libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given a syntactically incorrect field, the parser might end up using -1 for the length of the *time fraction*, leading to a `strlen()` getting performed on a pointer to a heap buffer area that is not (purposely) null terminated. This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when CURLINFO_CERTINFO (https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used.
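The flaw described above is a length-computation error: a malformed field leaves the fraction length at -1, and the code then falls back to `strlen()` over a buffer that carries no terminator. The following is an added example, not libcurl's `GTime2str()` or any other code from the curl project. It shows how a GeneralizedTime field of the form YYYYMMDDHHMMSS[.fff][Z] can be parsed with every access bounded by the caller-supplied length, so a missing or empty fraction is rejected instead of producing a negative length. The `struct gtime`, `parse_gtime()` and `gtime_parse_str()` names and the sample fields are this example's own constructions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Parsed view of an ASN.1 GeneralizedTime of the form
 * YYYYMMDDHHMMSS[.fff][Z].  Names are this example's own, not libcurl's. */
struct gtime {
    char date[9];   /* YYYYMMDD, NUL terminated by us */
    char time[7];   /* HHMMSS,   NUL terminated by us */
    char frac[16];  /* fractional-second digits, "" if none */
    int  utc;       /* 1 when a trailing 'Z' was present */
};

static int all_digits(const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!isdigit(p[i]))
            return 0;
    return 1;
}

/* Parse buf[0..len), which is NOT assumed to be NUL terminated.
 * Returns 0 on success, -1 on any malformed input.  The length of each
 * component is derived from `len` and the bytes actually seen, never
 * from strlen(), so a bad field cannot yield a negative or
 * out-of-range fraction length. */
int parse_gtime(const unsigned char *buf, size_t len, struct gtime *out)
{
    size_t pos;

    memset(out, 0, sizeof *out);

    /* Fixed 14-digit date/time prefix. */
    if (len < 14 || !all_digits(buf, 14))
        return -1;
    memcpy(out->date, buf, 8);
    memcpy(out->time, buf + 8, 6);
    pos = 14;

    /* Optional fraction.  A '.' must be followed by at least one digit
     * inside the buffer; a '.' as the last byte of the field is exactly
     * the malformed case that a pointer-difference computation would
     * turn into a zero or negative length. */
    if (pos < len && buf[pos] == '.') {
        size_t start = ++pos;
        size_t flen;
        while (pos < len && isdigit(buf[pos]))
            pos++;
        flen = pos - start;
        if (flen == 0 || flen >= sizeof out->frac)
            return -1;
        memcpy(out->frac, buf + start, flen);
    }

    /* Optional UTC designator. */
    if (pos < len && buf[pos] == 'Z') {
        out->utc = 1;
        pos++;
    }

    /* Anything left over means the field is malformed. */
    return pos == len ? 0 : -1;
}

/* Convenience wrapper for NUL-terminated test strings: the terminator is
 * deliberately excluded from `len`, mirroring a DER-bounded field. */
int gtime_parse_str(const char *s, struct gtime *out)
{
    return parse_gtime((const unsigned char *)s, strlen(s), out);
}

int main(void)
{
    /* Constructed sample fields: one well formed, two malformed. */
    const char *samples[] = {
        "20240801123456.789Z", "20240801123456.", "20240801123456.Z"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct gtime g;
        int rc = gtime_parse_str(samples[i], &g);
        printf("%-22s -> %s", samples[i], rc == 0 ? "ok" : "rejected");
        if (rc == 0)
            printf(" (date %s time %s frac \"%s\" utc %d)",
                   g.date, g.time, g.frac, g.utc);
        printf("\n");
    }
    return 0;
}
```

The design point is that `len` is the only source of truth for how far the parser may read: the fraction length is the count of digits actually consumed, checked against the destination size, and the caller's length bound is honored even when the bytes after it happen to be readable.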
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.6 for RHEL 8
  Red Hat OpenShift Service Mesh 2.6 for RHEL 9

Via RHSA-2024:7726 https://access.redhat.com/errata/RHSA-2024:7726

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:1671 https://access.redhat.com/errata/RHSA-2025:1671

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:1673 https://access.redhat.com/errata/RHSA-2025:1673
For Red Hat Enterprise Linux 8, RHSA-2025:1673 shows only mysql-related packages as updated, but CVE-2024-7264 is a vulnerability in libcurl, so I would expect libcurl and curl to be among the updated packages in this RHSA. I checked the latest sources in RHEL8 and I do not see libcurl being updated with the upstream patch. Will there be an update for libcurl published for CVE-2024-7264 that includes this fix?
https://access.redhat.com/security/cve/cve-2024-7264 states:

> Red Hat build of curl uses OpenSSL, which is not included in the affected list of GnuTLS, Schannel, Secure Transport and mbedTLS. Inspect which TLS backend is in use by running:

Can this CVE be marked as "not affected" for Red Hat Enterprise Linux 8 and 9?