Bug 2301888 (CVE-2024-7264)

Summary: CVE-2024-7264 curl: libcurl: ASN.1 date parser overread
Product: [Other] Security Response
Reporter: Patrick Del Bello <pdelbell>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: achadha, adudiak, antal.nemes, asdas, bdettelb, bmontgom, crizzo, csutherl, dfreiber, doconnor, dpaolell, drow, eparis, gcovolo, jahealy, jburrell, jclere, jdelft, jgamba, jmitchel, jtanner, jupierce, kshier, lgarciaa, mbiarnes, npecka, nstielau, omaciel, pjindal, plodge, security-response-team, sidsharm, sponnaga, stcannon, szappis, talessio, teagle, vchlup, vkumar, vlaad, vrajput, yguenane
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in libcurl's ASN.1 parser. The `GTime2str()` function, which converts an ASN.1 GeneralizedTime field to a string, can end up using -1 as the length of the *time fraction* when it is given a syntactically incorrect field. That length leads to a `strlen()` being performed on a pointer into a heap buffer that is not NUL-terminated, so the read runs past the end of the field. This most likely causes a crash, but it can also return heap contents to the application when CURLINFO_CERTINFO is used.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2309414, 2309415, 2319437
Bug Blocks:

Description Patrick Del Bello 2024-07-31 04:36:11 UTC
libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given a syntactically incorrect field, the parser might end up using -1 for the length of the *time fraction*, leading to a `strlen()` getting performed on a pointer to a heap buffer area that is not (purposely) null terminated.

This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when CURLINFO_CERTINFO (https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used.
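To make the failure mode in the description concrete, here is an added C example. It is not curl's code: it is a cut-down GeneralizedTime printer modelled on the pattern the description gives (a fraction separator as the last byte of the field, a fraction length that wraps to (size_t)-1, and that value reaching a `%.*s` precision, where a negative precision means "print until the next NUL"). The functions `gtime2str_vulnerable`, `gtime2str_hardened`, `fmt_time` and `render`, the `SECRET` marker standing in for neighbouring heap data, the constructed time fields and the exact output format are all assumptions made for this example, not anything curl does.

```c
/* Added example, not curl's code: a cut-down GeneralizedTime-to-string routine
 * modelled on the advisory's description, in a vulnerable and a hardened variant.
 * The field is a slice [beg, end) of a DER buffer: not NUL-terminated. */
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Check the fixed "YYYYMMDDhhmmss" prefix; return the byte after it or NULL. */
static const char *gtime_prefix(const char *beg, const char *end)
{
  const char *p = beg;
  while(p < end && isdigit((unsigned char)*p))
    p++;
  return (p - beg == 14) ? p : NULL;
}

/* Shared formatter: the fraction is printed with "%.*s" and (int)fracl. */
static int fmt_time(const char *beg, size_t fracl, const char *fracp,
                    const char *tz, char *out, size_t outsz)
{
  return snprintf(out, outsz, "%.4s-%.2s-%.2s %.2s:%.2s:%.2s%s%.*s%s",
                  beg, beg + 4, beg + 6, beg + 8, beg + 10, beg + 12,
                  fracl ? "." : "", (int)fracl, fracp, tz);
}

/* Vulnerable variant (constructed): the fraction length is one less than the
 * bytes scanned past the separator, so a separator with no digit after it
 * gives (size_t)-1, which reaches "%.*s" as -1. A negative precision means
 * "no limit": snprintf() strlen()s fracp and copies the heap bytes after the field. */
int gtime2str_vulnerable(const char *beg, const char *end, char *out, size_t outsz)
{
  const char *fracp = gtime_prefix(beg, end), *tzp = fracp;
  const char *tz = "";
  size_t fracl = 0;
  if(!fracp)
    return -1;
  if(fracp < end && (*fracp == '.' || *fracp == ',')) {
    fracp++;                        /* assumed first fraction digit */
    do
      tzp++;
    while(tzp < end && isdigit((unsigned char)*tzp));
    fracl = tzp - fracp - 1;        /* BUG: wraps when no digit follows */
  }
  if(tzp < end && *tzp == 'Z')
    tz = " GMT";
  return fmt_time(beg, fracl, fracp, tz, out, outsz);
}

/* Hardened variant: a separator must be followed by at least one digit, the
 * length comes only from the digit scan, trailing bytes other than 'Z' are
 * rejected, and the precision handed to "%.*s" is range-checked. */
int gtime2str_hardened(const char *beg, const char *end, char *out, size_t outsz)
{
  const char *fracp = gtime_prefix(beg, end), *tzp = fracp;
  const char *tz = "";
  size_t fracl = 0;
  if(!fracp)
    return -1;
  if(fracp < end && (*fracp == '.' || *fracp == ',')) {
    tzp = ++fracp;
    while(tzp < end && isdigit((unsigned char)*tzp))
      tzp++;
    fracl = (size_t)(tzp - fracp);
    if(fracl == 0 || fracl > INT_MAX)
      return -1;                    /* "." with no digits is malformed */
  }
  if(tzp < end && *tzp == 'Z')
    tz = " GMT";
  else if(tzp < end)
    return -1;                      /* anything but 'Z' after the time */
  return fmt_time(beg, fracl, fracp, tz, out, outsz);
}

/* Render field from a heap copy followed by a constructed "SECRET" marker
 * standing in for neighbouring heap data (its NUL keeps the demo's over-read
 * inside the allocation). Returns a static string, or NULL on rejection. */
const char *render(int hardened, const char *field)
{
  static char out[64];
  static const char neighbour[] = "SECRET";
  size_t flen = strlen(field);
  char *heap = malloc(flen + sizeof neighbour);
  int n;
  if(!heap)
    return NULL;
  memcpy(heap, field, flen);
  memcpy(heap + flen, neighbour, sizeof neighbour);
  n = hardened ? gtime2str_hardened(heap, heap + flen, out, sizeof out)
               : gtime2str_vulnerable(heap, heap + flen, out, sizeof out);
  free(heap);
  return n > 0 ? out : NULL;
}

int main(void)
{
  const char *s = render(0, "20240731043611.");
  printf("vulnerable: %s\n", s ? s : "rejected");  /* ...04:36:11.SECRET */
  printf("hardened:   %s\n", render(1, "20240731043611.") ? "accepted" : "rejected");
  return 0;
}
```

Run as written, the vulnerable variant renders the constructed field `20240731043611.` as `2024-07-31 04:36:11.SECRET`: everything after the dot came from beyond the field, which is the CURLINFO_CERTINFO leak the description mentions (in a real process the read continues to whatever NUL the neighbouring allocation happens to hold, or faults first, which is the crash case). The hardened variant rejects the same field and renders `20240731043611.5Z` as `2024-07-31 04:36:11.5 GMT`. Note that the constructed off-by-one also silently drops the last digit of a well-formed fraction; the wrap to (size_t)-1 only happens when nothing follows the separator, which is why input validation before the length calculation, not a fix-up after it, is the right repair.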

Comment 1 errata-xmlrpc 2024-10-07 09:24:51 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.6 for RHEL 8
  Red Hat OpenShift Service Mesh 2.6 for RHEL 9

Via RHSA-2024:7726 https://access.redhat.com/errata/RHSA-2024:7726

Comment 4 errata-xmlrpc 2025-02-19 10:27:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:1671 https://access.redhat.com/errata/RHSA-2025:1671

Comment 5 errata-xmlrpc 2025-02-19 11:04:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:1673 https://access.redhat.com/errata/RHSA-2025:1673

Comment 7 antal.nemes 2025-03-27 14:01:25 UTC
For Red Hat Enterprise Linux 8, RHSA-2025:1673 shows only mysql-related packages as updated, but CVE-2024-7264 is a vulnerability in libcurl, so I would expect libcurl and curl to be among the updated packages in this RHSA.

I checked the latest sources in RHEL8 and I do not see libcurl being updated with the upstream patch. Will there be an update for libcurl published for CVE-2024-7264 that includes this fix?

Comment 13 antal.nemes 2026-01-28 09:24:56 UTC
https://access.redhat.com/security/cve/cve-2024-7264 states:

> Red Hat build of curl uses OpenSSL, which is not included in the affected list of GnuTLS, Schannel, Secure Transport and mbedTLS. Inspect which TLS backend is in use by running:

Can this CVE be marked as "not affected" for Red Hat Enterprise Linux 8 and 9?
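One way to act on the backend note quoted in the comment above, as an added C example that is neither curl's nor Red Hat's code: it scans the first line of `curl --version` for the TLS backend names the quoted text lists as affected (GnuTLS, Schannel, Secure Transport, mbedTLS) and reports the first match. The `affected_backend` function, the two sample lines, and the assumption that backends appear on that line as tokens such as `OpenSSL/3.0.7`, `GnuTLS/3.8.3`, `mbedTLS/3.6.0`, `Schannel` or `SecureTransport` are all assumptions made for this example, not something this page states.

```c
/* Added example, not curl's or Red Hat's code: scan the first line of
 * `curl --version` for the TLS backends the advisory lists as affected.
 * Assumes (not confirmed by this page) that backends appear on that line as
 * tokens like "OpenSSL/3.0.7", "GnuTLS/3.8.3", "mbedTLS/3.6.0", "Schannel"
 * or "SecureTransport". */
#include <stdio.h>
#include <string.h>

/* Backends named as affected in the comment above; OpenSSL is not one. */
static const char *const affected[] = {
  "GnuTLS", "Schannel", "SecureTransport", "mbedTLS"
};

/* Return the first affected backend name found in line, or NULL if none.
 * A multi-backend build lists several names; any affected one is reported,
 * which is the conservative reading. */
const char *affected_backend(const char *line)
{
  size_t i;
  for(i = 0; i < sizeof affected / sizeof affected[0]; i++)
    if(strstr(line, affected[i]))
      return affected[i];
  return NULL;
}

/* Constructed sample lines in the shape of `curl --version` output, not
 * copied from any real system. */
static const char *const sample_openssl =
  "curl 7.61.1 (x86_64-redhat-linux-gnu) libcurl/7.61.1 OpenSSL/1.1.1k zlib/1.2.11";
static const char *const sample_gnutls =
  "curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 GnuTLS/3.8.3 zlib/1.3";

/* 1 if the OpenSSL sample is classified as not affected and the GnuTLS
 * sample as affected, 0 otherwise. */
int samples_classify_as_expected(void)
{
  const char *hit = affected_backend(sample_gnutls);
  return affected_backend(sample_openssl) == NULL
      && hit != NULL && strcmp(hit, "GnuTLS") == 0;
}

/* Usage: curl --version | head -n1 | ./check_backend
 * Exit status 2 means an affected backend name was found on the line. */
int main(void)
{
  char line[512];
  const char *hit;
  if(!fgets(line, sizeof line, stdin))
    return 1;
  hit = affected_backend(line);
  printf("%s\n", hit ? hit : "no affected backend named on this line");
  return hit ? 2 : 0;
}
```

The check is deliberately string-based so it can be run on any host with curl in `PATH`; it does not link against libcurl. On a multi-backend build every listed backend is scanned, and a hit means the affected code path is compiled in, not necessarily that it is the default backend for a given transfer.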