main/curl: multiple vulnerabilities (CVE-2021-22897, CVE-2021-22898, CVE-2021-22901)
CVE-2021-22897: schannel cipher selection surprise
libcurl lets applications specify which specific TLS ciphers to use in transfers, using the option called CURLOPT_SSL_CIPHER_LIST. The cipher selection is used for the TLS negotiation when a transfer is done involving any of the TLS based transfer protocols libcurl supports, such as HTTPS, FTPS, IMAPS, POP3S, SMTPS etc.
Due to a mistake in the code, the selected cipher set was stored in a single "static" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly.
No impact on Alpine, since this exploits the schannel TLS backend (which Alpine doesn't use).
CVE-2021-22898: TELNET stack contents disclosure
curl supports the -t command line option, known as CURLOPT_TELNETOPTIONS in libcurl. This rarely used option is used to send variable=content pairs to TELNET servers.
Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, potentially revealing sensitive internal information to the server over a clear-text network protocol.
Present in curl >= 7.7 (i.e. all supported versions of Alpine); fixed in 7.77.0.
CVE-2021-22901: TLS session caching disaster
libcurl can be tricked into using already freed memory when a new TLS session is negotiated or a client certificate is requested on an existing connection. For example, this can happen when a TLS server requests a client certificate on a connection that was established without one. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code execution in the client.
OpenSSL can declare a "new session" for different reasons, including the initial TLS handshake completion, TLS 1.2 (or earlier) renegotiation, or TLS 1.3 client certificate requests. When libcurl at run-time sets up support for session ID caching on a connection using OpenSSL, it stores pointers to the transfer in-memory object for later retrieval when OpenSSL considers a new session to be established.
However, if the connection is used by multiple transfers (like with a reused HTTP/1.1 connection or multiplexed HTTP/2 connection) that first transfer object might be freed before the new session is established on that connection and then the function will access a memory buffer that might be freed. When using that memory, libcurl might even call a function pointer in the object, making it possible for a remote code execution if the server could somehow manage to get crafted memory content into the correct place in memory.
Present in curl >= 7.75.0 (Alpine >= 3.12); fixed in 7.77.0.
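As an added example that is not part of this issue, a small Python check that maps the affected ranges stated above onto a `curl --version` banner. The banners and the `backported` set are constructed inputs (the set is assumed to come from the package's secfixes metadata), and CVE-2021-22897 is skipped because Alpine's curl does not use schannel.

```python
import re

# Upstream affected ranges as stated in this issue: first affected version
# (inclusive) and first fixed version (exclusive). CVE-2021-22897 is left out
# because it only reaches the schannel backend, which Alpine's curl does not use.
AFFECTED = {
    "CVE-2021-22898": ((7, 7, 0), (7, 77, 0)),
    "CVE-2021-22901": ((7, 75, 0), (7, 77, 0)),
}

_LIBCURL_RE = re.compile(r"\blibcurl/(\d+)\.(\d+)(?:\.(\d+))?")


def parse_libcurl_version(banner):
    """Return the libcurl version tuple from the first line of `curl --version`."""
    m = _LIBCURL_RE.search(banner)
    if m is None:
        raise ValueError("no libcurl/x.y[.z] token in banner")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def applicable_cves(version):
    """CVEs whose upstream range [first, fixed) contains `version`."""
    return sorted(cve for cve, (first, fixed) in AFFECTED.items()
                  if first <= version < fixed)


def assess(banner, backported=frozenset()):
    """Upstream-range check minus CVEs the distro already backported.

    `backported` is the set of CVE ids the package's secfixes metadata lists
    as fixed (assumption: the caller supplies it), because a cherry-picked
    fix, as on the 3.10/3.11 branches here, does not change the version string.
    """
    return [cve for cve in applicable_cves(parse_libcurl_version(banner))
            if cve not in backported]


if __name__ == "__main__":
    # Constructed banners, not real scan output.
    unpatched = "curl 7.76.1 (x86_64-alpine-linux-musl) libcurl/7.76.1 OpenSSL/1.1.1k"
    backport = "curl 7.69.1 (x86_64-alpine-linux-musl) libcurl/7.69.1 OpenSSL/1.1.1k"
    print(assess(unpatched))                                # both CVEs apply
    print(assess(backport, backported={"CVE-2021-22898"}))  # nothing left
```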
Branches
- master: !21780 (merged) (version bump to 7.77.0), !21812 (merged) (correct secfix for CVE-2021-22897)
- 3.13-stable: !21781 (merged) (version bump to 7.77.0), !21813 (merged) (correct secfix for CVE-2021-22897)
- 3.12-stable: !21783 (merged) (version bump to 7.77.0), !21814 (merged) (correct secfix for CVE-2021-22897)
- 3.11-stable: !21790 (merged) (cherry-pick CVE-2021-22898 patch from upstream), !21810 (merged) (add secfix for CVE-2021-22897)
- 3.10-stable: !21791 (merged) (cherry-pick CVE-2021-22898 patch from upstream), !21811 (merged) (add secfix for CVE-2021-22897)