Bug 2179097 (CVE-2023-27537)

Summary: CVE-2023-27537 curl: HSTS double-free
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: andrew.slice, bodavis, csutherl, dbhole, jclere, kanderso, kdudka, lvaleeva, mturk, omajid, peholase, pjindal, plodge, rwagner, security-response-team, szappis
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: curl 8.0.0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-03-21 17:30:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2178228    

Description Marian Rehak 2023-03-16 16:01:19 UTC 
libcurl supports sharing HSTS data between separate "handles". This sharing was introduced without considerations for do this sharing across separate threads but there was no indication of this fact in the documentation. Due to missing mutexes or thread locks, two threads sharing the same HSTS data could end up doing a double-free or use-after-free.

INFO
----

This feature was not implemented to support sharing between threads. That is still left for future improvements. The fix for this issue is therefore a documentation update clarifying that sharing HSTS between threads is not expected to work.
Comment 1 Product Security DevOps Team 2023-03-21 17:30:56 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-27537