[Buildroot] [PATCH] package/libcurl: security bump to version 7.79.0
Peter Korsgaard
peter at korsgaard.com
Wed Sep 22 08:53:21 UTC 2021
>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:
> Fixes the following security issues:
> - CVE-2021-22945: UAF and double-free in MQTT sending
> When sending data to an MQTT server, libcurl could in some circumstances
> erroneously keep a pointer to an already freed memory area and both use
> that again in a subsequent call to send data and also free it again.
> https://curl.se/docs/CVE-2021-22945.html
> - CVE-2021-22946: Protocol downgrade required TLS bypassed
> A user can tell curl to require a successful upgrade to TLS when speaking
> to an IMAP, POP3 or FTP server (--ssl-reqd on the command line or
> CURLOPT_USE_SSL set to CURLUSESSL_CONTROL or CURLUSESSL_ALL with libcurl).
> This requirement could be bypassed if the server would return a properly
> crafted but perfectly legitimate response.
> This flaw would then make curl silently continue its operations without
> TLS contrary to the instructions and expectations, exposing possibly
> sensitive data in clear text over the network.
> https://curl.se/docs/CVE-2021-22946.html
> - CVE-2021-22947: STARTTLS protocol injection via MITM
> When curl connects to an IMAP, POP3, SMTP or FTP server to exchange data
> securely using STARTTLS to upgrade the connection to TLS level, the server
> can still respond and send back multiple responses before the TLS upgrade.
> Such multiple "pipelined" responses are cached by curl. curl would then
> upgrade to TLS but not flush the in-queue of cached responses and instead
> use and trust the responses it got before the TLS handshake as if they
> were authenticated.
> Using this flaw, it allows a Man-In-The-Middle attacker to first inject
> the fake responses, then pass-through the TLS traffic from the legitimate
> server and trick curl into sending data back to the user thinking the
> attacker's injected data comes from the TLS-protected server.
> Over POP3 and IMAP an attacker can inject fake response data.
> https://curl.se/docs/CVE-2021-22947.html
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
7.79.0 unfortunately added a few regressions, which have now been fixed
in 7.79.1:
https://daniel.haxx.se/blog/2021/09/22/curl-7-79-1-patched-up-and-ready/
So I've sent an updated patch for that instead.
--
Bye, Peter Korsgaard
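The CVE-2021-22947 description above hinges on one detail: responses a client has already queued from the plaintext phase must be thrown away once STARTTLS completes, because the TLS handshake never authenticated them. The following is an added, constructed model of that queue (it is not libcurl's code, and the class, method names and the sample IMAP lines are assumptions made for illustration); it replays the same exchange with and without the flush so the difference is visible in what the client acts on after the upgrade.

```python
"""Constructed model of a STARTTLS client's response queue (added example,
not libcurl's code). Responses read before the TLS upgrade were never
authenticated by the handshake, so the fixed behaviour discards them."""
from collections import deque
from typing import Deque, List, Optional, Tuple


class ModelStartTlsClient:
    """Minimal IMAP-style client: a line buffer, a queue of parsed responses
    and a flag recording whether the channel is TLS-protected."""

    def __init__(self, flush_on_upgrade: bool):
        self.flush_on_upgrade = flush_on_upgrade
        # Each entry is (response line, received_over_tls)
        self.queue: Deque[Tuple[str, bool]] = deque()
        self.tls = False
        self._buf = ""

    def feed(self, data: str) -> None:
        """Split one network read into CRLF-terminated responses. A single
        read may carry several pipelined responses; all of them are queued,
        tagged with the channel state at the time they were read."""
        self._buf += data
        while "\r\n" in self._buf:
            line, self._buf = self._buf.split("\r\n", 1)
            self.queue.append((line, self.tls))

    def upgrade_to_tls(self) -> None:
        """Model the TLS handshake completing. The fixed behaviour discards
        every response (and partial line) still queued from the plaintext
        phase; the vulnerable behaviour keeps and trusts them."""
        self.tls = True
        if self.flush_on_upgrade:
            self.queue.clear()
            self._buf = ""

    def next_response(self) -> Optional[Tuple[str, bool]]:
        return self.queue.popleft() if self.queue else None


def run_exchange(flush_on_upgrade: bool) -> List[Tuple[str, bool]]:
    """Replay one constructed exchange and return the responses the client
    acts on after the upgrade, each tagged with whether it arrived over TLS."""
    client = ModelStartTlsClient(flush_on_upgrade)
    # Constructed plaintext read: the expected STARTTLS acknowledgement plus
    # an extra response pipelined behind it before the handshake.
    client.feed("a001 OK Begin TLS negotiation now\r\n"
                "* OK plaintext-era response\r\n")
    ack = client.next_response()  # the STARTTLS acknowledgement itself
    assert ack is not None and ack[0].startswith("a001 OK")
    client.upgrade_to_tls()
    # Constructed read from the now TLS-protected channel.
    client.feed("a002 OK LOGIN completed\r\n")
    seen: List[Tuple[str, bool]] = []
    while True:
        resp = client.next_response()
        if resp is None:
            break
        seen.append(resp)
    return seen


if __name__ == "__main__":
    print("without flush:", run_exchange(flush_on_upgrade=False))
    print("with flush:   ", run_exchange(flush_on_upgrade=True))
```

Without the flush, the first response the client acts on after the handshake is the one tagged as received in plaintext; with the flush, only the TLS-era response remains. The same reasoning is why the fix in 7.79.x empties the cached queue rather than merely marking it.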