Bug 1981438 (CVE-2021-22923)
Summary: | CVE-2021-22923 curl: Metalink download sends credentials | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | amctagga, andrew.slice, anharris, bdettelb, bniver, bodavis, caswilli, csutherl, dbhole, fcanogab, fjansen, flucifre, gkamathe, gmeno, gzaronik, hhorak, hvyas, jclere, jnakfour, jorton, jpazdziora, jwon, kanderso, kaycoth, kdudka, krathod, luhliari, lvaleeva, mbenjamin, mhackett, msekleta, mturk, omajid, paul, pjindal, psegedy, rwagner, security-response-team, sostapov, svashisht, szappis, tomckay, vereddy, vmugicag |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | curl 7.78.0 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in curl in the way curl handles credentials when downloading content using the Metalink feature. This flaw allows malicious actors controlling a hosting server to gain access to credentials provided while downloading content without the user's knowledge. The highest threat from this vulnerability is to confidentiality.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2021-09-21 18:21:14 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1982091, 1982092, 1983576, 1983577, 1983578, 1983579, 1983580, 1984326, 2000674 | ||
Bug Blocks: | 1981436 |
Description
Marian Rehak
2021-07-12 14:37:46 UTC
This flaw has existed in curl since commit [b5fdbe848bc3d](https://github.com/curl/curl/commit/b5fdbe848bc3d) in curl 7.27.0, released on July 27, 2012. Created curl tracking bugs for this issue: Affects: fedora-all [bug 1984326] Upstream advisory: https://curl.se/docs/CVE-2021-22923.html By the way, on Fedora 34 with curl-7.76.1-4.fc34.x86_64, running curl --metalink 'https://mirrors.fedoraproject.org/metalink?repo=fedora-34&arch=x86_64' segfault: $ curl --metalink 'https://mirrors.fedoraproject.org/metalink?repo=fedora-34&arch=x86_64' Metalink: parsing (https://mirrors.fedoraproject.org/metalink?repo=fedora-34&arch=x86_64) metalink/XML... Metalink: parsing (https://mirrors.fedoraproject.org/metalink?repo=fedora-34&arch=x86_64) OK Metalink: fetching (repomd.xml) from (http://mirror.karneval.cz/pub/linux/fedora/linux/releases/34/Everything/x86_64/os/repodata/repomd.xml)... [1/99]: http://mirror.karneval.cz/pub/linux/fedora/linux/releases/34/Everything/x86_64/os/repodata/repomd.xml --> repomd.xml --_curl_--http://mirror.karneval.cz/pub/linux/fedora/linux/releases/34/Everything/x86_64/os/repodata/repomd.xml Metalink: fetching (repomd.xml) from (http://mirror.karneval.cz/pub/linux/fedora/linux/releases/34/Everything/x86_64/os/repodata/repomd.xml) OK Metalink: validating (repomd.xml)... Metalink: validating (repomd.xml) [sha-256] OK Metalink: fetching (repomd.xml) from (http://mirror.karneval.cz/pub/linux/fedora/linux/releases/34/Everything/x86_64/os/repodata/repomd.xml)... [2/99]: http://mirror.karneval.cz/pub/linux/fedora/linux/releases/34/Everything/x86_64/os/repodata/repomd.xml --> repomd.xml --_curl_--http://mirror.karneval.cz/pub/linux/fedora/linux/releases/34/Everything/x86_64/os/repodata/repomd.xml Metalink: fetching ((nil)) from (http://mirror.karneval.cz/pub/linux/fedora/linux/releases/34/Everything/x86_64/os/repodata/repomd.xml) OK Metalink: validating (repomd.xml)... Segmentation fault (core dumped) Does the metalink feature work at all? (In reply to Jan Pazdziora from comment #15) > Does the metalink feature work at all? Apparently not much on Fedora but the same command runs cleanly under valgrind on RHEL-8. This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3582 https://access.redhat.com/errata/RHSA-2021:3582 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-22923 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:3903 https://access.redhat.com/errata/RHSA-2021:3903 |