Bug 1005645 - (CVE-2016-8623) VUL-0: CVE-2016-8623: curl: Use-after-free via shared cookies
(CVE-2016-8623)
VUL-0: CVE-2016-8623: curl: Use-after-free via shared cookies
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
CVSSv2:SUSE:CVE-2016-8623:2.6:(AV:N/A...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-10-19 14:45 UTC by Johannes Segitz
Modified: 2019-05-29 07:21 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Johannes Segitz 2016-10-19 14:45:44 UTC
Use-after-free via shared cookies
=================================

Project cURL Security Advisory, November 2, 2016 -
[Permalink](https://curl.haxx.se/docs/adv_20161102I.html)

VULNERABILITY
-------------

libcurl explicitly allows users to share cookies between multiple easy handles
that are concurrently employed by different threads.

When cookies to be sent to a server are collected, the matching function
collects all cookies to send and the cookie lock is released immediately
afterwards. That funcion however only returns a list with *references* back to
the original strings for name, value, path and so on. Therefore, if another
thread quickly takes the lock and frees one of the original cookie structs
together with its strings, a use-after-free can occur and lead to information
disclosure. Another thread can also replace the contents of the cookies from
separate HTTP responses or API calls.

We are not aware of any exploit of this flaw.

INFO
----

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2016-XXXX to this issue.

AFFECTED VERSIONS
-----------------

This flaw exists in the following curl versions:

- Affected versions: curl 7.10.7 to and including 7.50.3
- Not affected versions: curl < 7.10.7 and curl >= 7.51.0

libcurl is used by many applications, but not always advertised as such!

THE SOLUTION
------------

In version 7.51.0, the function returning the cookies make deep copies.

A [patch for CVE-2016-XXXX](https://curl.haxx.se/s3c/I.patch) is available.

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

  A - Upgrade curl and libcurl to version 7.51.0

  B - Apply the patch to your version and rebuild

  C - Do not share cookies between threads

TIME LINE
---------

It was first reported to the curl project on September 23 by Cure53.

We contacted distros@openwall on October 19.

curl 7.51.0 was released on November 2 2016, coordinated with the publication
of this advisory.

CREDITS
-------

his vulnerability was found during a Secure Open Source audit performed by
Cure53.
Comment 1 Johannes Segitz 2016-10-19 14:45:53 UTC
From: Daniel Stenberg
We intend to publish the advisories, the patches and announce the new
release (7.51.0) with all of these problems fixed on November 2nd.

CRD: 2016-11-02
Comment 2 Swamp Workflow Management 2016-10-19 22:05:21 UTC
bugbot adjusting priority
Comment 9 Swamp Workflow Management 2016-11-02 15:09:19 UTC
SUSE-SU-2016:2699-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 1005633,1005634,1005635,1005637,1005638,1005640,1005642,1005643,1005645,1005646,998760
CVE References: CVE-2016-7167,CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE-2016-8618,CVE-2016-8619,CVE-2016-8620,CVE-2016-8621,CVE-2016-8622,CVE-2016-8623,CVE-2016-8624
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    curl-7.37.0-31.1
SUSE Linux Enterprise Server 12-SP1 (src):    curl-7.37.0-31.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    curl-7.37.0-31.1
Comment 10 Swamp Workflow Management 2016-11-02 15:11:00 UTC
SUSE-SU-2016:2700-1: An update that fixes 13 vulnerabilities is now available.

Category: security (important)
Bug References: 1005633,1005634,1005635,1005637,1005638,1005642,1005645,1005646,997420,998760
CVE References: CVE-2016-5420,CVE-2016-7141,CVE-2016-7167,CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE-2016-8618,CVE-2016-8619,CVE-2016-8620,CVE-2016-8621,CVE-2016-8622,CVE-2016-8623,CVE-2016-8624
Sources used:
SUSE Studio Onsite 1.3 (src):    curl-7.19.7-1.20.47.2
Comment 11 Swamp Workflow Management 2016-11-03 14:09:48 UTC
SUSE-SU-2016:2714-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 1005633,1005634,1005635,1005637,1005638,1005642,1005645,1005646,998760
CVE References: CVE-2016-7167,CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE-2016-8618,CVE-2016-8619,CVE-2016-8620,CVE-2016-8621,CVE-2016-8622,CVE-2016-8623,CVE-2016-8624
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    curl-7.19.7-1.64.1
SUSE Linux Enterprise Server 11-SP4 (src):    curl-7.19.7-1.64.1
SUSE Linux Enterprise Server 11-SECURITY (src):    curl-openssl1-7.19.7-1.64.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    curl-7.19.7-1.64.1
Comment 12 Swamp Workflow Management 2016-11-04 10:06:00 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2016-11-18.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63187
Comment 13 Swamp Workflow Management 2016-11-10 16:08:04 UTC
openSUSE-SU-2016:2768-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 1005633,1005634,1005635,1005637,1005638,1005640,1005642,1005643,1005645,1005646,998760
CVE References: CVE-2016-7167,CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE-2016-8618,CVE-2016-8619,CVE-2016-8620,CVE-2016-8621,CVE-2016-8622,CVE-2016-8623,CVE-2016-8624
Sources used:
openSUSE Leap 42.1 (src):    curl-7.37.0-16.1
Comment 14 Sebastian Krahmer 2016-11-14 12:58:48 UTC
released