Bug 2196783 (CVE-2023-28320) - CVE-2023-28320 curl: siglongjmp race condition may lead to crash
Summary: CVE-2023-28320 curl: siglongjmp race condition may lead to crash
Keywords:
Status: NEW
Alias: CVE-2023-28320
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: low low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2227747 2227748 2227749 2207897
Blocks: 2196613
Reported: 2023-05-10 08:50 UTC by Marian Rehak
Modified: 2023-08-16 08:01 UTC (History)
CC: 21 users

Fixed In Version: curl 8.1.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-05-17 14:31:45 UTC
Embargoed:



Description Marian Rehak 2023-05-10 08:50:35 UTC
libcurl provides several different backends for resolving host names, selected at build time. If it is built to use the synchronous resolver, it allows name resolves to time-out slow operations using `alarm()` and `siglongjmp()`. When doing this, libcurl used a global buffer that was not mutex protected and a multi-threaded application might therefore crash or otherwise misbehave.
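Added example, not curl's code and not part of this bug report: a minimal C model of the timeout mechanism the description refers to, alarm() plus sigsetjmp()/siglongjmp(), written so that the jump buffer lives in thread-local storage instead of one process-wide global. The names resolve_with_timeout, fast_lookup and slow_lookup are constructed stand-ins for a name-resolve call; the commented-out shared_jmpenv shows the shape the advisory describes as unsafe.

```c
/* Added example: alarm()-driven timeout around a blocking call, using
 * sigsetjmp()/siglongjmp(). Constructed for illustration; not curl's code. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Unsafe shape (for contrast only, unused): a single buffer shared by the
 * whole process. A second thread entering the timed section overwrites the
 * saved context of a thread already inside it, so a later siglongjmp() can
 * land in a stack frame that belongs to a different thread. */
/* static sigjmp_buf shared_jmpenv; */

/* Safer shape: every thread owns its jump buffer (C11 _Thread_local). */
static _Thread_local sigjmp_buf resolve_jmpenv;

static void on_alarm(int signo)
{
    (void)signo;
    /* Unwind back into resolve_with_timeout(); sigsetjmp(..., 1) saved the
     * signal mask, so SIGALRM is unblocked again after the jump. */
    siglongjmp(resolve_jmpenv, 1);
}

/* Runs work() with a wall-clock limit of `seconds`.
 * Returns work()'s result, or -1 if the alarm fired first. */
int resolve_with_timeout(unsigned seconds, int (*work)(void))
{
    struct sigaction sa, old_sa;
    int result;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_alarm;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGALRM, &sa, &old_sa);

    if (sigsetjmp(resolve_jmpenv, 1) == 0) {
        alarm(seconds);          /* arm the timer */
        result = work();         /* the blocking operation */
        alarm(0);                /* finished in time: disarm */
    } else {
        result = -1;             /* arrived here via siglongjmp() */
    }
    alarm(0);
    sigaction(SIGALRM, &old_sa, NULL);  /* restore the previous handler */
    return result;
}

/* Constructed stand-ins: a lookup that answers at once and one that stalls. */
int fast_lookup(void) { return 42; }
int slow_lookup(void) { sleep(5); return 42; }

int main(void)
{
    printf("fast lookup, 3 s limit: %d\n", resolve_with_timeout(3, fast_lookup));
    printf("slow lookup, 1 s limit: %d\n", resolve_with_timeout(1, slow_lookup));
    return 0;
}
```

Per-thread buffers remove the shared-state problem the advisory names, but alarm() still delivers SIGALRM to an arbitrary thread that does not block it, so this pattern stays unsuitable for multi-threaded programs; that is why the practical mitigation is a build that does not use the synchronous resolver at all, which is what comment 5 describes for the Fedora and RHEL packages. Whether a given build has it shows up as the AsynchDNS entry in the Features line of `curl -V`, and a libcurl program can test `curl_version_info(CURLVERSION_NOW)->features & CURL_VERSION_ASYNCHDNS`; applications that must keep signal-free behaviour also set CURLOPT_NOSIGNAL.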

Comment 1 Marian Rehak 2023-05-17 08:57:13 UTC
Created curl tracking bugs for this issue:

Affects: fedora-38 [bug 2207897]

Comment 2 Product Security DevOps Team 2023-05-17 14:31:43 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-28320

Comment 3 Jan Pazdziora 2023-07-25 16:15:51 UTC
Hello,

while doing a review of the Vulnerability Assessment report of RHEL 8.6 for the purpose of Common Criteria certification, we came across this CVE. The CVE page https://access.redhat.com/security/cve/CVE-2023-28320 has the statement

  This vulnerability does not affect versions of the curl package as shipped with Red Hat Enterprise Linux 6,7,8 and 9.

What is the specific reason why RHEL 8 is not affected?

Thank you, Jan

Comment 5 Kamil Dudka 2023-08-10 08:26:10 UTC
The packaging of curl in Fedora (and consequently in RHEL-7) was switched to the threaded DNS resolver 13 years ago: https://src.fedoraproject.org/rpms/curl/c/438cbdbe

Thanks to this change, our curl packages are not affected by CVE-2023-28320.

Comment 6 Jan Pazdziora 2023-08-10 08:43:13 UTC
Great, thanks for the confirmation, Kamil.

Comment 7 Marian Rehak 2023-08-16 06:30:53 UTC
Any question for me? I was tagged in comment #6.

Comment 8 Jan Macku 2023-08-16 06:59:51 UTC
Marian, the tracker bugs for this CVE could be closed since RHEL is not affected.

see: https://bugzilla.redhat.com/show_bug.cgi?id=2196783#c5

Comment 9 Jan Pazdziora 2023-08-16 08:01:43 UTC
We now have the information on the CVE page https://access.redhat.com/security/cve/CVE-2023-28320 reverted from the original "This vulnerability does not affect versions of the curl package as shipped with Red Hat Enterprise Linux 6,7,8 and 9." to RHEL 7 to 9 being listed as Affected ... but based on Kamil's feedback, that should not be the case.

Can you please update the information on the CVE page, incorporating Kamil's justification?

I don't really care about the internal trackers much, but those should likely be NOTABUGed as well.

