Bug 1199223 (CVE-2022-27781)

Summary: VUL-0: CVE-2022-27781: curl: CERTINFO never-ending busy-loop (4/6)
Product: [Novell Products] SUSE Security Incidents Reporter: Robert Frohl <rfrohl>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: carlos.lopez, gianluca.gabrielli, simonf.lees
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/330789/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-27781:3.7:(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) https://smash.suse.de/issue/330789/
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Comment 4 Gianluca Gabrielli 2022-05-11 07:02:30 UTC 
Public.


CERTINFO never-ending busy-loop
===============================

Project curl Security Advisory, May 11 2022 -
[Permalink](https://curl.se/docs/CVE-2022-27781.html)

VULNERABILITY
-------------

libcurl provides the `CURLOPT_CERTINFO` option to allow applications to
request details to be returned about a TLS server's certificate chain.

Due to an erroneous function, a malicious server could make libcurl built with
NSS get stuck in a never-ending busy-loop when trying to retrieve that
information.

We are not aware of any exploit of this flaw.

INFO
----

This flaw was introduced in [commit
f6c335d63f](https://github.com/curl/curl/commit/f6c335d63f), shipped in curl
7.34.0 when libcurl added support for CERTINFO using NSS.

This feature is not accessible from the command line tool.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2022-27781 to this issue.

CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

Severity: Low

AFFECTED VERSIONS
-----------------

- Affected versions: curl 7.34.0 to and including 7.83.0
- Not affected versions: curl < 7.34.0 and curl >= 7.83.1

libcurl is used by many applications, but not always advertised as such!

THE SOLUTION
------------

A [fix for CVE-2022-27781](https://github.com/curl/curl/commit/5c7da89d404bf59)

RECOMMENDATIONS
--------------

 A - Upgrade curl to version 7.83.1

 B - Apply the patch to your local version

 C - Do not use the `CURLOPT_CERTINFO` option

TIMELINE
--------

This issue was reported to the curl project on April 30, 2022. We contacted
distros@openwall on May 5.

libcurl 7.83.1 was released on May 11 2022, coordinated with the publication
of this advisory.

CREDITS
-------

This issue was reported by Florian Kohnhäuser. Patched by Daniel Stenberg.

Thanks a lot!

-- 

 / daniel.haxx.se
 | Commercial curl support up to 24x7 is available!
 | Private help, bug fixes, support, ports, new features
 | https://curl.se/support.html
Comment 6 David Anes 2022-05-13 07:04:06 UTC 
Everything was done. Sent it back to security team.
Comment 9 Swamp Workflow Management 2022-05-18 19:15:26 UTC 
SUSE-SU-2022:1733-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1199223,1199224
CVE References: CVE-2022-27781,CVE-2022-27782
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    curl-7.37.0-37.76.1
SUSE OpenStack Cloud 8 (src):    curl-7.37.0-37.76.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    curl-7.37.0-37.76.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    curl-7.37.0-37.76.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    curl-7.37.0-37.76.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    curl-7.37.0-37.76.1
HPE Helion Openstack 8 (src):    curl-7.37.0-37.76.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2022-05-23 13:18:10 UTC 
SUSE-SU-2022:1805-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1199223,1199224
CVE References: CVE-2022-27781,CVE-2022-27782
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    curl-7.60.0-11.40.2
SUSE Linux Enterprise Server 12-SP5 (src):    curl-7.60.0-11.40.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2022-05-27 13:19:55 UTC 
SUSE-SU-2022:1870-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1199223,1199224
CVE References: CVE-2022-27781,CVE-2022-27782
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    curl-7.66.0-150200.4.33.1
SUSE Manager Server 4.1 (src):    curl-7.66.0-150200.4.33.1
SUSE Manager Retail Branch Server 4.1 (src):    curl-7.66.0-150200.4.33.1
SUSE Manager Proxy 4.1 (src):    curl-7.66.0-150200.4.33.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    curl-7.66.0-150200.4.33.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    curl-7.66.0-150200.4.33.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    curl-7.66.0-150200.4.33.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    curl-7.66.0-150200.4.33.1
SUSE Linux Enterprise Micro 5.2 (src):    curl-7.66.0-150200.4.33.1
SUSE Linux Enterprise Micro 5.1 (src):    curl-7.66.0-150200.4.33.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    curl-7.66.0-150200.4.33.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    curl-7.66.0-150200.4.33.1
SUSE Enterprise Storage 7 (src):    curl-7.66.0-150200.4.33.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Swamp Workflow Management 2022-08-16 13:20:29 UTC 
SUSE-SU-2022:2813-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1199223,1199224,1200735,1200737
CVE References: CVE-2022-27781,CVE-2022-27782,CVE-2022-32206,CVE-2022-32208
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    curl-7.60.0-4.38.1
SUSE OpenStack Cloud 9 (src):    curl-7.60.0-4.38.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    curl-7.60.0-4.38.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    curl-7.60.0-4.38.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Swamp Workflow Management 2022-08-17 16:18:51 UTC 
SUSE-SU-2022:2829-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1199223,1199224,1200735,1200737
CVE References: CVE-2022-27781,CVE-2022-27782,CVE-2022-32206,CVE-2022-32208
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    curl-7.60.0-150000.33.1
SUSE Linux Enterprise Server for SAP 15 (src):    curl-7.60.0-150000.33.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    curl-7.60.0-150000.33.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    curl-7.60.0-150000.33.1
SUSE Linux Enterprise Server 15-LTSS (src):    curl-7.60.0-150000.33.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    curl-7.60.0-150000.33.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    curl-7.60.0-150000.33.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    curl-7.60.0-150000.33.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    curl-7.60.0-150000.33.1
SUSE Enterprise Storage 6 (src):    curl-7.60.0-150000.33.1
SUSE CaaS Platform 4.0 (src):    curl-7.60.0-150000.33.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Gianluca Gabrielli 2022-08-23 07:38:01 UTC 
Thanks, we can now close it.