ArchLinux: 202106-5: lib32-curl: multiple issues
Summary
- CVE-2021-22898 (information disclosure)
A security issue has been found in curl before version 7.77.0. curl
supports the -t command line option, known as CURLOPT_TELNETOPTIONS in
libcurl. This rarely used option is used to send variable=content pairs
to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV
variables, libcurl could be made to pass on uninitialized data from a
stack based buffer to the server, potentially revealing sensitive
internal information to the server using a clear-text network protocol.
- CVE-2021-22901 (arbitrary code execution)
libcurl before version 7.77.0 can be tricked into using already freed
memory when a new TLS session is negotiated or a client certificate is
requested on an existing connection. For example, this can happen when
a TLS server requests a client certificate on a connection that was
established without one. A malicious server can use this in rare
unfortunate circumstances to potentially reach remote code execution in
the client. The flaw can only happen in libcurl built to use OpenSSL.
Resolution
Upgrade to 7.77.0-1.
# pacman -Syu "lib32-curl>=7.77.0-1"
The problems have been fixed upstream in version 7.77.0.
References
https://curl.se/docs/CVE-2021-22898.html
https://github.com/curl/curl/commit/39ce47f219b09c380b81f89fe54ac586c8db6bde
https://curl.se/docs/CVE-2021-22901.html
https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479
https://security.archlinux.org/CVE-2021-22898
https://security.archlinux.org/CVE-2021-22901
Workaround
- CVE-2021-22898 can be mitigated by not using the -t command line
  option and CURLOPT_TELNETOPTIONS.
- No known workaround exists for CVE-2021-22901.
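
The following is an added example, not part of the advisory: a shell helper that reads text in the `curl --version` layout and reports which of the two issues a build is in scope for, using the 7.77.0 fix version, the OpenSSL-only condition for CVE-2021-22901 and the TELNET dependency of CVE-2021-22898. The function names and the sample text are constructed for illustration, and it assumes the TLS backend appears as an "OpenSSL/" token on the first line.

```shell
#!/bin/sh
# Added example (not from the advisory): decide which of the two CVEs a curl
# build is in scope for, from the text printed by `curl --version`.

FIXED_VERSION="7.77.0"   # first fixed upstream release, per the advisory

# version_lt A B: succeed when dotted version A is numerically lower than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# curl_exposure TEXT: print the CVE ids that apply to this build, or "none".
curl_exposure() {
    text=$1
    # The library version is the "libcurl/X.Y.Z" token on the first line.
    ver=$(printf '%s\n' "$text" | sed -n '1s/.*libcurl\/\([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || { echo "unknown"; return 2; }
    version_lt "$ver" "$FIXED_VERSION" || { echo "none"; return 0; }

    found=""
    # CVE-2021-22898 is reached through TELNET options, so TELNET must be built in.
    if printf '%s\n' "$text" | grep -Eq '^Protocols:.*[[:space:]]telnet([[:space:]]|$)'; then
        found="CVE-2021-22898"
    fi
    # CVE-2021-22901 only affects libcurl built to use OpenSSL.
    # Assumption: the backend is reported as an "OpenSSL/" token on line 1.
    if printf '%s\n' "$text" | sed -n '1p' | grep -q 'OpenSSL/'; then
        found="${found:+$found }CVE-2021-22901"
    fi
    echo "${found:-none}"
}

# Constructed sample in the `curl --version` layout (not captured output).
SAMPLE_OLD='curl 7.76.1 (x86_64-pc-linux-gnu) libcurl/7.76.1 OpenSSL/1.1.1k zlib/1.2.11
Protocols: dict file ftp ftps http https telnet tftp'

curl_exposure "$SAMPLE_OLD"
# Live check of the curl binary on PATH: curl_exposure "$(curl --version)"
```

The live check describes whichever curl binary is on PATH; the installed lib32-curl package version still has to be compared against 7.77.0-1 separately.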