When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.
This flaw has existed in curl since commit [b5fdbe848bc3d](https://github.com/curl/curl/commit/b5fdbe848bc3d) in curl 7.27.0, released on July 27, 2012.
Created curl tracking bugs for this issue: Affects: fedora-all [bug 1984326]
Upstream advisory: https://curl.se/docs/CVE-2021-22923.html
By the way, on Fedora 34 with curl-7.76.1-4.fc34.x86_64, running curl --metalink 'https://mirrors.fedoraproject.org/metalink?repo=fedora-34&arch=x86_64' segfault: $ curl --metalink 'https://mirrors.fedoraproject.org/metalink?repo=fedora-34&arch=x86_64' Metalink: parsing (https://mirrors.fedoraproject.org/metalink?repo=fedora-34&arch=x86_64) metalink/XML... Metalink: parsing (https://mirrors.fedoraproject.org/metalink?repo=fedora-34&arch=x86_64) OK Metalink: fetching (repomd.xml) from (http://mirror.karneval.cz/pub/linux/fedora/linux/releases/34/Everything/x86_64/os/repodata/repomd.xml)... [1/99]: http://mirror.karneval.cz/pub/linux/fedora/linux/releases/34/Everything/x86_64/os/repodata/repomd.xml --> repomd.xml --_curl_--http://mirror.karneval.cz/pub/linux/fedora/linux/releases/34/Everything/x86_64/os/repodata/repomd.xml Metalink: fetching (repomd.xml) from (http://mirror.karneval.cz/pub/linux/fedora/linux/releases/34/Everything/x86_64/os/repodata/repomd.xml) OK Metalink: validating (repomd.xml)... Metalink: validating (repomd.xml) [sha-256] OK Metalink: fetching (repomd.xml) from (http://mirror.karneval.cz/pub/linux/fedora/linux/releases/34/Everything/x86_64/os/repodata/repomd.xml)... [2/99]: http://mirror.karneval.cz/pub/linux/fedora/linux/releases/34/Everything/x86_64/os/repodata/repomd.xml --> repomd.xml --_curl_--http://mirror.karneval.cz/pub/linux/fedora/linux/releases/34/Everything/x86_64/os/repodata/repomd.xml Metalink: fetching ((nil)) from (http://mirror.karneval.cz/pub/linux/fedora/linux/releases/34/Everything/x86_64/os/repodata/repomd.xml) OK Metalink: validating (repomd.xml)... Segmentation fault (core dumped) Does the metalink feature work at all?
(In reply to Jan Pazdziora from comment #15) > Does the metalink feature work at all? Apparently not much on Fedora but the same command runs cleanly under valgrind on RHEL-8.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3582 https://access.redhat.com/errata/RHSA-2021:3582
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-22923
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:3903 https://access.redhat.com/errata/RHSA-2021:3903