curl: wrong connect-only connection (CVE-2020-8231)
An application that performs multiple requests with libcurl's multi API and sets the CURLOPT_CONNECT_ONLY option might, in rare circumstances, find that when it subsequently uses the set-up connect-only transfer, libcurl picks and uses the wrong connection: another one the application has created since then.
CURLOPT_CONNECT_ONLY is the option to tell libcurl to not perform an actual transfer, only connect. When that operation is completed, libcurl remembers which connection it used for that transfer and "easy handle". It remembers the connection using a pointer to the internal connectdata struct in memory.
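The hazard of remembering a connection by its address, shown as an added example in a simplified model (this is not libcurl code, and the pool, `conn_open`, `find_by_pointer`, `find_by_id` and `scenario` are hypothetical names). It assumes a closed connection's memory is reused for the next connection, and contrasts the address lookup with a lookup by an id that is never handed out twice.

```c
#include <stdio.h>
#include <string.h>

/* Toy model, not libcurl code; every name here is hypothetical. */
#define POOL_SIZE 4
struct conn { int in_use; long id; const char *host; };
static struct conn pool[POOL_SIZE];
static long next_id = 1;   /* ids only grow, so none is ever reused */

/* Take the first free slot, so a closed connection's memory gets reused. */
static struct conn *conn_open(const char *host) {
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].in_use) {
            pool[i] = (struct conn){ 1, next_id++, host };
            return &pool[i];
        }
    }
    return NULL;
}

/* Weak: trusts a remembered address as long as something live sits there. */
static struct conn *find_by_pointer(const struct conn *remembered) {
    for (int i = 0; i < POOL_SIZE; i++)
        if (&pool[i] == remembered && pool[i].in_use) return &pool[i];
    return NULL;
}

/* Stronger: matches only the connection that was originally remembered. */
static struct conn *find_by_id(long remembered_id) {
    for (int i = 0; i < POOL_SIZE; i++)
        if (pool[i].in_use && pool[i].id == remembered_id) return &pool[i];
    return NULL;
}

/* Remember a connection, close it, open another, then look it up again. */
static const char *scenario(int use_id) {
    memset(pool, 0, sizeof pool);
    struct conn *first = conn_open("a.example");   /* constructed host name */
    const struct conn *saved_ptr = first;
    long saved_id = first->id;
    first->in_use = 0;                 /* the remembered connection is closed */
    conn_open("b.example");            /* a new one lands in the same slot */
    struct conn *hit = use_id ? find_by_id(saved_id) : find_by_pointer(saved_ptr);
    return hit ? hit->host : "none";
}

int main(void) {
    printf("by pointer: %s\n", scenario(0));
    printf("by id:      %s\n", scenario(1));
    return 0;
}
```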
- Affected versions: libcurl 7.29.0 up to and including 7.71.1
- Not affected versions: libcurl < 7.29.0 and libcurl >= 7.72.0
References:
- https://curl.haxx.se/docs/CVE-2020-8231.html
- https://www.openwall.com/lists/oss-security/2020/08/19/1
Patch:
https://github.com/curl/curl/commit/3c9e021f86872baae412a427e807fbfa2f3e8
Affected branches:
- master
- 3.12-stable
- 3.11-stable
- 3.10-stable
- 3.9-stable