[Buildroot] [PATCH] package/libcurl: security bump to version 7.79.0

Peter Korsgaard peter at korsgaard.com
Wed Sep 22 08:53:21 UTC 2021


>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:

 > Fixes the following security issues:
 > - CVE-2021-22945: UAF and double-free in MQTT sending
 >   When sending data to an MQTT server, libcurl could in some circumstances
 >   erroneously keep a pointer to an already freed memory area and both use
 >   that again in a subsequent call to send data and also free it again.

 >   https://curl.se/docs/CVE-2021-22945.html

 > - CVE-2021-22946: Protocol downgrade required TLS bypassed
 >   A user can tell curl to require a successful upgrade to TLS when speaking
 >   to an IMAP, POP3 or FTP server (--ssl-reqd on the command line or
 >   CURLOPT_USE_SSL set to CURLUSESSL_CONTROL or CURLUSESSL_ALL with libcurl).
 >   This requirement could be bypassed if the server would return a properly
 >   crafted but perfectly legitimate response.

 >   This flaw would then make curl silently continue its operations without
 >   TLS contrary to the instructions and expectations, exposing possibly
 >   sensitive data in clear text over the network.

 >   https://curl.se/docs/CVE-2021-22946.html

 > - CVE-2021-22947: STARTTLS protocol injection via MITM
 >   When curl connects to an IMAP, POP3, SMTP or FTP server to exchange data
 >   securely using STARTTLS to upgrade the connection to TLS level, the server
 >   can still respond and send back multiple responses before the TLS upgrade.
 >   Such multiple "pipelined" responses are cached by curl.  curl would then
 >   upgrade to TLS but not flush the in-queue of cached responses and instead
 >   use and trust the responses it got before the TLS handshake as if they
 >   were authenticated.

 >   Using this flaw, it allows a Man-In-The-Middle attacker to first inject
 >   the fake responses, then pass-through the TLS traffic from the legitimate
 >   server and trick curl into sending data back to the user thinking the
 >   attacker's injected data comes from the TLS-protected server.

 >   Over POP3 and IMAP an attacker can inject fake response data.

 >   https://curl.se/docs/CVE-2021-22947.html

 > Signed-off-by: Peter Korsgaard <peter at korsgaard.com>

7.79.0 unfortunately added a few regressions, which have now been fixed
in 7.79.1:

https://daniel.haxx.se/blog/2021/09/22/curl-7-79-1-patched-up-and-ready/

So I've sent an updated patch for that instead.

-- 
Bye, Peter Korsgaard
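
Added example (not part of this mail, the patch, or curl's source): a simplified C model of the CVE-2021-22947 description quoted above. It shows plaintext queued behind the STARTTLS reply surviving the upgrade, next to a strict policy that refuses the upgrade instead. The struct, the function names and the POP3-style sample bytes are constructed assumptions.

```c
#include <string.h>

/* Simplified model of a client receive queue around a STARTTLS upgrade.
 * Not libcurl code; every name here is hypothetical. */
struct conn {
    char   inbuf[256];  /* bytes received but not yet consumed */
    size_t len;
    int    tls;         /* 1 once the connection is treated as TLS */
};

/* Drop the first CRLF-terminated line from the queue.
 * Returns 1 if a line starting with `prefix` was consumed, else 0. */
static int pop_line(struct conn *c, const char *prefix)
{
    for (size_t i = 0; i + 1 < c->len; i++) {
        if (c->inbuf[i] != '\r' || c->inbuf[i + 1] != '\n')
            continue;
        int ok = i >= strlen(prefix) &&
                 memcmp(c->inbuf, prefix, strlen(prefix)) == 0;
        memmove(c->inbuf, c->inbuf + i + 2, c->len - (i + 2));
        c->len -= i + 2;
        return ok;
    }
    return 0;
}

/* Process the reply to STARTTLS (POP3-style "+OK"). strict=0 models the
 * flaw: bytes queued behind the reply survive the upgrade. strict=1
 * refuses the upgrade when such plaintext is queued. 0 = upgraded. */
static int starttls_upgrade(struct conn *c, int strict)
{
    if (!pop_line(c, "+OK"))
        return -1;          /* server declined, or no full line yet */
    if (strict && c->len != 0)
        return -1;          /* plaintext queued behind the reply */
    c->tls = 1;
    return 0;
}

/* Load constructed plaintext `wire` as received before the handshake.
 * Returns pre-handshake bytes still queued after upgrade, -1 if refused. */
int leftover_after_upgrade(const char *wire, int strict)
{
    struct conn c = { .len = strlen(wire) };
    if (c.len > sizeof c.inbuf)
        c.len = sizeof c.inbuf;
    memcpy(c.inbuf, wire, c.len);
    return starttls_upgrade(&c, strict) == 0 ? (int)c.len : -1;
}
```

A non-zero result with strict=0 is the unauthenticated data that a later read would treat as if it had arrived over TLS.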

