Bug 1981438 (CVE-2021-22923)

Summary: CVE-2021-22923 curl: Metalink download sends credentials
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: amctagga, andrew.slice, anharris, bdettelb, bniver, bodavis, caswilli, csutherl, dbhole, fcanogab, fjansen, flucifre, gkamathe, gmeno, gzaronik, hhorak, hvyas, jclere, jnakfour, jorton, jpazdziora, jwon, kanderso, kaycoth, kdudka, krathod, luhliari, lvaleeva, mbenjamin, mhackett, msekleta, mturk, omajid, paul, pjindal, psegedy, rwagner, security-response-team, sostapov, svashisht, szappis, tomckay, vereddy, vmugicag
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: curl 7.78.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in curl in the way curl handles credentials when downloading content using the Metalink feature. This flaw allows malicious actors controlling a hosting server to gain access to credentials provided while downloading content without the user's knowledge. The highest threat from this vulnerability is to confidentiality.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-09-21 18:21:14 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1982091, 1982092, 1983576, 1983577, 1983578, 1983579, 1983580, 1984326, 2000674
Bug Blocks: 1981436

Description Marian Rehak 2021-07-12 14:37:46 UTC
When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents, often contrary to the user's expectations and intentions and without telling the user it happened.
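
The credential-forwarding behaviour described above, shown side by side with a scoped policy, as an added illustration that is not curl's code (upstream's fix in 7.78.0 was to drop the metalink feature altogether, so this is what a client that keeps the feature would have to do). The Metalink document, the hostnames, the credentials and the fake in-memory "servers" are all constructed so the script runs offline; the function names (parse_metalink, credentials_for, credential_exposure, download) and the same-scheme/host/port rule for reusing credentials are this example's own choices, not an API of curl or of the Metalink RFC.

```python
"""Credential scoping for Metalink mirror downloads (illustration for CVE-2021-22923)."""
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"ml": "urn:ietf:params:xml:ns:metalink"}

# Constructed sample data: an authenticated origin serving the metalink
# file, one third-party mirror, and one mirror on the same origin.
METALINK_URL = "https://updates.example.internal/repo/metalink.xml"
CREDS = ("svc-user", "s3cret")  # credentials given for the metalink file
PAYLOAD = b"repomd.xml contents\n"
METALINK_XML = f"""<metalink xmlns="urn:ietf:params:xml:ns:metalink">
  <file name="repomd.xml">
    <size>{len(PAYLOAD)}</size>
    <hash type="sha-256">{hashlib.sha256(PAYLOAD).hexdigest()}</hash>
    <url priority="1">http://mirror-a.example.net/repodata/repomd.xml</url>
    <url priority="2">https://updates.example.internal/repodata/repomd.xml</url>
  </file>
</metalink>
"""
# Fake network: what each host serves.  The third-party mirror is hostile
# and returns tampered bytes, so the hash check must reject it.
FAKE_SERVERS = {
    "mirror-a.example.net": b"not the real repomd.xml\n",
    "updates.example.internal": PAYLOAD,
}


def parse_metalink(xml_text):
    """Return [(file name, sha-256 hex, [mirror urls])] from a Metalink document."""
    root = ET.fromstring(xml_text)
    out = []
    for f in root.findall("ml:file", NS):
        hashes = {h.get("type"): h.text.strip() for h in f.findall("ml:hash", NS)}
        urls = [u.text.strip() for u in f.findall("ml:url", NS)]
        out.append((f.get("name"), hashes.get("sha-256"), urls))
    return out


def origin(url):
    """(scheme, host, port): the unit that credentials are scoped to here."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme)
    return (p.scheme, p.hostname.lower(), port)


def credentials_for(metalink_url, mirror_url, creds, forward_everywhere):
    """Pick the credentials to send to a mirror.

    forward_everywhere=True reproduces the behaviour the bug describes: the
    credentials used for the metalink file are sent to every mirror.
    forward_everywhere=False reuses them only for the origin the metalink
    itself came from; every other mirror gets an unauthenticated request.
    """
    if forward_everywhere:
        return creds
    return creds if origin(mirror_url) == origin(metalink_url) else None


def credential_exposure(metalink_url, xml_text, creds, forward_everywhere):
    """Map each mirror host to whether it would receive the credentials."""
    seen = {}
    for _name, _sha, urls in parse_metalink(xml_text):
        for u in urls:
            c = credentials_for(metalink_url, u, creds, forward_everywhere)
            seen[urlsplit(u).hostname] = c is not None
    return seen


def fake_get(url, creds, log):
    """Stand-in for an HTTP GET: records what the server would see, returns the body."""
    host = urlsplit(url).hostname
    log.append((host, creds))
    return FAKE_SERVERS[host]


def download(metalink_url, xml_text, creds, forward_everywhere, log):
    """Fetch each file, trying mirrors in order and keeping the first body
    whose sha-256 matches the digest in the metalink."""
    results = {}
    for name, sha256hex, urls in parse_metalink(xml_text):
        for u in urls:
            c = credentials_for(metalink_url, u, creds, forward_everywhere)
            body = fake_get(u, c, log)
            if hashlib.sha256(body).hexdigest() == sha256hex:
                results[name] = body
                break
    return results


if __name__ == "__main__":
    for policy in (True, False):
        log = []
        download(METALINK_URL, METALINK_XML, CREDS, policy, log)
        print("forward_everywhere=%s -> requests seen by servers: %s" % (policy, log))
```

With the forwarding policy, the hostile mirror receives the user name and password even though its tampered body is then rejected by the hash check; with the scoped policy it only ever sees an anonymous request. The hash check protects integrity but does nothing for confidentiality, which is why the two concerns have to be handled separately.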

Comment 1 Marian Rehak 2021-07-12 14:38:24 UTC
This flaw has existed in curl since commit [b5fdbe848bc3d](https://github.com/curl/curl/commit/b5fdbe848bc3d) in curl 7.27.0, released on July 27, 2012.

Comment 7 Marian Rehak 2021-07-21 09:12:07 UTC
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1984326]

Comment 13 Tomas Hoger 2021-08-25 14:20:19 UTC
Upstream advisory:

https://curl.se/docs/CVE-2021-22923.html

Comment 15 Jan Pazdziora 2021-09-02 13:54:31 UTC
By the way, on Fedora 34 with curl-7.76.1-4.fc34.x86_64, running

curl --metalink 'https://mirrors.fedoraproject.org/metalink?repo=fedora-34&arch=x86_64'

segfaults:

$ curl --metalink 'https://mirrors.fedoraproject.org/metalink?repo=fedora-34&arch=x86_64'
Metalink: parsing (https://mirrors.fedoraproject.org/metalink?repo=fedora-34&arch=x86_64) metalink/XML...
Metalink: parsing (https://mirrors.fedoraproject.org/metalink?repo=fedora-34&arch=x86_64) OK
Metalink: fetching (repomd.xml) from (http://mirror.karneval.cz/pub/linux/fedora/linux/releases/34/Everything/x86_64/os/repodata/repomd.xml)...

[1/99]: http://mirror.karneval.cz/pub/linux/fedora/linux/releases/34/Everything/x86_64/os/repodata/repomd.xml --> repomd.xml
--_curl_--http://mirror.karneval.cz/pub/linux/fedora/linux/releases/34/Everything/x86_64/os/repodata/repomd.xml
Metalink: fetching (repomd.xml) from (http://mirror.karneval.cz/pub/linux/fedora/linux/releases/34/Everything/x86_64/os/repodata/repomd.xml) OK
Metalink: validating (repomd.xml)...
Metalink: validating (repomd.xml) [sha-256] OK
Metalink: fetching (repomd.xml) from (http://mirror.karneval.cz/pub/linux/fedora/linux/releases/34/Everything/x86_64/os/repodata/repomd.xml)...

[2/99]: http://mirror.karneval.cz/pub/linux/fedora/linux/releases/34/Everything/x86_64/os/repodata/repomd.xml --> repomd.xml
--_curl_--http://mirror.karneval.cz/pub/linux/fedora/linux/releases/34/Everything/x86_64/os/repodata/repomd.xml
Metalink: fetching ((nil)) from (http://mirror.karneval.cz/pub/linux/fedora/linux/releases/34/Everything/x86_64/os/repodata/repomd.xml) OK
Metalink: validating (repomd.xml)...
Segmentation fault (core dumped)

Does the metalink feature work at all?

Comment 17 Kamil Dudka 2021-09-03 08:13:11 UTC
(In reply to Jan Pazdziora from comment #15)
> Does the metalink feature work at all?

Apparently not much on Fedora, but the same command runs cleanly under valgrind on RHEL-8.

Comment 18 errata-xmlrpc 2021-09-21 08:40:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3582 https://access.redhat.com/errata/RHSA-2021:3582

Comment 19 Product Security DevOps Team 2021-09-21 18:21:14 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-22923

Comment 21 errata-xmlrpc 2021-10-19 07:02:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:3903 https://access.redhat.com/errata/RHSA-2021:3903