Bug 2196778 (CVE-2023-28319)

Summary: CVE-2023-28319 curl: use after free in SSH sha256 fingerprint check
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Nobody <nobody>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: andrew.slice, bodavis, csutherl, dbhole, jclere, jpazdziora, kanderso, kdudka, lvaleeva, mturk, omajid, peholase, pjindal, plodge, rwagner, szappis
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: curl 8.1.0
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the Curl package. This flaw risks inserting sensitive heap-based data into the error message that users might see or is otherwise leaked and revealed.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-08-15 21:55:20 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2207898, 2207896
Bug Blocks: 2196613

Description Marian Rehak 2023-05-10 08:32:47 UTC
libcurl offers a feature to verify an SSH server's public key using a SHA 256 hash. When this check fails, libcurl would free the memory for the fingerprint before it returns an error message containing the (now freed) hash. This flaw risks inserting sensitive heap-based data into the error message that might be shown to users or otherwise get leaked and revealed.
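The ordering defect the description refers to, shown as an added C illustration that is neither curl's code nor part of this report: a heap-held fingerprint must stay live until the mismatch message has been formatted, and only then be released. The helper names, the message text and the sample inputs are all constructed for this illustration; the vulnerable ordering is shown only in a comment so that the block itself never reads freed memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the bug class in this report (not curl's code).
 * A server key fingerprint is held in a heap buffer. If that buffer is freed
 * before the mismatch error message is formatted, the message is built from
 * freed memory (a use-after-free) and whatever the allocator has since placed
 * there can end up in text shown to the user or written to a log. */

#define ERRBUF_LEN 256

enum fp_result { FP_OK = 0, FP_MISMATCH = 1, FP_NOMEM = -1 };

/* Hypothetical helper standing in for a real hash-and-encode step: returns a
 * heap copy the caller must free. Here the "fingerprint" is just a copy of
 * the input so the example stays self-contained. */
static char *compute_fingerprint(const char *host_key_material)
{
    size_t n = strlen(host_key_material) + 1;
    char *copy = malloc(n);
    if (copy)
        memcpy(copy, host_key_material, n);
    return copy;
}

/* Hardened ordering: format the error while `fp` is still live, free afterwards.
 *
 * The vulnerable ordering this report describes would be
 *     free(fp);
 *     snprintf(errbuf, errlen, "... %s ...", fp, expected);  <- reads freed memory
 * which is why it appears only as a comment here. */
static enum fp_result check_fingerprint(const char *host_key_material,
                                        const char *expected,
                                        char *errbuf, size_t errlen)
{
    enum fp_result rc = FP_OK;
    char *fp = compute_fingerprint(host_key_material);
    if (!fp)
        return FP_NOMEM;

    errbuf[0] = '\0';
    if (strcmp(fp, expected) != 0) {
        /* fp is still valid here, so the message carries the real value. */
        snprintf(errbuf, errlen,
                 "ssh host key sha256 fingerprint mismatch: got %s, expected %s",
                 fp, expected);
        rc = FP_MISMATCH;
    }
    free(fp);   /* released only after its last use */
    return rc;
}

/* Returns 1 if the message mentions the given fingerprint text, 0 otherwise. */
static int message_mentions(const char *errbuf, const char *fp_text)
{
    return strstr(errbuf, fp_text) != NULL;
}

/* Self-check: a mismatch must report both values intact, a match must leave
 * the buffer empty. Returns 1 on success, 0 on any failure. */
static int run_self_check(void)
{
    char errbuf[ERRBUF_LEN];
    if (check_fingerprint("AAAA/constructed=", "BBBB/expected=", errbuf, sizeof errbuf) != FP_MISMATCH)
        return 0;
    if (!message_mentions(errbuf, "AAAA/constructed=") || !message_mentions(errbuf, "BBBB/expected="))
        return 0;
    if (check_fingerprint("AAAA/constructed=", "AAAA/constructed=", errbuf, sizeof errbuf) != FP_OK)
        return 0;
    return errbuf[0] == '\0';
}

int main(void)
{
    char errbuf[ERRBUF_LEN];
    enum fp_result rc = check_fingerprint("AAAA/constructed=", "BBBB/expected=",
                                          errbuf, sizeof errbuf);
    printf("result=%d message=\"%s\"\n", (int)rc, errbuf);
    printf("self-check %s\n", run_self_check() ? "passed" : "failed");
    return 0;
}
```

Building the example with AddressSanitizer (`-fsanitize=address`) and swapping the two lines in the comment back into the function is the quickest way to see how such an ordering bug surfaces in testing: the sanitizer reports a heap-use-after-free at the `snprintf` call, which is the kind of check that catches this class before it reaches users.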

Comment 2 Marian Rehak 2023-05-17 08:57:13 UTC
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 2207896]


Created mingw-curl tracking bugs for this issue:

Affects: fedora-all [bug 2207898]

Comment 4 Jan Pazdziora 2023-07-25 16:22:28 UTC
Hello,

while doing a review of the Vulnerability Assessment report of RHEL 8.6 for the purpose of Common Criteria certification, we came across this CVE. The CVE page https://access.redhat.com/security/cve/CVE-2023-28319 has the statement

  This vulnerability does not affect the Curl package as shipped in Red Hat Enterprise Linux 6, 7, 8 and 9.

What is the specific reason why RHEL 8 is not affected?

Thank you, Jan

Comment 5 Kamil Dudka 2023-07-25 16:36:49 UTC
Not that I was asked, but it is the same reason that is stated in bug #2207896 comment #2.

Comment 6 Jan Pazdziora 2023-07-25 16:59:56 UTC
Perfect, thanks Kamil.

Comment 7 errata-xmlrpc 2023-08-15 17:37:17 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2023:4628 https://access.redhat.com/errata/RHSA-2023:4628

Comment 8 errata-xmlrpc 2023-08-15 17:40:49 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2023:4629 https://access.redhat.com/errata/RHSA-2023:4629

Comment 9 Product Security DevOps Team 2023-08-15 21:55:18 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-28319