Bug 2196793 (CVE-2023-28322)

Summary: CVE-2023-28322 curl: more POST-after-PUT confusion
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: andrew.slice, bodavis, csutherl, dbhole, ggasparb, jclere, kdudka, omajid, peholase, pjindal, plodge, sbroz, szappis
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: curl 8.1.0 Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the Curl package. This issue may lead to unintended information disclosure by the application.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2203903, 2203904, 2209338, 2209339, 2227754, 2227755, 2233493, 2233494    
Bug Blocks: 2196613    

Description Marian Rehak 2023-05-10 09:05:19 UTC 
When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.
Comment 2 Marian Rehak 2023-05-23 14:26:40 UTC 
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 2209338]


Created mingw-curl tracking bugs for this issue:

Affects: fedora-all [bug 2209339]
Comment 4 Jan Pazdziora (Red Hat) 2023-07-25 16:06:39 UTC 
Hello,

while doing review of the Vulnerability Assessment report of RHEL 8.6 for the purpose of Common Criteria certification, we came across this CVE. The CVE page https://access.redhat.com/security/cve/CVE-2023-28322 has Statement

  This vulnerability does not affect the Curl package as shipped in Red Hat Enterprise Linux 6, 7 and 8.

What is the specific reason why RHEL 8 is not affected?

Thank you, Jan
Comment 6 errata-xmlrpc 2023-08-01 08:49:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:4354 https://access.redhat.com/errata/RHSA-2023:4354
Comment 7 errata-xmlrpc 2023-08-15 17:37:19 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2023:4628 https://access.redhat.com/errata/RHSA-2023:4628
Comment 8 errata-xmlrpc 2023-08-15 17:40:52 UTC 
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2023:4629 https://access.redhat.com/errata/RHSA-2023:4629
Comment 10 errata-xmlrpc 2023-10-10 15:24:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:5598 https://access.redhat.com/errata/RHSA-2023:5598
Comment 13 errata-xmlrpc 2024-01-24 16:49:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0428 https://access.redhat.com/errata/RHSA-2024:0428
Comment 14 errata-xmlrpc 2024-01-30 13:24:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:0585 https://access.redhat.com/errata/RHSA-2024:0585
Comment 16 errata-xmlrpc 2024-04-02 15:54:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:1601 https://access.redhat.com/errata/RHSA-2024:1601