, libcurl might erroneously use the read
> callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when
> the `CURLOPT_POSTFIELDS` option has been set, if the same handle
> previously was used to issue a `PUT` request which used that callback.
> This flaw may surprise the application and cause it to misbehave and
> either send off the wrong data or use memory after free or similar in
> the second transfer. The problem exists in the logic for a reused
> handle when it is (expected to be) changed from a PUT to a POST.

This proposed update is meant to fix those vulnerabilities.

[ Impact ]
As the vulnerabilities are present in bullseye's curl code, they can be
exploited by malicious actors.

[ Tests ]
Automatic tests were executed (from the curl test suite) during build
time. Everything passed after the changes were introduced.

I also conducted a test to see if the CVE-2023-28321 was fixed. In order
to do so, I've followed the report's reproduction steps [3] and tested in a
bullseye container. The default bullseye curl version is vulnerable, but
this new one is not. Unfortunately the PoC of CVE-2023-28322 was crafted
using a newer version of libcurl, so I wasn't able to validate the fix
of the backported patch.

Also, note the fix for CVE-2023-28321 comes from CentOS and is already
available there.

[ Risks ]
The changes weren't big because the delta between bullseye's version and
current upstream is not that large (true for CVE-2023-28322). Differences
do exist, though, so I did a backport of the patch (obviously there is a
chance of introducing bugs here, but we are using the tests to spot them).

Also, the fix for CVE-2023-28321 is new code based on the fix applied in curl
8.1.0 done by a Red Hat engineer. So, new bugs could have been
introduced.

I reviewed this fix and samueloph reviewed everything (both fixes and
packaging).

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
Here is a list of the commits applied to this pu release:

commit a1190a634dcca9a85f8217c71b1073825885a16e
Author: Carlos Henrique Lima Melara <charle...@riseup.net>
Date: Sun Sep 10 15:29:53 2023 +0530

Finalize changelog for 7.74.0-1.3+deb11u9 bullseye upload

commit 39155aa17df39693c2f21ef5dbb0ddf11568256f
Author: Carlos Henrique Lima Melara <charle...@riseup.net>
Date: Fri Sep 8 19:00:25 2023 +0530

d/p/CVE-2023-28322.patch: backport patch

commit 156409a45db1c739edece8fd3b3d4d78d09c82ae
Author: Carlos Henrique Lima Melara <charle...@riseup.net>
Date: Sun Aug 13 11:01:11 2023 -0300

Import 2 new patches fixing CVES

One comes from upstream and another from CentOS.

CVE-2023-28321
CVE-2023-28322

[ Other info ]
Links:

[1] https://security-tracker.debian.org/tracker/CVE-2023-28321
[2] https://security-tracker.debian.org/tracker/CVE-2023-28322
[3] https://hackerone.com/reports/1950627

Cheers,
Charles
debdiff_curl_oldstablepu.diff
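The CVE-2023-28321 description above explains the failure mode: a partial-label wildcard such as `x*` in a certificate's Subject Alternative Name could match a punycode (`xn--`) host name that has nothing to do with the pattern. The following is an added example, not curl's hostcheck code and not part of this upload; it shows a hardened matcher that only honours a wildcard when it is the entire left-most label, requires at least two dots in the pattern, and refuses wildcard matches against IP literals. The function name `cert_host_match` and the policy it enforces are this example's own assumptions, written to illustrate the check a TLS client needs rather than to reproduce curl's implementation.

```c
/* Hardened TLS certificate host-name matcher (added example, not curl's code).
 * Policy assumed here, following the CVE-2023-28321 description:
 *   - a wildcard is only honoured as the entire left-most label ("*.example.com");
 *     partial-label patterns such as "x*.example.com" get an exact compare only,
 *     so they can never match a punycode ("xn--") label;
 *   - the pattern must contain at least two dots so "*.com" is not accepted;
 *   - IP-literal host names never wildcard-match;
 *   - comparison is ASCII case-insensitive, trailing dots are ignored.
 */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

static size_t strip_trailing_dot(const char *s, size_t len)
{
    while (len && s[len - 1] == '.')
        len--;
    return len;
}

/* ASCII case-insensitive compare of two byte ranges */
static bool range_eq(const char *a, size_t alen, const char *b, size_t blen)
{
    if (alen != blen)
        return false;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* crude IP-literal detection: only digits and dots (IPv4), or contains ':' (IPv6) */
static bool looks_like_ip(const char *host, size_t len)
{
    bool all_digits_dots = len > 0;
    for (size_t i = 0; i < len; i++) {
        if (host[i] == ':')
            return true;
        if (!(isdigit((unsigned char)host[i]) || host[i] == '.'))
            all_digits_dots = false;
    }
    return all_digits_dots;
}

/* Returns true when `host` is covered by the certificate name `pattern`. */
bool cert_host_match(const char *host, const char *pattern)
{
    size_t hlen = strip_trailing_dot(host, strlen(host));
    size_t plen = strip_trailing_dot(pattern, strlen(pattern));

    if (!hlen || !plen)
        return false;

    /* Wildcard only honoured as the whole left-most label: "*." prefix and no other '*'.
     * Anything else ("x*.example.com", "xn--*.example.com", ...) is compared exactly. */
    if (plen < 3 || pattern[0] != '*' || pattern[1] != '.' ||
        memchr(pattern + 2, '*', plen - 2))
        return range_eq(host, hlen, pattern, plen);

    if (looks_like_ip(host, hlen))
        return false;

    /* at least two dots in the pattern: "*.example.com" yes, "*.com" no */
    const char *p_label_end = pattern + 1;  /* the '.' right after '*' */
    if (!memchr(p_label_end + 1, '.', plen - 2))
        return false;

    /* the host must have a non-empty left-most label for the '*' to absorb */
    const char *h_label_end = memchr(host, '.', hlen);
    if (!h_label_end || h_label_end == host)
        return false;

    /* everything after the first label must match exactly, so "*" covers one label only */
    size_t hrest = hlen - (size_t)(h_label_end - host);
    size_t prest = plen - 1;
    return range_eq(h_label_end, hrest, p_label_end, prest);
}

int main(void)
{
    /* constructed sample pairs: host name vs certificate name */
    const char *cases[][2] = {
        {"www.example.com", "*.example.com"},
        {"xn--bcher-kva.example.com", "x*.example.com"},
        {"xn--bcher-kva.example.com", "xn--bcher-kva.example.com"},
        {"a.b.example.com", "*.example.com"},
        {"example.com", "*.com"},
        {"10.0.0.1", "*.0.0.1"},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-28s vs %-26s -> %s\n", cases[i][0], cases[i][1],
               cert_host_match(cases[i][0], cases[i][1]) ? "match" : "no match");
    return 0;
}
```

Compile with `cc -std=c99 -Wall hostmatch.c -o hostmatch` and run it; the second line of output is the interesting one, since the `x*` pattern no longer reaches the `xn--` host at all. Restricting the wildcard to a full label is stricter than RFC 6125 requires, but it removes the whole class of partial-label ambiguities rather than special-casing the `xn--` prefix.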

Adam D. Barratt

Sep 30, 2023, 1:10:04 PM
Control: tags -1 confirmed

On Sat, 2023-09-30 at 20:46 +0800, Carlos Henrique Lima Melara wrote:
> Vulnerabilities were discovered and reported to Curl upstream [1][2]
> with the
> following CVE IDs:
>
> - CVE-2023-28321
> - CVE-2023-28322
>

Please go ahead.

Regards,

Adam

Adam D Barratt

Oct 1, 2023, 3:00:07 PM
package release.debian.org
tags 1053270 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==============

Package: curl
Version: 7.74.0-1.3+deb11u9

Explanation: fix improper certificate validation issue [CVE-2023-28321], information disclosure issue [CVE-2023-28322]