CVE-2022-43551 – curl: HSTS bypass via IDN
https://notcve.org/view.php?id=CVE-2022-43551
A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. • https://hackerone.com/reports/1755083 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TVWZW5CNSJ7UYAF2BGSYAWAEXDJYUBHA https://security.gentoo.org/glsa/202310-12 https://security.netapp.com/advisory/ntap-20230427-0007 https://access.redhat.com/security/cve/CVE-2022-43551 https://bugzilla.redhat.com/show_bug.cgi?id=2152639 • CWE-319: Cleartext Transmission of Sensitive Information •
CVE-2022-36227 – libarchive: NULL pointer dereference in archive_write.c
https://notcve.org/view.php?id=CVE-2022-36227
In libarchive before 3.6.2, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. NOTE: the discoverer cites this CWE-476 remark but third parties dispute the code-execution impact: "In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution." En libarchive anterior a 3.6.2, el software no busca un error después de llamar a la función calloc que puede regresar con un puntero NULL si la función falla, lo que conduce a una desreferencia del puntero NULL resultante. NOTA: el descubridor cita este comentario CWE-476, pero terceros cuestionan el impacto de la ejecución del código: "En raras circunstancias, cuando NULL es equivalente a la dirección de memoria 0x0 y el código privilegiado puede acceder a ella, entonces es posible escribir o leer la memoria, lo cual puede llevar a la ejecución del código." A flaw was found in libarchive. • https://bugs.gentoo.org/882521 https://github.com/libarchive/libarchive/blob/v3.0.0a/libarchive/archive_write.c#L215 https://github.com/libarchive/libarchive/issues/1754 https://lists.debian.org/debian-lts-announce/2023/01/msg00034.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V67OO2UUQAUJS3IK4JZPF6F3LUCBU6IS https://security.gentoo.org/glsa/202309-14 https://access.redhat.com/security/cve/CVE-2022-36227 https://bugzilla.redhat.com/show_bug.cgi • CWE-476: NULL Pointer Dereference •
CVE-2022-32221 – curl: POST following PUT confusion
https://notcve.org/view.php?id=CVE-2022-32221
When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST. Al realizar transferencias HTTP(S), libcurl podría usar erróneamente la devolución de llamada de lectura (`CURLOPT_READFUNCTION`) para solicitar datos para enviar, incluso cuando se haya configurado la opción `CURLOPT_POSTFIELDS`, si anteriormente se usó el mismo identificador para emitir un `PUT `solicitud que utilizó esa devolución de llamada. Esta falla puede sorprender a la aplicación y hacer que se comporte mal y envíe datos incorrectos o use memoria después de liberarla o algo similar en la solicitud "POST" posterior. • http://seclists.org/fulldisclosure/2023/Jan/19 http://seclists.org/fulldisclosure/2023/Jan/20 http://www.openwall.com/lists/oss-security/2023/05/17/4 https://hackerone.com/reports/1704017 https://lists.debian.org/debian-lts-announce/2023/01/msg00028.html https://security.gentoo.org/glsa/202212-01 https://security.netapp.com/advisory/ntap-20230110-0006 https://security.netapp.com/advisory/ntap-20230208-0002 https://support.apple.com/kb/HT213604 https://support.apple.com/k • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-440: Expected Behavior Violation CWE-668: Exposure of Resource to Wrong Sphere •
CVE-2022-42916 – curl: HSTS bypass via IDN
https://notcve.org/view.php?id=CVE-2022-42916
In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26. En curl anterior a 7.86.0, se podía omitir la verificación HSTS para engañarlo y que se quedara con HTTP. • http://seclists.org/fulldisclosure/2023/Jan/19 http://seclists.org/fulldisclosure/2023/Jan/20 http://www.openwall.com/lists/oss-security/2022/12/21/1 https://curl.se/docs/CVE-2022-42916.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/37YEVVC6NAF6H7UHH6YAUY5QEVY6LIH2 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVU3IMZCKR4VE6KJ4GCWRL2ILLC6OV76 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorap • CWE-319: Cleartext Transmission of Sensitive Information •
CVE-2022-35260
https://notcve.org/view.php?id=CVE-2022-35260
curl can be told to parse a `.netrc` file for credentials. If that file endsin a line with 4095 consecutive non-white space letters and no newline, curlwould first read past the end of the stack-based buffer, and if the readworks, write a zero byte beyond its boundary.This will in most cases cause a segfault or similar, but circumstances might also cause different outcomes.If a malicious user can provide a custom netrc file to an application or otherwise affect its contents, this flaw could be used as denial-of-service. Se puede indicar a curl que analice un archivo `.netrc` en busca de credenciales. Si ese archivo termina en una línea con 4095 letras de espacios consecutivos que no sean espacios en blanco y sin nueva línea, curl primero leerá más allá del final del búfer basado en pila y, si la lectura funciona, escribirá un byte cero más allá de su límite. En la mayoría de los casos, esto causará una falla de segmento o similar, pero las circunstancias también pueden causar resultados diferentes. • http://seclists.org/fulldisclosure/2023/Jan/19 http://seclists.org/fulldisclosure/2023/Jan/20 https://hackerone.com/reports/1721098 https://security.gentoo.org/glsa/202212-01 https://security.netapp.com/advisory/ntap-20230110-0006 https://support.apple.com/kb/HT213604 https://support.apple.com/kb/HT213605 • CWE-125: Out-of-bounds Read CWE-787: Out-of-bounds Write •