Arch Linux Security Advisory ASA-202107-59
==========================================

Severity: Medium
Date    : 2021-07-21
CVE-ID  : CVE-2021-22922 CVE-2021-22923 CVE-2021-22924 CVE-2021-22925
Package : curl
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2194

Summary
=======

The package curl before version 7.78.0-1 is vulnerable to multiple
issues including information disclosure and insufficient validation.

Resolution
==========

Upgrade to 7.78.0-1.

# pacman -Syu "curl>=7.78.0-1"

The problems have been fixed upstream in version 7.78.0.

Workaround
==========

CVE-2021-22922 and CVE-2021-22923 can be mitigated by making sure not
to use metalink with curl. CVE-2021-22925 can be mitigated by avoiding
to use the -t command line option and CURLOPT_TELNETOPTIONS. No known
workaround exists for CVE-2021-22924.

Description
===========

- CVE-2021-22922 (insufficient validation)

A security issue has been found in curl before version 7.78.0. When
curl is instructed to download content using the metalink feature, the
contents is verified against a hash provided in the metalink XML file.
The metalink XML file points out to the client how to get the same
content from a set of different URLs, potentially hosted by different
servers and the client can then download the file from one or several
of them in a serial or parallel manner.

If one of the servers hosting the contents has been breached and the
contents of the specific file on that server is replaced with a
modified payload, curl should detect this when the hash of the file
mismatches after a completed download. It should remove the contents
and instead try getting the contents from another URL. This is not
done, and instead such a hash mismatch is only mentioned in text and
the potentially malicious content is kept in the file on disk. There's
a risk the user doesn't notice the message and instead assumes the file
is fine.

This flaw exists only in the curl tool. libcurl is not affected.

- CVE-2021-22923 (information disclosure)

A security issue has been found in curl before version 7.78.0 When curl
is instructed to get content using the metalink feature, and a user
name and password are used to download the metalink XML file, those
same credentials are then subsequently passed on to each of the servers
from which curl will download or try to download the contents from;
often contrary to the user's expectations and intentions and without
telling the user it happened.

This flaw exists only in the curl tool. libcurl is not affected.

- CVE-2021-22924 (insufficient validation)

A security issue has been found in curl before version 7.78.0. libcurl
keeps previously used connections in a connection pool for subsequent
transfers to reuse, if one of them matches the setup. Due to errors in
the logic, the config matching function did not take 'issuer cert' into
account and it compared the involved paths case insensitively, which
could lead to libcurl reusing wrong connections. File paths are, or can
be, case sensitive on many systems but not all, and can even vary
depending on used file systems. The comparison also didn't include the
'issuer cert' which a transfer can set to qualify how to verify the
server certificate.

- CVE-2021-22925 (information disclosure)

A security issue has been found in curl before version 7.78.0. curl
supports the -t command line option, known as CURLOPT_TELNETOPTIONS in
libcurl. This rarely used option is used to send variable=content pairs
to TELNET servers. Due to flaw in the option parser for sending NEW_ENV
variables, libcurl before version 7.78.0 could be made to pass on
uninitialized data from a stack based buffer to the server. Therefore
potentially revealing sensitive internal information to the server
using a clear-text network protocol. This could happen because curl did
not call and use sscanf() correctly when parsing the string provided by
the application.

The previous curl security vulnerability CVE-2021-22898 is almost
identical to this one but the fix was insufficient so this security
vulnerability remained.

Impact
======

curl could disclose information credentials or potentially sensitive
memory contents to a remote server when the metalink feature or an
uncommon option for TELNET servers is used. Additionally, curl did not
sufficiently verify the hashes of files downloaded using metalink and
the 'issuer cert' when reusing connections.

References
==========

https://curl.se/docs/CVE-2021-22922.html
https://github.com/curl/curl/pull/7176
https://github.com/curl/curl/commit/265b14d6b37c4298bd5556fabcbc37d36f911693
https://curl.se/docs/CVE-2021-22923.html
https://curl.se/docs/CVE-2021-22924.html
https://github.com/curl/curl/commit/5ea3145850ebff1dc2b13d17440300a01ca38161
https://curl.se/docs/CVE-2021-22925.html
https://github.com/curl/curl/commit/894f6ec730597eb243618d33cc84d71add8d6a8a
https://security.archlinux.org/CVE-2021-22922
https://security.archlinux.org/CVE-2021-22923
https://security.archlinux.org/CVE-2021-22924
https://security.archlinux.org/CVE-2021-22925