Bug 2167815 (CVE-2023-23916) - CVE-2023-23916 curl: HTTP multi-header compression denial of service
Summary: CVE-2023-23916 curl: HTTP multi-header compression denial of service
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2023-23916
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2168945 2168946 2168947 2168948 2168949 2170751 2170752 2183171 2186165 2214846
Blocks: 2167792
TreeView+ depends on / blocked
 
Reported: 2023-02-07 15:56 UTC by Marian Rehak
Modified: 2023-07-18 08:28 UTC (History)
18 users (show)

Fixed In Version: curl 7.88.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Curl package. A malicious server can insert an unlimited number of compression steps. This decompression chain could result in out-of-memory errors.
Clone Of:
Environment:
Last Closed: 2023-06-06 14:27:23 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2023:1825 0 None None None 2023-04-18 16:52:58 UTC
Red Hat Product Errata RHSA-2023:1140 0 None None None 2023-03-07 13:48:21 UTC
Red Hat Product Errata RHSA-2023:1701 0 None None None 2023-04-11 14:25:52 UTC
Red Hat Product Errata RHSA-2023:1842 0 None None None 2023-04-18 16:34:39 UTC
Red Hat Product Errata RHSA-2023:3354 0 None None None 2023-06-05 11:51:08 UTC
Red Hat Product Errata RHSA-2023:3355 0 None None None 2023-06-05 11:47:20 UTC
Red Hat Product Errata RHSA-2023:3460 0 None None None 2023-06-06 08:30:49 UTC
Red Hat Product Errata RHSA-2023:4139 0 None None None 2023-07-18 08:28:54 UTC

Description Marian Rehak 2023-02-07 15:56:09 UTC 
curl supports "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was capped, but the cap was implemented on a per-header basis allowing a malicious server to insert a virtually unlimited number of compression steps simply by using many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.
Comment 3 TEJ RATHI 2023-02-17 07:52:23 UTC 
This CVE is public now.
https://curl.se/docs/CVE-2023-23916.html
Comment 4 TEJ RATHI 2023-02-17 07:53:02 UTC 
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 2170751]


Created mingw-curl tracking bugs for this issue:

Affects: fedora-all [bug 2170752]
Comment 5 errata-xmlrpc 2023-03-07 13:48:18 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1140 https://access.redhat.com/errata/RHSA-2023:1140
Comment 11 errata-xmlrpc 2023-04-11 14:25:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:1701 https://access.redhat.com/errata/RHSA-2023:1701
Comment 13 errata-xmlrpc 2023-04-18 16:34:37 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:1842 https://access.redhat.com/errata/RHSA-2023:1842
Comment 14 errata-xmlrpc 2023-06-05 11:47:18 UTC 
This issue has been addressed in the following products:

  JBCS httpd 2.4.51.sp2

Via RHSA-2023:3355 https://access.redhat.com/errata/RHSA-2023:3355
Comment 15 errata-xmlrpc 2023-06-05 11:51:05 UTC 
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2023:3354 https://access.redhat.com/errata/RHSA-2023:3354
Comment 16 errata-xmlrpc 2023-06-06 08:30:47 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:3460 https://access.redhat.com/errata/RHSA-2023:3460
Comment 17 Product Security DevOps Team 2023-06-06 14:27:20 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-23916
Comment 19 errata-xmlrpc 2023-07-18 08:28:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:4139 https://access.redhat.com/errata/RHSA-2023:4139
Note You need to log in before you can comment on or make changes to this bug.