#13945: curl-7.72.0
-------------------------+-----------------------
 Reporter:  renodr       |      Owner:  blfs-book
     Type:  enhancement  |     Status:  new
 Priority:  high         |  Milestone:  10.1
Component:  BOOK         |    Version:  SVN
 Severity:  normal       |   Keywords:
-------------------------+-----------------------
 New minor version

 {{{
 curl and libcurl 7.72.0

  Public curl releases:         194
  Command line options:         232
  curl_easy_setopt() options:   277
  Public functions in libcurl:  82
  Contributors:                 2239

 This release includes the following changes:

  o content_encoding: add zstd decoding support [1]
  o CURL_PUSH_ERROROUT: allow the push callback to fail the parent stream [31]
  o CURLINFO_EFFECTIVE_METHOD: added [34]

 This release includes the following bugfixes:

  o CVE-2020-8231: libcurl: wrong connect-only connection [98]
  o appveyor: collect libcurl.dll variants with prefix or suffix [38]
  o asyn-ares: correct some bad comments [94]
  o bearssl: fix build with disabled proxy support [16]
  o buildconf: avoid array concatenation in die() [64]
  o buildconf: retire ares buildconf invocation
  o checksrc: ban gmtime/localtime [40]
  o checksrc: invoke script with -D to find .checksrc proper [63]
  o CI/azure: install libssh2 for use with msys2-based builds [67]
  o CI/azure: unconditionally enable warnings-as-errors with autotools [19]
  o CI/macos: enable warnings as errors for CMake builds [4]
  o CI/macos: set minimum macOS version [56]
  o CI/macos: unconditionally enable warnings-as-errors with autotools [21]
  o CI: Add muse CI analyzer [79]
  o cirrus-ci: upgrade 11-STABLE to 11.4 [2]
  o CMake: don't complain about missing nroff [87]
  o CMake: fix test for warning suppressions [17]
  o cmake: fix windows xp build [13]
  o configure.ac: Sort features name in summary [6]
  o configure: allow disabling warnings [26]
  o configure: cleanup wolfssl + pkg-config conflicts when cross compiling. [48]
  o configure: show zstd "no" in summary when built without it [49]
  o connect: remove redundant message about connect failure [66]
  o curl-config: ignore REQUIRE_LIB_DEPS in --libs output [96]
  o curl.1: add a few missing valid exit codes [76]
  o curl: add %{method} to the -w variables
  o curl: improve the existing file check with -J [43]
  o curl_multi_setopt: fix compiler warning "result is always false" [42]
  o curl_version_info.3: CURL_VERSION_KERBEROS4 is deprecated [9]
  o CURLINFO_CERTINFO.3: fix typo [3]
  o CURLOPT_NOBODY.3: clarify what setting to 0 means [46]
  o docs: add date of 7.20 to CURLM_CALL_MULTI_PERFORM mentions [18]
  o docs: Add video link to docs/CONTRIBUTE.md [95]
  o docs: change "web site" to "website" [86]
  o docs: clarify MAX_SEND/RECV_SPEED functionality [92]
  o docs: Update a few leftover mentions of DarwinSSL [29]
  o doh: remove redundant cast [20]
  o file2memory: use a define instead of -1 unsigned value [30]
  o ftp: don't do ssl_shutdown instead of ssl_close [85]
  o ftpserver: don't verify SMTP MAIL FROM names [8]
  o getinfo: reset retry-after value in initinfo [51]
  o gnutls: repair the build with `CURL_DISABLE_PROXY` [5]
  o gtls: survive not being able to get name/issuer [73]
  o h2: repair trailer handling [81]
  o http2: close the http2 connection when no more requests may be sent [7]
  o http2: fix nghttp2_strerror -> nghttp2_http2_strerror in debug messages [11]
  o libssh2: s/ssherr/sftperr/ [78]
  o libtest/Makefile.am: add -no-undefined for libstubgss for Cygwin [91]
  o md(4|5): don't use deprecated macOS functions [23]
  o mprintf: Fix dollar string handling [54]
  o mprintf: Fix stack overflows [53]
  o multi: Condition 'extrawait' is always true [60]
  o multi: Remove 10-year old out-commented code [97]
  o multi: remove two checks always true [36]
  o multi: update comment to say easyp list is linear [44]
  o multi_remove_handle: close unused connect-only connections [62]
  o ngtcp2: adapt to error code rename [69]
  o ngtcp2: adjust to recent sockaddr updates [27]
  o ngtcp2: update to modified qlog callback prototype [14]
  o nss: fix build with disabled proxy support [32]
  o ntlm: free target_info before (re-)malloc [55]
  o openssl: fix build with LibreSSL < 2.9.1 [61]
  o page-header: provide protocol details in the curl.1 man page [28]
  o quiche: handle calling disconnect twice [50]
  o runtests.pl: treat LibreSSL and BoringSSL as OpenSSL [59]
  o runtests: move the gnutls-serv tests to a dynamic port [74]
  o runtests: move the smbserver to use a dynamic port number [71]
  o runtests: move the TELNET server to a dynamic port [68]
  o runtests: run the DICT server on a random port number [90]
  o runtests: run the http2 tests on a random port number [72]
  o runtests: support dynamically base64 encoded sections in tests [75]
  o setopt: unset NOBODY switches to GET if still HEAD [47]
  o smtp_parse_address: handle blank input string properly [89]
  o socks: use size_t for size variable [39]
  o strdup: remove the odd strlen check [24]
  o test1119: verify stdout in the test [33]
  o test1139: make it display the difference on test failures
  o test1140: compare stdout [93]
  o test1908: treat file as text [83]
  o tests/FILEFORMAT.md: mention %HTTP2PORT
  o tests/sshserver.pl: fix compatibility with OpenSSH for Windows
  o TLS naming: fix more Winssl and Darwinssl leftovers [88]
  o tls-max.d: this option is only for TLS-using connections [45]
  o tlsv1.3.d: only for TLS-using connections [37]
  o tool_doswin: Simplify Windows version detection [57]
  o tool_getparam: make --krb option work again [10]
  o TrackMemory tests: ignore realloc and free in getenv.c [84]
  o transfer: fix data_pending for builds with both h2 and h3 enabled [41]
  o transfer: fix memory-leak with CURLOPT_CURLU in a duped handle [15]
  o transfer: move retrycount from connect struct to easy handle [77]
  o travis/script.sh: fix use of `-n' with unquoted envvar [80]
  o travis: add ppc64le and s390x builds [65]
  o travis: update quiche builds for new boringssl layout [25]
  o url: fix CURLU and location following [70]
  o url: silence MSVC warning [12]
  o util: silence conversion warnings [22]
  o win32: Add Curl_verify_windows_version() to curlx [58]
  o WIN32: stop forcing narrow-character API [52]
  o windows: add unicode to feature list [35]
  o windows: disable Unix Sockets for old mingw [82]
 }}}

 And for the security advisory:

 {{{
 VULNERABILITY
 -------------

 An application that performs multiple requests with libcurl's multi API and
 sets the `CURLOPT_CONNECT_ONLY` option, might in rare circumstances experience
 that when subsequently using the setup connect-only transfer, libcurl will
 pick and use the wrong connection - and instead pick another one the
 application has created since then.

 `CURLOPT_CONNECT_ONLY` is the option to tell libcurl to not perform an actual
 transfer, only connect. When that operation is completed, libcurl remembers
 which connection it used for that transfer and "easy handle". It remembers the
 connection using a pointer to the internal `connectdata` struct in memory.

 If more transfers are then done with the same multi handle before the
 connect-only connection is used, leading to the initial connect-only
 connection to get closed (for example due to idle time-out) while also new
 transfers (and connections) are setup, such a *new* connection might end up
 getting the exact same memory address as the now closed connect-only
 connection.

 If after those operations, the application then wants to use the original
 transfer's connect-only setup to for example use `curl_easy_send()` to send
 raw data over that connection, libcurl could **erroneously** find an existing
 connection still being alive at the address it remembered since before even
 though this is now a new and different connection.

 The application could then accidentally send data over that connection which
 wasn't at all intended for that recipient, entirely unknowingly.

 We are not aware of any exploit of this flaw.

 INFO
 ----

 This bug has existed at least since commit
 [c43127414d](https://github.com/curl/curl/commit/c43127414d), first shipped in
 curl 7.29.0.

 This flaw cannot trigger for users of the curl tool but only for applications
 using libcurl and the `CURLOPT_CONNECT_ONLY` option.

 The flaw only happens if the exact same memory address is re-used again for
 the new connection as for the original connect-only connection.

 The Common Vulnerabilities and Exposures (CVE) project has assigned the name
 CVE-2020-8231 to this issue.

 CWE-825: Expired Pointer Dereference

 Severity: Low

 AFFECTED VERSIONS
 -----------------

 - Affected versions: libcurl 7.29.0 to and including 7.71.1
 - Not affected versions: libcurl < 7.29.0 and libcurl >= 7.72.0

 THE SOLUTION
 ------------

 A [fix for CVE-2020-8231](https://github.com/curl/curl/commit/3c9e021f86872baae412a427e807fbfa2f3e8)

 RECOMMENDATIONS
 ---------------

 We suggest you take one of the following actions immediately, in order of
 preference:

  A - Upgrade curl to version 7.72.0

  B - Apply the patch on your curl version and rebuild

  C - Do not use `CURLOPT_CONNECT_ONLY`

 TIMELINE
 --------

 This issue was first reported to the curl project on July 31, 2020.

 This advisory was posted on August 19th 2020.

 CREDITS
 -------

 This issue was reported by Marc Aldorasi. Patched by Daniel Stenberg.

 Thanks a lot!
 }}}

--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/13945>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
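As an added illustration (not curl's code and not the patch linked in the advisory), the model below replays the sequence the advisory describes against a constructed two-slot connection pool, so that address reuse after a close is deterministic: a connect-only connection is closed, a new connection to a different peer lands at the same address, and a lookup keyed on the remembered pointer returns that wrong peer while a lookup keyed on a never-reused connection id correctly finds nothing. The names `conn_open`, `find_by_pointer`, `find_by_id` and `replay_scenario` and the sample hosts are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not libcurl code: a fixed two-slot pool replaces malloc
 * so that address reuse after a close is deterministic. */
#define POOL_SLOTS 2
struct connectdata {
    int in_use;
    long connection_id;   /* monotonically increasing, never reused */
    char host[32];
};
static struct connectdata pool[POOL_SLOTS];
static long next_id = 1;

struct connectdata *conn_open(const char *host) {
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (pool[i].in_use) continue;
        pool[i].in_use = 1;
        pool[i].connection_id = next_id++;
        snprintf(pool[i].host, sizeof pool[i].host, "%s", host);
        return &pool[i];
    }
    return NULL;
}

/* Vulnerable lookup: only the pointer was remembered, so any live connection
 * that now sits at that address matches (CWE-825). */
struct connectdata *find_by_pointer(const struct connectdata *remembered) {
    for (int i = 0; i < POOL_SLOTS; i++)
        if (pool[i].in_use && &pool[i] == remembered) return &pool[i];
    return NULL;
}

/* Hardened lookup: an id that is never reused cannot alias a newer connection. */
struct connectdata *find_by_id(long remembered_id) {
    for (int i = 0; i < POOL_SLOTS; i++)
        if (pool[i].in_use && pool[i].connection_id == remembered_id) return &pool[i];
    return NULL;
}

/* Replays the advisory's sequence: writes the host the pointer-keyed lookup
 * would send raw data to; returns 1 if the id-keyed lookup reports it gone. */
int replay_scenario(char *wrong_host, size_t len) {
    memset(pool, 0, sizeof pool); next_id = 1;
    struct connectdata *co = conn_open("internal.example");       /* CONNECT_ONLY */
    long co_id = co->connection_id;
    co->in_use = 0;                                                /* idle time-out */
    struct connectdata *other = conn_open("third-party.example");  /* same slot, same address */
    struct connectdata *v = find_by_pointer(co);
    snprintf(wrong_host, len, "%s", v ? v->host : "");
    return v == other && find_by_id(co_id) == NULL;
}
```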