Bug 2005874 - Limit protocols supported by (lib)curl-minimal for security hardening
Summary: Limit protocols supported by (lib)curl-minimal for security hardening
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: curl
Version: 9.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Kamil Dudka
QA Contact: Daniel Rusek
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-09-20 11:43 UTC by Jan Pazdziora
Modified: 2023-01-07 13:50 UTC

Fixed In Version: curl-7.76.1-14.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-05-17 15:47:48 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links:
  Red Hat Issue Tracker RHELPLAN-97624 (last updated 2021-09-20 11:44:36 UTC)
  Red Hat Product Errata RHBA-2022:3909 (last updated 2022-05-17 15:48:08 UTC)

Description Jan Pazdziora 2021-09-20 11:43:40 UTC
Description of problem:

The libcurl-minimal and curl-minimal subpackages were initially proposed in Fedora via https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/MRSR5MB77LMUVX5HBMMD3AS4TTUEJ4XQ/ as a way to limit package dependency set. 

Limited protocol support has another potential benefit -- limited vulnerability exposure in case there is a CVE in curl in some of the rarer protocols. Looking at the list https://curl.se/docs/security.html, curl is not short of vulnerabilities, so having a means of minimizing compiled-in protocol set seems beneficial for example for security certifications and hardened production deployments.

Looking at curl-minimal-7.76.1-11.el9.x86_64 output of

# curl --version
curl 7.76.1 (x86_64-redhat-linux-gnu) libcurl/7.76.1 OpenSSL/3.0.0 zlib/1.2.11 nghttp2/1.43.0
Release-Date: 2021-04-14
Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 
Features: alt-svc AsynchDNS GSS-API HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz NTLM NTLM_WB SPNEGO SSL TLS-SRP UnixSockets

there are protocols like gopher* that likely don't have a wide user base, telnet which is great for debugging but likely not for production, tftp which again is useful for debugging but in production will likely be run from firmware or some other way, and some others that could be removed. Note that users can still use the non-minimal variants of the package to get the protocols they desire.

For comparison, the "full" curl reports

# curl --version
curl 7.76.1 (x86_64-redhat-linux-gnu) libcurl/7.76.1 OpenSSL/3.0.0 zlib/1.2.11 brotli/1.0.9 libidn2/2.3.0 libpsl/0.21.1 (+libidn2/2.3.0) libssh/0.9.5/openssl/zlib nghttp2/1.43.0
Release-Date: 2021-04-14
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp 
Features: alt-svc AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets

so protocol-wise, ldap*, scp, and sftp are what is currently removed from curl-minimal.

In the order of (subjective) priority, the following protocols could be further removed from curl-minimal:

gopher and gophers
telnet
dict
rtsp
tftp
mqtt
ldap ldaps
imap imaps pop3 pop3s smtp smtps  (in case email handling is not deemed critical)
ftp ftps smb smbs                 (which leaves just the "web" protocols of file and http*)

Version-Release number of selected component (if applicable):

curl-minimal-7.76.1-11.el9.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. Install (or swap) curl-minimal and libcurl-minimal
2. Run curl --version

Actual results:

# curl --version
curl 7.76.1 (x86_64-redhat-linux-gnu) libcurl/7.76.1 OpenSSL/3.0.0 zlib/1.2.11 nghttp2/1.43.0
Release-Date: 2021-04-14
Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 
Features: alt-svc AsynchDNS GSS-API HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz NTLM NTLM_WB SPNEGO SSL TLS-SRP UnixSockets

Expected results:

In the order of preference, gopher*, telnet, dict, rtsp, tftp, mqtt, ldap*, and others are not present.

Additional info:

Comment 1 Jan Pazdziora 2021-09-20 11:46:19 UTC
As for Features, GSS-API, SPNEGO, Kerberos, HTTP2, IDN, IPv6, Largefile, and SSL (in case that means TLS and not SSL) should likely stay.

Comment 2 Kamil Dudka 2021-09-20 13:50:07 UTC
The proposal makes sense to me.  I am not sure about FTP though.  The protocol still seems to be used.  Approximately 30% of users of upstream curl claim to use FTP, according to the following survey (see page 9):

    https://daniel.haxx.se/media/curl-user-poll-2020-analysis.pdf

We can try removing it from curl-minimal anyway.  However, if more people upgrade to libcurl-full because of FTP, it will make this change less effective.

Comment 3 Kamil Dudka 2021-09-20 15:48:08 UTC
I have prepared a Fedora pull request (so far with FTP kept):

    https://src.fedoraproject.org/rpms/curl/pull-request/10

... and Fedora COPR based on the above pull request:

    https://copr.fedorainfracloud.org/coprs/kdudka/curl-minimal/

Some feedback would be appreciated.

Comment 4 Jan Pazdziora 2021-09-29 11:48:37 UTC
I gave it a try on Fedora 34 after doing

( cd /etc/yum.repos.d && curl -O https://copr.fedorainfracloud.org/coprs/kdudka/curl-minimal/repo/fedora-34/kdudka-curl-minimal-fedora-34.repo )
dnf install -y --setopt=install_weak_deps=False --allowerasing libcurl-minimal.$( rpm --eval '%{_arch}' ) curl-minimal.$( rpm --eval '%{_arch}' )

which gave me

libcurl-minimal-7.79.0-5.fc34.x86_64
curl-minimal-7.79.0-5.fc34.x86_64

and it works as expected.

The protocols reported are

# curl --version
curl 7.79.0 (x86_64-redhat-linux-gnu) libcurl/7.79.0 OpenSSL/1.1.1l-fips zlib/1.2.11 nghttp2/1.43.0
Release-Date: 2021-09-15
Protocols: file ftp ftps http https 
Features: alt-svc AsynchDNS GSS-API HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz SPNEGO SSL UnixSockets
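
As an added example (not code from the bug report or the curl package), a small POSIX shell check that parses the "Protocols:" line of `curl --version`, as shown in the description and in comment 4 above, and flags anything outside an allow-list. The allow-list of file/http/https is an assumption chosen to match the fully trimmed set the report proposes; the two embedded sample outputs are copied from this report.

```shell
#!/bin/sh
# Added example, not from the bug report: audit the protocol list printed by
# `curl --version` against an allow-list, as a hardened deployment would.
# Allow-list for this example (an assumption, not a Red Hat policy): the
# "web" protocols the report says would remain after the full trim.
ALLOWED_PROTOCOLS="file http https"

# Sample `curl --version` outputs copied from the report: curl-minimal after
# the Fedora COPR change (comment 4) and the "full" curl (description).
MINIMAL_VERSION_OUTPUT='curl 7.79.0 (x86_64-redhat-linux-gnu) libcurl/7.79.0 OpenSSL/1.1.1l-fips zlib/1.2.11 nghttp2/1.43.0
Release-Date: 2021-09-15
Protocols: file ftp ftps http https 
Features: alt-svc AsynchDNS GSS-API HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz SPNEGO SSL UnixSockets'
FULL_VERSION_OUTPUT='curl 7.76.1 (x86_64-redhat-linux-gnu) libcurl/7.76.1 OpenSSL/3.0.0 zlib/1.2.11 brotli/1.0.9 libidn2/2.3.0 libpsl/0.21.1 (+libidn2/2.3.0) libssh/0.9.5/openssl/zlib nghttp2/1.43.0
Release-Date: 2021-04-14
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp 
Features: alt-svc AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets'

# Print the space-separated protocol names from `curl --version` text ($1),
# normalised to single spaces with no trailing blank.
curl_protocols() {
    printf '%s\n' "$1" | awk '/^Protocols:/ { $1 = ""; sub(/^ +/, ""); print }'
}

# Print the protocols in `curl --version` text ($1) that are missing from the
# allow-list ($2, space-separated). Returns 0 if there are none, 1 otherwise.
unexpected_protocols() {
    extra=""
    for proto in $(curl_protocols "$1"); do
        case " $2 " in
            *" $proto "*) ;;                               # allow-listed
            *) extra="${extra:+$extra }$proto" ;;
        esac
    done
    if [ -n "$extra" ]; then
        printf '%s\n' "$extra"
        return 1
    fi
    return 0
}

# Demo over the embedded samples; pass "$(curl --version)" instead to audit
# the build actually installed on the host.
for sample in "$MINIMAL_VERSION_OUTPUT" "$FULL_VERSION_OUTPUT"; do
    if extra=$(unexpected_protocols "$sample" "$ALLOWED_PROTOCOLS"); then
        echo "OK: only allow-listed protocols are compiled in"
    else
        echo "WARNING: protocols outside the allow-list: $extra"
    fi
done
```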

Comment 7 James Cassell 2021-10-19 01:54:44 UTC
Probably worth keeping hsts since it's a security feature.

Comment 8 Kamil Dudka 2021-10-19 08:32:27 UTC
I have no strong opinion about HSTS.  Most users will not use it because the feature needs to be explicitly enabled at run-time.  PSL is also a security feature and we do not want it in libcurl-minimal, although PSL implies a big chain of run-time dependencies, unlike HSTS.

Jan, what do you think about HSTS?  Should we put it back to libcurl-minimal in Fedora?

I am not sure about RHEL though.  The feature was considered experimental by curl upstream not so long ago:

    https://github.com/curl/curl/pull/6700

Comment 9 Kamil Dudka 2021-10-19 08:45:19 UTC
Anyway, thank you for pointing it out!  Now I see that the fix for this bug enabled HSTS in libcurl-full in RHEL-9 as a side effect (unlike in Fedora, where it had already been enabled).

Comment 10 Jan Pazdziora 2021-10-19 10:02:42 UTC
I'm confused -- I don't see HSTS listed on the --version output of the full curl either. Is that currently not present in either, or present in the non-minimal curl, just not advertised?

Where does curl store the information that the server returned Strict-Transport-Security before? Is it persisted somewhere, or just kept in runtime memory?

Comment 11 Kamil Dudka 2021-10-19 10:58:24 UTC
(In reply to Jan Pazdziora from comment #10)
> I'm confused -- I don't see HSTS listed on the --version output of the full
> curl either. Is that currently not present in either, or present in the
> non-minimal curl, just not advertized?

Which build of curl did you try it with?

curl-7.76.1-12.el9 has HSTS disabled for both the variants.

curl-7.76.1-13.el9 has HSTS enabled in libcurl-full only (more or less unintentionally, see comment #9).

> Where does curl store the information that the server returned
> Strict-Transport-Security before? Is it persisted somewhere, or just kept in
> runtime memory?

I have not tried HSTS myself but libcurl seems to support both the variants.  CURLOPT_HSTS or `curl --hsts ...` specifies a file to read/write the HSTS cache from/to.  CURLOPT_HSTS_CTRL can enable in-memory HSTS cache.  CURLOPT_HSTS{READ,WRITE}FUNCTION can be used to set custom callbacks to read/write the cache.

The current curl/HSTS documentation [1] says:

    Added as experimental in curl 7.74.0. Supported "for real" since 7.77.0.

We have curl-7.76.1 in RHEL-9.

[1] https://curl.se/docs/hsts.html

Comment 12 Jan Pazdziora 2021-10-19 11:41:59 UTC
Ah, I have curl-7.76.1-12.el9.s390x here, so one release older.

I think it's really up to you to decide if you want to support the experimental feature in RHEL 9, and be potentially on the hook for fixing it if needed.

Comment 14 Kamil Dudka 2021-10-19 11:52:17 UTC
I am a bit scared now.  Let's disable HSTS completely in RHEL-9 for now and re-enable it in libcurl-minimal in Fedora only.  Thank you both for feedback!

Comment 15 Kamil Dudka 2021-10-26 15:33:47 UTC
I have re-enabled HSTS in curl-7.79.1-3.fc36 in Fedora:

    https://src.fedoraproject.org/rpms/curl/c/94a3e807

I double-checked the changes in libcurl-full between curl-7.76.1-1{2,3}.el9 and HSTS was the only difference, which is going to be reverted in a subsequent build.

Comment 16 Kamil Dudka 2021-10-26 15:40:58 UTC
(In reply to Kamil Dudka from comment #15)
> I double-checked the changes in libcurl-full between curl-7.76.1-1{2,3}.el9
> and HSTS was the only difference, which is going to be reverted in a
> subsequent build.

CentOS Stream merge request: https://gitlab.com/redhat/centos-stream/rpms/curl/-/merge_requests/13

Comment 21 errata-xmlrpc 2022-05-17 15:47:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: curl), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3909

