Bug 2196793 (CVE-2023-28322) - CVE-2023-28322 curl: more POST-after-PUT confusion
Summary: CVE-2023-28322 curl: more POST-after-PUT confusion
Keywords:
Status: NEW
Alias: CVE-2023-28322
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2203903 2203904 2209338 2209339 2227754 2227755 2233493 2233494
Blocks: 2196613
TreeView+ depends on / blocked
 
Reported: 2023-05-10 09:05 UTC by Marian Rehak
Modified: 2024-04-02 15:55 UTC (History)
17 users (show)

Fixed In Version: curl 8.1.0
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the Curl package. This issue may lead to unintended information disclosure by the application.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:4354 0 None None None 2023-08-01 08:49:35 UTC
Red Hat Product Errata RHSA-2023:4628 0 None None None 2023-08-15 17:37:21 UTC
Red Hat Product Errata RHSA-2023:4629 0 None None None 2023-08-15 17:40:54 UTC
Red Hat Product Errata RHSA-2023:5598 0 None None None 2023-10-10 15:24:33 UTC
Red Hat Product Errata RHSA-2024:0428 0 None None None 2024-01-24 16:49:14 UTC
Red Hat Product Errata RHSA-2024:0585 0 None None None 2024-01-30 13:24:56 UTC
Red Hat Product Errata RHSA-2024:1601 0 None None None 2024-04-02 15:54:59 UTC

Description Marian Rehak 2023-05-10 09:05:19 UTC
When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.

Comment 2 Marian Rehak 2023-05-23 14:26:40 UTC
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 2209338]


Created mingw-curl tracking bugs for this issue:

Affects: fedora-all [bug 2209339]

Comment 4 Jan Pazdziora 2023-07-25 16:06:39 UTC
Hello,

while doing review of the Vulnerability Assessment report of RHEL 8.6 for the purpose of Common Criteria certification, we came across this CVE. The CVE page https://access.redhat.com/security/cve/CVE-2023-28322 has Statement

  This vulnerability does not affect the Curl package as shipped in Red Hat Enterprise Linux 6, 7 and 8.

What is the specific reason why RHEL 8 is not affected?

Thank you, Jan

Comment 6 errata-xmlrpc 2023-08-01 08:49:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:4354 https://access.redhat.com/errata/RHSA-2023:4354

Comment 7 errata-xmlrpc 2023-08-15 17:37:19 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2023:4628 https://access.redhat.com/errata/RHSA-2023:4628

Comment 8 errata-xmlrpc 2023-08-15 17:40:52 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2023:4629 https://access.redhat.com/errata/RHSA-2023:4629

Comment 10 errata-xmlrpc 2023-10-10 15:24:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:5598 https://access.redhat.com/errata/RHSA-2023:5598

Comment 13 errata-xmlrpc 2024-01-24 16:49:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0428 https://access.redhat.com/errata/RHSA-2024:0428

Comment 14 errata-xmlrpc 2024-01-30 13:24:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:0585 https://access.redhat.com/errata/RHSA-2024:0585

Comment 16 errata-xmlrpc 2024-04-02 15:54:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:1601 https://access.redhat.com/errata/RHSA-2024:1601


Note You need to log in before you can comment on or make changes to this bug.