Bug 1362199 (CVE-2016-5421) - CVE-2016-5421 curl: Use of connection struct after free
Summary: CVE-2016-5421 curl: Use of connection struct after free
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-5421
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1363642 1363643 1363644
Blocks: 1362200
Reported: 2016-08-01 13:51 UTC by Adam Mariš
Modified: 2021-02-17 03:29 UTC (History)

Fixed In Version: curl 7.50.1
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in libcurl. When invoking curl_easy_perform() after cleaning up a multi session, an application can be tricked into using libcurl to connect to a malicious server, allowing an attacker to potentially execute arbitrary code. The highest threat from this vulnerability is to data confidentiality and integrity.
Clone Of:
Environment:
Last Closed: 2016-11-04 08:13:26 UTC
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:3558 0 None None None 2018-11-13 08:32:15 UTC

Description Adam Mariš 2016-08-01 13:51:21 UTC
A use-after-free vulnerability in libcurl was found. libcurl works with easy handles using the type 'CURL *', which are objects the application creates using curl_easy_init(). Each such handle is associated with a single transfer at a time. libcurl also has an internal struct that represents and holds most state that is related to a single connection. An easy handle can hold references to one or many such connection structs depending on the requested operations.

When using libcurl's multi interface, an application performs transfers by adding one or more easy handles to the multi handle and then it can drive all those transfers in parallel.

Due to a flaw, libcurl could leave a pointer to a freed connection struct dangling in an easy handle that was previously added to a multi handle when curl_multi_cleanup() is called with an easy handle still added to it. This does not seem to cause any notable harm if the handle is then closed properly.

However, if the easy handle would instead get used again with the easy interface and curl_easy_perform() to do another transfer, it would blindly use the connection struct pointer now pointing to freed memory.

An application could be made to allocate its own fake version of the connection struct, fill in some data and then have the curl_easy_perform() call do something that clearly was not intended by the original code.

External Reference:

https://curl.haxx.se/docs/adv_20160803C.html

Comment 1 Adam Mariš 2016-08-03 09:25:16 UTC
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1363642]

Comment 2 Adam Mariš 2016-08-03 09:25:26 UTC
Created mingw-curl tracking bugs for this issue:

Affects: fedora-all [bug 1363643]
Affects: epel-7 [bug 1363644]

Comment 3 Fedora Update System 2016-08-05 20:52:19 UTC
curl-7.47.1-6.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2016-08-16 22:20:54 UTC
curl-7.43.0-8.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 errata-xmlrpc 2018-11-13 08:32:01 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2018:3558 https://access.redhat.com/errata/RHSA-2018:3558

Comment 7 Mauro Matteo Cascella 2020-05-08 10:24:15 UTC
Statement:

The versions of `curl` as shipped with Red Hat Enterprise Linux 5, 6, and 7 are marked as "notaffected" because they did not include the vulnerable code, which was introduced in a later version of the package. Specifically, the struct field affected by this flaw was introduced in `curl` upstream version 7.32.0. The version of `curl` as shipped with Red Hat Enterprise Linux 7 is 7.29.0.

Comment 8 Mauro Matteo Cascella 2020-05-08 10:37:51 UTC
Upstream fix:
https://github.com/curl/curl/commit/75dc096e01ef1e21b6c57690d99371dedb2c0b80

Comment 9 Mauro Matteo Cascella 2020-05-08 10:40:39 UTC
This flaw was introduced in upstream version 7.32.0 via the following commit:
https://github.com/curl/curl/commit/09b9fc9009bfe6b7b6fd5ba82e81b4ca76539d8d

In more detail, the affected field `easy_conn` was added to the SessionHandle struct in lib/urldata.h.
Only libcurl versions from 7.32.0 up to and including 7.50.0 are affected by this flaw.
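Added illustration (not curl's own code): a simplified C model of the lifecycle the description and comment 9 refer to, where an easy handle caches an `easy_conn` pointer into a connection cache that the multi cleanup frees. The struct layout, the `detach` flag and the constructed connection ids are assumptions of this model, not libcurl internals; the real fix is in the upstream commit linked in comment 8.

```c
#include <stdlib.h>
#define MAX_ENTRIES 4

struct connection { int id; };
struct easy_handle { struct connection *easy_conn; };  /* cached connection pointer */
struct multi_handle {
    struct connection *conns[MAX_ENTRIES];   /* connection cache owned by the multi */
    struct easy_handle *easies[MAX_ENTRIES]; /* easy handles currently added */
    int nconns, neasies;
};

/* Model of curl_multi_add_handle(): attach the easy handle and give it a connection. */
static int multi_add_handle(struct multi_handle *m, struct easy_handle *e) {
    if (m->neasies == MAX_ENTRIES || m->nconns == MAX_ENTRIES) return -1;
    struct connection *c = calloc(1, sizeof *c);
    if (!c) return -1;
    c->id = m->nconns + 1;                   /* constructed ids: 1, 2, ... */
    m->conns[m->nconns++] = c;
    m->easies[m->neasies++] = e;
    e->easy_conn = c;
    return 0;
}

/* Model of curl_multi_cleanup(): frees the connection cache. With detach == 0
 * it mirrors the flawed behaviour (easy_conn is left dangling); with detach != 0
 * the cached pointers of still-added easy handles are cleared first (assumed fix). */
static void multi_cleanup(struct multi_handle *m, int detach) {
    for (int i = 0; detach && i < m->neasies; i++)
        m->easies[i]->easy_conn = NULL;
    for (int i = 0; i < m->nconns; i++)
        free(m->conns[i]);
    m->nconns = m->neasies = 0;
}

/* Model of curl_easy_perform(): reuse the cached connection when present.
 * Returns the id of the connection used, or 0 when a fresh one was opened.
 * With a dangling easy_conn the dereference below is the use-after-free. */
static int easy_perform(struct easy_handle *e) {
    return e->easy_conn ? e->easy_conn->id : 0;
}

/* The sequence from the bug report: add, clean up the multi, then reuse the
 * easy handle. Returns the connection id the second transfer used; 0 means a
 * fresh connection was opened rather than the freed one being touched. */
static int reuse_after_multi_cleanup(int detach) {
    struct multi_handle m = { 0 };
    struct easy_handle e = { 0 };
    if (multi_add_handle(&m, &e) != 0) return -1;
    multi_cleanup(&m, detach);
    return easy_perform(&e);                 /* only memory-safe when detach != 0 */
}
```

Calling `reuse_after_multi_cleanup(0)` reproduces the dangling read under a memory checker; an application on an unfixed libcurl avoids the condition by calling curl_multi_remove_handle() before curl_multi_cleanup().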
