Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1362199 - (CVE-2016-5421) CVE-2016-5421 curl: Use of connection struct after free
CVE-2016-5421 curl: Use of connection struct after free
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20160803,repor...
: Security
Depends On: 1363644 1363642 1363643
Blocks: 1362200
  Show dependency treegraph
 
Reported: 2016-08-01 09:51 EDT by Adam Mariš
Modified: 2018-01-10 07:04 EST (History)
33 users (show)

See Also:
Fixed In Version: curl 7.50.1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-04 04:13:26 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Adam Mariš 2016-08-01 09:51:21 EDT 
A use-after-free vulnerability in libcurl was found. libcurl works with easy handles using the type 'CURL *' that are objects the application creates using curl_easy_init(). They are the handles that are all each associated with a single transfer at a time. libcurl also has an internal struct that represents and holds most state that is related to a single connection. An easy handle can hold references to one or many such connection structs depending on the requested operations.

When using libcurl's multi interface, an application performs transfers by adding one or more easy handles to the multi handle and then it can drive all those transfers in parallel.

Due to a flaw, libcurl could leave a pointer to a freed connection struct dangling in an easy handle that was previously added to a multi handle when curl_multi_cleanup() is called with an easy handle still added to it. This does not seem to cause any notable harm if the handle is then closed properly.

However, if the easy handle would instead get used again with the easy interface and curl_easy_perform() to do another transfer, it would blindly use the connection struct pointer now pointing to freed memory.

An application could be made to allocate its own fake version of the connect struct, fill in some data and then have the curl_easy_perform() call do something that clearly was not intended by the original code.

External Reference:

https://curl.haxx.se/docs/adv_20160803C.html
Comment 1 Adam Mariš 2016-08-03 05:25:16 EDT 
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1363642]
Comment 2 Adam Mariš 2016-08-03 05:25:26 EDT 
Created mingw-curl tracking bugs for this issue:

Affects: fedora-all [bug 1363643]
Affects: epel-7 [bug 1363644]
Comment 3 Fedora Update System 2016-08-05 16:52:19 EDT 
curl-7.47.1-6.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2016-08-16 18:20:54 EDT 
curl-7.43.0-8.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.