Bug 2001527 (CVE-2021-22945)

Summary: CVE-2021-22945 curl: use-after-free and double-free in MQTT sending
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: amctagga, andrew.slice, anharris, bdettelb, bniver, bodavis, caswilli, csutherl, dbhole, fjansen, flucifre, gkamathe, gmeno, gzaronik, hhorak, hvyas, jclere, jorton, jwong, jwon, kanderso, kaycoth, kdudka, krathod, luhliari, lvaleeva, mbenjamin, mhackett, msekleta, mturk, omajid, paul, pjindal, psegedy, rwagner, security-response-team, sostapov, svashisht, szappis, vereddy, vmugicag
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: curl-7.79.0
Doc Text:
A flaw was found in libcurl. Sending data to an MQTT server could in some situations lead to libcurl using already freed memory and then trying to free it again. The highest threat from this vulnerability is to data confidentiality as well as system availability.
Last Closed: 2022-05-17 13:16:53 UTC
Bug Depends On: 2001541, 2004362, 2004647    
Bug Blocks: 2001529    

Description Dhananjay Arunesh 2021-09-06 10:02:37 UTC
When sending data to an MQTT server, libcurl could in some circumstances erroneously keep a pointer to an already freed memory area and both use that again in a subsequent call to send data and also free it *again*.

Comment 5 gkamathe 2021-09-15 06:27:18 UTC
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 2004362]

Comment 7 ayambast 2021-09-28 06:47:16 UTC
Marking dotnetv3.1 as NOT affected and closing its tracker as it uses curl v7.61 that isn't affected by this CVE.

Comment 9 Product Security DevOps Team 2022-05-17 13:16:50 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-22945
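
A triage check built on the fix information in this bug, as an added example that is not part of the bug report or of curl: it classifies `curl --version` output against the Fixed In Version (curl-7.79.0). The function names, the rule of flagging only builds that list mqtt under Protocols, and the sample outputs are assumptions made for illustration.

```shell
#!/bin/sh
# Added triage example; not part of the bug report or of curl.
# Assumption: flag a build when libcurl is older than the bug's
# "Fixed In Version" AND mqtt is listed under "Protocols:". The bug gives
# no first affected release, so this deliberately errs toward flagging.
FIXED="7.79.0"

# libcurl_version TEXT -> prints the numeric libcurl version (e.g. 7.76.1)
libcurl_version() {
    printf '%s\n' "$1" | sed -n 's/.*libcurl\/\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# has_mqtt TEXT -> exit 0 when mqtt is a word on the Protocols: line
has_mqtt() {
    printf '%s\n' "$1" | grep -i '^Protocols:' | tr ' ' '\n' | grep -qix 'mqtt'
}

# version_lt A B -> exit 0 when dotted numeric version A is older than B
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}                      # leading components
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac  # drop them
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1                                        # equal versions
}

# classify TEXT -> prints REVIEW, FIXED, NO_MQTT or UNKNOWN
classify() {
    ver=$(libcurl_version "$1")
    if [ -z "$ver" ]; then echo UNKNOWN
    elif ! has_mqtt "$1"; then echo NO_MQTT
    elif version_lt "$ver" "$FIXED"; then echo REVIEW
    else echo FIXED
    fi
}

# Constructed samples of `curl --version` output (not captured from hosts).
S_OLD='curl 7.61.1 (x86_64-pc-linux-gnu) libcurl/7.61.1 OpenSSL/1.1.1
Protocols: dict file ftp ftps http https smtp tftp'
S_MQTT='curl 7.76.1 (x86_64-pc-linux-gnu) libcurl/7.76.1 OpenSSL/1.1.1
Protocols: dict file ftp ftps http https mqtt smtp tftp'
S_NEW='curl 7.79.0 (x86_64-pc-linux-gnu) libcurl/7.79.0 OpenSSL/1.1.1
Protocols: dict file ftp ftps http https mqtt smtp tftp'

for s in "$S_OLD" "$S_MQTT" "$S_NEW"; do classify "$s"; done
```

On a host, run `classify "$(curl --version)"`; a REVIEW result means the build predates the fix and has MQTT enabled, not that it is confirmed vulnerable.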