Bug 2252034 (CVE-2023-46219)

Summary: CVE-2023-46219 curl: excessively long file name may lead to unknown HSTS status
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bbuckingham, bcourt, csutherl, ehelms, jclere, jsherril, lzap, mhulan, mturk, nmoumoul, orabin, pcreech, peholase, pjindal, plodge, rchan, security-response-team, szappis
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: curl 8.5.0 Doc Type: If docs needed, set a value
Doc Text:
A security bypass flaw was found in Curl, which can be triggered by saving HSTS data to an excessively long file name. This issue occurs due to an error in handling HSTS long file names, leading to the removal of all contents from the file during the save process, and may allow a remote attacker to send a specially crafted request to use files without awareness of the HSTS status and enable a Man-in-the-Middle (MitM) attack.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2254386, 2253143    
Bug Blocks: 2252024    

Description Marian Rehak 2023-11-29 06:18:05 UTC 
When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use. The reason for this bug is that save function appended a suffix to the file name, created a temporary file and then in the last step renamed that to the final name. When the file name length was close to the limit of what is allowed on the file system, adding the extension would make it too long and then trigger this bug.
Comment 1 Pedro Sampaio 2023-12-06 09:40:10 UTC 
This is public now:

https://seclists.org/oss-sec/2023/q4/262
https://daniel.haxx.se/blog/2023/12/06/curl-8-5-0/
Comment 2 Pedro Sampaio 2023-12-06 09:40:28 UTC 
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 2253143]
Comment 5 errata-xmlrpc 2024-03-18 16:22:24 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2024:1317 https://access.redhat.com/errata/RHSA-2024:1317
Comment 6 errata-xmlrpc 2024-03-18 16:34:03 UTC 
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2024:1316 https://access.redhat.com/errata/RHSA-2024:1316