
List:       oss-security
Subject:    [oss-security] [SECURITY ADVISORY] CVE-2022-42915: HTTP proxy double-free (curl)
From:       Daniel Stenberg <daniel () haxx ! se>
Date:       2022-10-26 6:26:44
Message-ID: n1srq084-n412-2732-q867-r4ns9q23r570 () unkk ! fr

CVE-2022-42915: HTTP proxy double-free
======================================

Project curl Security Advisory, October 26 2022 -
[Permalink](https://curl.se/docs/CVE-2022-42915.html)

VULNERABILITY
-------------

If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it
sets up the connection to the remote server by issuing a `CONNECT` request to
the proxy, and then *tunnels* the rest of the protocol through.

An HTTP proxy might refuse this request (HTTP proxies often only allow
outgoing connections to specific port numbers, like 443 for HTTPS) and instead
return a non-200 response code to the client.

Due to flaws in the error/cleanup handling, this could trigger a double-free
in curl if one of the following schemes was used in the URL for the transfer:
`dict`, `gopher`, `gophers`, `ldap`, `ldaps`, `rtmp`, `rtmps`, `telnet`.

We are not aware of any exploit of this flaw.

INFO
----

The bug was introduced in [this commit](https://github.com/curl/curl/commit/51c0ebcff2140c3).

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2022-42915 to this issue.

CWE-415: Double Free

Severity: medium

AFFECTED VERSIONS
-----------------

- Affected versions: curl 7.77.0 up to and including 7.85.0
- Not affected versions: curl < 7.77.0 and >= 7.86.0

libcurl is used by many applications, but not always advertised as such!

THE SOLUTION
------------

[The fix for CVE-2022-42915](https://github.com/curl/curl/commit/55e1875729f9d9fc7315ce)

RECOMMENDATIONS
---------------

  A - Upgrade curl to version 7.86.0

  B - Apply the patch to your local version

  C - Do not use an HTTP proxy

TIMELINE
--------

This issue was reported to the curl project on October 4, 2022. We contacted
distros@openwall on October 18, 2022.

libcurl 7.86.0 was released on October 26, 2022, coordinated with the
publication of this advisory.

CREDITS
-------

This report was part of the security audit performed by Trail of Bits.

- Reported-by: Trail of Bits
- Patched-by: Daniel Stenberg

Thanks a lot!

-- 

  / daniel.haxx.se
  | Commercial curl support up to 24x7 is available!
  | Private help, bug fixes, support, ports, new features
  | https://curl.se/support.html
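
One way to triage hosts against the affected range and scheme list in the advisory above. This is an added example, not code from the advisory or the curl project; the function names, return codes and the sample `curl --version` text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not curl project code. Range and schemes come from the advisory.
AFFECTED_SCHEMES="dict gopher gophers ldap ldaps rtmp rtmps telnet"

# Constructed sample of `curl --version` output (not captured from a real host).
SAMPLE_OUTPUT='curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11
Release-Date: 2022-01-05
Protocols: dict file ftp ftps gopher gophers http https ldap ldaps rtmp smtp telnet tftp
Features: AsynchDNS HTTPS-proxy IPv6 Largefile libz SSL UnixSockets'

# ver_to_int X.Y.Z -> integer that orders the same way as the version.
ver_to_int() {
    major=${1%%.*}; rest=${1#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    echo $(( major * 1000000 + minor * 1000 + patch ))
}

# check_curl_output TEXT: print a verdict for the given `curl --version` text.
# Returns 0 = libcurl outside the affected range, 1 = in range with listed
# schemes built in, 2 = version not found, 3 = in range, no listed scheme built in.
check_curl_output() {
    # The flaw is in libcurl, so read the library version, not the tool version.
    ver=$(printf '%s\n' "$1" |
          sed -n '1s|.*libcurl/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p')
    if [ -z "$ver" ]; then echo "unknown: no libcurl version found"; return 2; fi
    v=$(ver_to_int "$ver")
    if [ "$v" -lt "$(ver_to_int 7.77.0)" ] || [ "$v" -gt "$(ver_to_int 7.85.0)" ]; then
        echo "libcurl $ver: outside affected range 7.77.0 to 7.85.0"; return 0
    fi
    # Word-match each advisory scheme against the build's Protocols line.
    protos=$(printf '%s\n' "$1" | sed -n 's/^Protocols: *//p')
    hits=""
    for s in $AFFECTED_SCHEMES; do
        case " $protos " in *" $s "*) hits="$hits $s" ;; esac
    done
    if [ -z "$hits" ]; then
        echo "libcurl $ver: in affected range, none of the listed schemes built in"
        return 3
    fi
    echo "libcurl $ver: in affected range, listed schemes built in:$hits"
    return 1
}

# Demo on the constructed sample; `|| true` keeps a non-zero verdict from aborting.
check_curl_output "$SAMPLE_OUTPUT" || true
```

On a real host, pass `"$(curl --version)"` instead of the sample. A version-string check cannot see a distribution package that carries the fix as a backported patch, nor a libcurl copy bundled inside another application.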