Arch Linux Security Advisory ASA-202107-59
==========================================

Severity: Medium
Date    : 2021-07-21
CVE-ID  : CVE-2021-22922 CVE-2021-22923 CVE-2021-22924 CVE-2021-22925
Package : curl
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2194

Summary
=======

The package curl before version 7.78.0-1 is vulnerable to multiple issues
including information disclosure and insufficient validation.

Resolution
==========

Upgrade to 7.78.0-1.

# pacman -Syu "curl>=7.78.0-1"

The problems have been fixed upstream in version 7.78.0.

Workaround
==========

CVE-2021-22922 and CVE-2021-22923 can be mitigated by not using metalink
with curl. CVE-2021-22925 can be mitigated by avoiding the -t command line
option and CURLOPT_TELNETOPTIONS. No known workaround exists for
CVE-2021-22924.

Description
===========

- CVE-2021-22922 (insufficient validation)

A security issue has been found in curl before version 7.78.0. When curl is
instructed to download content using the metalink feature, the content is
verified against a hash provided in the metalink XML file. The metalink XML
file tells the client how to get the same content from a set of different
URLs, potentially hosted by different servers, and the client can then
download the file from one or several of them in a serial or parallel
manner. If one of the servers hosting the content has been breached and the
contents of the specific file on that server are replaced with a modified
payload, curl should detect this when the hash of the file mismatches after
a completed download. It should remove the contents and instead try getting
the contents from another URL. This is not done; instead such a hash
mismatch is only mentioned in text and the potentially malicious content is
kept in the file on disk. There is a risk the user does not notice the
message and instead assumes the file is fine. This flaw exists only in the
curl tool. libcurl is not affected.
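The verify-then-fall-back behaviour the advisory expects of the curl tool, as an added Python example that is not curl's code: the mirror table is a constructed in-memory stand-in for the metalink URL set (one mirror serves tampered content), and `fetch` is a hypothetical transfer routine that simply looks a URL up in that table.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for a set of metalink mirrors: URL -> bytes the server
# returns. The first mirror has been "breached" and serves a modified payload.
GOOD = b"#!/bin/sh\necho hello\n"
MIRRORS = {
    "https://mirror-a.example/pkg.sh": b"#!/bin/sh\necho pwned\n",  # tampered
    "https://mirror-b.example/pkg.sh": GOOD,
}
# Hash as it would be carried in the metalink XML file.
EXPECTED_SHA256 = hashlib.sha256(GOOD).hexdigest()


def fetch(url):
    """Hypothetical transfer: look the URL up in the constructed mirror table."""
    return MIRRORS[url]


def download_verified(urls, expected_sha256, dest):
    """Try mirrors in order; keep a file on disk only if its hash matches.

    Returns the URL that supplied the verified content, or None if every
    mirror failed. A mismatching download is deleted before the next attempt,
    which is the step curl before 7.78.0 skipped (it only printed a message
    and left the file in place).
    """
    for url in urls:
        data = fetch(url)
        with open(dest, "wb") as fh:
            fh.write(data)
        if hashlib.sha256(data).hexdigest() == expected_sha256.lower():
            return url
        # Hash mismatch: remove the suspect file rather than leaving it on disk.
        os.remove(dest)
    return None


def demo(urls=None):
    """Run a download into a fresh temp dir; return (source URL, file kept?)."""
    dest = os.path.join(tempfile.mkdtemp(), "pkg.sh")
    src = download_verified(urls or list(MIRRORS), EXPECTED_SHA256, dest)
    return src, os.path.exists(dest)


if __name__ == "__main__":
    print(demo())  # the tampered mirror is rejected, mirror-b is used
```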
- CVE-2021-22923 (information disclosure)

A security issue has been found in curl before version 7.78.0. When curl is
instructed to get content using the metalink feature, and a user name and
password are used to download the metalink XML file, those same credentials
are then subsequently passed on to each of the servers from which curl will
download or try to download the contents, often contrary to the user's
expectations and intentions and without telling the user it happened. This
flaw exists only in the curl tool. libcurl is not affected.

- CVE-2021-22924 (insufficient validation)

A security issue has been found in curl before version 7.78.0. libcurl
keeps previously used connections in a connection pool for subsequent
transfers to reuse, if one of them matches the setup. Due to errors in the
logic, the config matching function did not take the 'issuer cert' into
account and it compared the involved paths case insensitively, which could
lead to libcurl reusing wrong connections. File paths are, or can be, case
sensitive on many systems but not all, and can even vary depending on the
file system used. The comparison also did not include the 'issuer cert',
which a transfer can set to qualify how to verify the server certificate.

- CVE-2021-22925 (information disclosure)

A security issue has been found in curl before version 7.78.0. curl supports
the -t command line option, known as CURLOPT_TELNETOPTIONS in libcurl. This
rarely used option is used to send variable=content pairs to TELNET servers.
Due to a flaw in the option parser for sending NEW_ENV variables, libcurl
before version 7.78.0 could be made to pass on uninitialized data from a
stack based buffer to the server, potentially revealing sensitive internal
information to the server over a clear-text network protocol. This could
happen because curl did not call and use sscanf() correctly when parsing the
string provided by the application.
The previous curl security vulnerability CVE-2021-22898 is almost identical
to this one, but the fix was insufficient so this security vulnerability
remained.

Impact
======

curl could disclose credentials or potentially sensitive memory contents to
a remote server when the metalink feature or an uncommon option for TELNET
servers is used. Additionally, curl did not sufficiently verify the hashes
of files downloaded using metalink, nor the 'issuer cert' when reusing
connections.

References
==========

https://curl.se/docs/CVE-2021-22922.html
https://github.com/curl/curl/pull/7176
https://github.com/curl/curl/commit/265b14d6b37c4298bd5556fabcbc37d36f911693
https://curl.se/docs/CVE-2021-22923.html
https://curl.se/docs/CVE-2021-22924.html
https://github.com/curl/curl/commit/5ea3145850ebff1dc2b13d17440300a01ca38161
https://curl.se/docs/CVE-2021-22925.html
https://github.com/curl/curl/commit/894f6ec730597eb243618d33cc84d71add8d6a8a
https://security.archlinux.org/CVE-2021-22922
https://security.archlinux.org/CVE-2021-22923
https://security.archlinux.org/CVE-2021-22924
https://security.archlinux.org/CVE-2021-22925