1772100 – (CVE-2019-5443) CVE-2019-5443 curl: Windows OpenSSL engine code injection

Bug 1772100 (CVE-2019-5443) - CVE-2019-5443 curl: Windows OpenSSL engine code injection

Summary: CVE-2019-5443 curl: Windows OpenSSL engine code injection

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2019-5443
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1710621
TreeView+	depends on / blocked

Reported:	2019-11-13 16:07 UTC by Pedro Sampaio
Modified:	2021-02-16 21:03 UTC (History)
CC List:	22 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2020-04-03 16:31:49 UTC
Embargoed:

Attachments	(Terms of Use)

Description Pedro Sampaio 2019-11-13 16:07:46 UTC

A flaw was found in all versions up to and including 7.65.1_1 of the official curl-for-windows binaries built and hosted by the curl project. A non-privileged user or program can put code and a config file in a known non-privileged path that will make curl automatically run the code on invocation.

Upstream patch:

https://github.com/curl/curl-for-win/commit/51b658a76594942cf1d6f227d8fc4732bb8ec277

References:

https://curl.haxx.se/docs/CVE-2019-5443.html

Comment 1 Pedro Sampaio 2019-11-13 16:07:51 UTC

Acknowledgments:

Name: the Curl project
Upstream: Rich Mirch

Comment 5 Product Security DevOps Team 2020-04-03 16:31:49 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-5443

Note You need to log in before you can comment on or make changes to this bug.

andrew.slice
bodavis
csutherl
dbhole
gzaronik
hhorak
jclere
john.j5live
jorton
kanderso
kdudka
lgao
luhliari
mbabacek
msekleta
mturk
myarboro
omajid
paul
rwagner
twalsh
weli