Arch Linux Security Advisory ASA-202106-6
========================================
Severity: High
Date    : 2021-06-01
CVE-ID  : CVE-2021-22898 CVE-2021-22901
Package : libcurl-compat
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1997

Summary
======
The package libcurl-compat before version 7.77.0-1 is vulnerable to
multiple issues including arbitrary code execution and information
disclosure.

Resolution
=========
Upgrade to 7.77.0-1.

# pacman -Syu "libcurl-compat>=7.77.0-1"

The problems have been fixed upstream in version 7.77.0.

Workaround
=========
- CVE-2021-22898 can be mitigated by avoiding to use the -t command
line option and CURLOPT_TELNETOPTIONS.
- No known workaround exists for CVE-2021-22901.

Description
==========
- CVE-2021-22898 (information disclosure)

A security issue has been found in curl before version 7.77.0. curl
supports the -t command line option, known as CURLOPT_TELNETOPTIONS in
libcurl. This rarely used option is used to send variable=content pairsto TELNET servers. Due to flaw in the option parser for sending NEW_ENV
variables, libcurl could be made to pass on uninitialized data from a
stack based buffer to the server. Therefore potentially revealing
sensitive internal information to the server using a clear-text network
protocol.

- CVE-2021-22901 (arbitrary code execution)

libcurl before version 7.77.0 can be tricked into using already freed
memory when a new TLS session is negotiated or a client certificate is
requested on an existing connection. For example, this can happen when
a TLS server requests a client certificate on a connection that was
established without one. A malicious server can use this in rare
unfortunate circumstances to potentially reach remote code execution in
the client. The flaw can only happen in libcurl built to use OpenSSL.

Impact
=====
curl could disclose potentially sensitive memory information to a
remote server over Telnet when an uncommon option is used.
Additionally, a remote attacker could cause arbitrary code execution
through a crafted TLS handshake.

References
=========
https://curl.se/docs/CVE-2021-22898.html
https://github.com/curl/curl/commit/39ce47f219b09c380b81f89fe54ac586c8db6bde
https://curl.se/docs/CVE-2021-22901.html
https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479
https://security.archlinux.org/CVE-2021-22898
https://security.archlinux.org/CVE-2021-22901

ArchLinux: 202106-6: libcurl-compat: multiple issues

June 3, 2021

Summary

- CVE-2021-22898 (information disclosure) A security issue has been found in curl before version 7.77.0. curl supports the -t command line option, known as CURLOPT_TELNETOPTIONS in libcurl. This rarely used option is used to send variable=content pairsto TELNET servers. Due to flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server. Therefore potentially revealing sensitive internal information to the server using a clear-text network protocol.
- CVE-2021-22901 (arbitrary code execution)
libcurl before version 7.77.0 can be tricked into using already freed memory when a new TLS session is negotiated or a client certificate is requested on an existing connection. For example, this can happen when a TLS server requests a client certificate on a connection that was established without one. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code execution in the client. The flaw can only happen in libcurl built to use OpenSSL.

Resolution

Upgrade to 7.77.0-1. # pacman -Syu "libcurl-compat>=7.77.0-1"
The problems have been fixed upstream in version 7.77.0.

References

https://curl.se/docs/CVE-2021-22898.html https://github.com/curl/curl/commit/39ce47f219b09c380b81f89fe54ac586c8db6bde https://curl.se/docs/CVE-2021-22901.html https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479 https://security.archlinux.org/CVE-2021-22898 https://security.archlinux.org/CVE-2021-22901

Severity
Package : libcurl-compat
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-1997

Workaround

- CVE-2021-22898 can be mitigated by avoiding to use the -t commandline option and CURLOPT_TELNETOPTIONS.- No known workaround exists for CVE-2021-22901.

Related News

5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
8.Locks HexConnections CodeGlobe Esm H320
2 - 3 min read
Canonical has launched Ubuntu Pro for Devices , a comprehensive offering emphasizing security and compliance for IoT device deployments. This
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved