
Bug 1868032 (CVE-2020-8231)

Summary: CVE-2020-8231 curl: Expired pointer dereference via multi API with CURLOPT_CONNECT_ONLY option set
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: andrew.slice, bodavis, cmoore, cwarfiel, dbhole, erik-fedora, gmccullo, hhorak, hvyas, john.j5live, jorton, kanderso, kaycoth, kdudka, luhliari, mike, msekleta, omajid, paul, rwagner, security-response-team, svashisht
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: curl 7.72.0
Doc Text:
A flaw was found in libcurl from versions 7.29.0 through 7.71.1. An application that performs multiple requests with libcurl's multi API, and sets the `CURLOPT_CONNECT_ONLY` option, might experience libcurl using the wrong connection. The highest threat from this vulnerability is to data confidentiality.
Last Closed: 2021-05-18 20:34:28 UTC
Bug Depends On: 1869752, 1869753, 1869754, 1870092, 1870093, 1870614, 1870615, 1870629

Description Pedro Sampaio 2020-08-11 13:11:24 UTC
A flaw was found in libcurl from versions 7.29.0 to and including 7.71.1. An application that performs multiple requests with libcurl's multi API and sets the `CURLOPT_CONNECT_ONLY` option might in rare circumstances experience that when subsequently using the setup connect-only transfer, libcurl will pick and use the wrong connection.

Introducing commit:

https://github.com/curl/curl/commit/c43127414d

Upstream patch:

https://curl.haxx.se/2020-8231.patch

References:

https://curl.haxx.se/docs/CVE-2020-8231.html

Comment 1 Pedro Sampaio 2020-08-11 13:11:30 UTC
Acknowledgments:

Name: the Curl project
Upstream: Marc Aldorasi

Comment 3 Marian Rehak 2020-08-19 10:50:49 UTC
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1870092]


Created mingw-curl tracking bugs for this issue:

Affects: fedora-all [bug 1870093]

Comment 8 Kamil Dudka 2020-09-03 15:49:38 UTC
The patch provided by curl upstream applies on curl-7.71.1 whereas RHEL-7 uses curl-7.29.0, which was released in 2013. 10242 commits landed upstream in between the 7.29.0 release and the commit that fixed CVE-2020-8231. Adapting the fix on a 7-year-old code base is a risky task. Bug #1683292 is a good example of what happens when such a backport goes wrong. In this case it is also difficult to verify that the backported fix actually works. Is there any reproducer for the security issue in question?

Comment 17 errata-xmlrpc 2021-05-18 13:40:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1610 https://access.redhat.com/errata/RHSA-2021:1610

Comment 18 Product Security DevOps Team 2021-05-18 20:34:28 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8231

Comment 19 Product Security DevOps Team 2021-05-19 02:33:39 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8231

Comment 20 Red Hat Bugzilla 2023-09-15 00:46:17 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days