2252034 – (CVE-2023-46219) CVE-2023-46219 curl: excessively long file name may lead to unknown HSTS status

Bug 2252034 (CVE-2023-46219) - CVE-2023-46219 curl: excessively long file name may lead to unknown HSTS status

Summary: CVE-2023-46219 curl: excessively long file name may lead to unknown HSTS status

Keywords:
Status:	NEW
Alias:	CVE-2023-46219
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2254386 2253143
Blocks:	2252024
TreeView+	depends on / blocked

Reported:	2023-11-29 06:18 UTC by Marian Rehak
Modified:	2024-03-18 16:34 UTC (History)
CC List:	18 users (show)
Fixed In Version:	curl 8.5.0
Doc Type:	If docs needed, set a value
Doc Text:	A security bypass flaw was found in Curl, which can be triggered by saving HSTS data to an excessively long file name. This issue occurs due to an error in handling HSTS long file names, leading to the removal of all contents from the file during the save process, and may allow a remote attacker to send a specially crafted request to use files without awareness of the HSTS status and enable a Man-in-the-Middle (MitM) attack.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2024:1316	0	None	None	None	2024-03-18 16:34:04 UTC
Red Hat Product Errata	RHSA-2024:1317	0	None	None	None	2024-03-18 16:22:26 UTC

Description Marian Rehak 2023-11-29 06:18:05 UTC

When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use. The reason for this bug is that save function appended a suffix to the file name, created a temporary file and then in the last step renamed that to the final name. When the file name length was close to the limit of what is allowed on the file system, adding the extension would make it too long and then trigger this bug.

Comment 1 Pedro Sampaio 2023-12-06 09:40:10 UTC

This is public now:

https://seclists.org/oss-sec/2023/q4/262
https://daniel.haxx.se/blog/2023/12/06/curl-8-5-0/

Comment 2 Pedro Sampaio 2023-12-06 09:40:28 UTC

Created curl tracking bugs for this issue:

Affects: fedora-all [bug 2253143]

Comment 5 errata-xmlrpc 2024-03-18 16:22:24 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2024:1317 https://access.redhat.com/errata/RHSA-2024:1317

Comment 6 errata-xmlrpc 2024-03-18 16:34:03 UTC

This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2024:1316 https://access.redhat.com/errata/RHSA-2024:1316

Note You need to log in before you can comment on or make changes to this bug.