Bug 2196778 (CVE-2023-28319) - CVE-2023-28319 curl: use after free in SSH sha256 fingerprint check
Summary: CVE-2023-28319 curl: use after free in SSH sha256 fingerprint check
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2023-28319
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2207898 2207896
Blocks: 2196613
Reported: 2023-05-10 08:32 UTC by Marian Rehak
Modified: 2023-08-21 07:46 UTC (History)

Fixed In Version: curl 8.1.0
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the Curl package. This flaw risks inserting sensitive heap-based data into the error message that users might see, or that is otherwise leaked and revealed.
Clone Of:
Environment:
Last Closed: 2023-08-15 21:55:20 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:4628 0 None None None 2023-08-15 17:37:18 UTC
Red Hat Product Errata RHSA-2023:4629 0 None None None 2023-08-15 17:40:50 UTC

Description Marian Rehak 2023-05-10 08:32:47 UTC
libcurl offers a feature to verify an SSH server's public key using a SHA 256 hash. When this check fails, libcurl would free the memory for the fingerprint before it returns an error message containing the (now freed) hash. This flaw risks inserting sensitive heap-based data into the error message that might be shown to users or otherwise get leaked and revealed.
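The description above comes down to the order of two operations on the mismatch path: releasing the fingerprint buffer and formatting the error message that quotes it. The following C program is an added example, not curl's code, that shows the corrected ordering for such a check. It hex-encodes a constructed 32-byte fingerprint (not a real host key hash), compares it with a pinned value, and on mismatch formats the error message first and frees the buffer second. The names (verify_fingerprint, fp_to_hex, the SAMPLE_* constants) and the message text are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length of a SHA-256 digest in bytes. */
#define SHA256_DIGEST_LEN 32

/* Constructed sample data (not a real host key hash): the 32 bytes the
 * "server" presented, and the hex form an administrator pinned. */
static const unsigned char SAMPLE_REMOTE_FP[SHA256_DIGEST_LEN] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
    0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78,
    0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 };
static const char SAMPLE_PINNED_OK[] =
    "00112233445566778899aabbccddeeff0f1e2d3c4b5a69788796a5b4c3d2e1f0";
static const char SAMPLE_PINNED_BAD[] =
    "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff";

/* Hex-encode a digest into a freshly malloc'd string; the caller frees it. */
static char *fp_to_hex(const unsigned char *fp, size_t len)
{
    char *hex = malloc(len * 2 + 1);
    if (!hex)
        return NULL;
    for (size_t i = 0; i < len; i++)
        snprintf(hex + 2 * i, 3, "%02x", fp[i]);
    hex[len * 2] = '\0';
    return hex;
}

/* Compare the remote fingerprint with the pinned value.
 * Returns 0 on match, -1 on mismatch (errbuf filled), -2 on allocation failure.
 *
 * The order of operations on the mismatch path is the whole point: the error
 * message is formatted while the hex buffer is still alive, and the buffer is
 * released only afterwards. Reversing those two steps (free first, then
 * format) is the use-after-free pattern this bug describes: the format call
 * would copy released heap memory into the message shown to the user. */
int verify_fingerprint(const unsigned char *remote, size_t len,
                       const char *pinned_hex, char *errbuf, size_t errlen)
{
    char *hex = fp_to_hex(remote, len);
    if (!hex)
        return -2;
    if (strcmp(hex, pinned_hex) == 0) {
        free(hex);
        return 0;
    }
    /* 1. Use the buffer while it is still valid ... */
    snprintf(errbuf, errlen,
             "SSH host key rejected: sha256 fingerprint %s does not match pinned %s",
             hex, pinned_hex);
    /* 2. ... and only then release it. */
    free(hex);
    hex = NULL;
    return -1;
}

int main(void)
{
    char err[256] = "";
    int rc = verify_fingerprint(SAMPLE_REMOTE_FP, SHA256_DIGEST_LEN,
                                SAMPLE_PINNED_BAD, err, sizeof err);
    printf("rc=%d err=\"%s\"\n", rc, err);
    rc = verify_fingerprint(SAMPLE_REMOTE_FP, SHA256_DIGEST_LEN,
                            SAMPLE_PINNED_OK, err, sizeof err);
    printf("rc=%d\n", rc);
    return 0;
}
```

Setting the pointer to NULL after the free is cheap insurance: a later accidental use then fails loudly instead of quietly reading whatever the allocator has since placed in that memory. Compiling with AddressSanitizer (-fsanitize=address) during testing catches the reversed ordering the moment the mismatch path is exercised, which is how this class of defect is usually found before release.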

Comment 2 Marian Rehak 2023-05-17 08:57:13 UTC
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 2207896]


Created mingw-curl tracking bugs for this issue:

Affects: fedora-all [bug 2207898]

Comment 4 Jan Pazdziora 2023-07-25 16:22:28 UTC
Hello,

while doing a review of the Vulnerability Assessment report of RHEL 8.6 for the purpose of Common Criteria certification, we came across this CVE. The CVE page https://access.redhat.com/security/cve/CVE-2023-28319 has the statement

  This vulnerability does not affect the Curl package as shipped in Red Hat Enterprise Linux 6, 7, 8 and 9.

What is the specific reason why RHEL 8 is not affected?

Thank you, Jan

Comment 5 Kamil Dudka 2023-07-25 16:36:49 UTC
Not that I was asked but it is the same reason that is stated in bug #2207896 comment #2.

Comment 6 Jan Pazdziora 2023-07-25 16:59:56 UTC
Perfect, thanks Kamil.

Comment 7 errata-xmlrpc 2023-08-15 17:37:17 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2023:4628 https://access.redhat.com/errata/RHSA-2023:4628

Comment 8 errata-xmlrpc 2023-08-15 17:40:49 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2023:4629 https://access.redhat.com/errata/RHSA-2023:4629

Comment 9 Product Security DevOps Team 2023-08-15 21:55:18 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-28319
